Changes to Default Behavior in Cortex XDR Agent 8.3

Cortex XDR Agent Release Notes

Product: Cortex XDR, Cortex XDR Agent
Version: 8.3
Creation date: 2024-06-19
Last date published: 2024-07-10
Category: Release Notes

Abstract: Changes to default behavior in Cortex XDR agent 8.3 for Windows, macOS, and Linux endpoints.

This section details behavior changes that you may encounter when using a new version of the Cortex XDR agent. For further details, refer to the admin guide for your product.

Certificate enforcement for Windows and macOS endpoints

To improve security, the Cortex XDR agent 8.3 now ensures that a provided certificate is used, without falling back to the local store (trusted root CA file). To phase in adoption of this requirement, Disabled (Notify) is the default for existing tenants; new tenants have the Enabled configuration by default.

There are three modes of operation, set in the Agent Settings profile:

  • Enabled: Enforcement is enabled. Note: if the agent is initially unable to communicate without the local store, enforcement is not enabled and the agent shows as partially protected in the server UI.

  • Disabled (Notify): Enforcement is disabled. Agents with this policy will trigger a visible banner in the UI to notify customers about potential risk and direct them to change the certificate and the setting.

  • Disabled: Enforcement is disabled. Agents with this policy will trigger a visible banner in the UI to notify customers about potential risk. With this mode, the Last Certificate Enforcement Fallback column in the Endpoints table is not updated, and there are no management audit logs related to the local store fallback.