Agent-based protection

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide
Abstract

Protect your workloads from various types of injection attacks, exploitation attempts, known vulnerabilities, automated tools, and more.

Note

Web and API Security (WAAS) profiles and policies are currently a Beta feature.

Cortex XDR can protect your workloads from various types of injection attacks, exploitation attempts, known vulnerabilities, automated tools, and more. In addition, your cloud workloads can be protected against evolving threats aggregated from commercial threat feeds, open-source threat feeds, and input from the Palo Alto Networks Unit 42 research team.

Web and API Security profiles provide comprehensive real-time detection and protection for web-based applications and APIs running on Linux-based workloads, to prevent cloud attacks. These profiles can be applied to policies for such workloads.

You can configure Cortex XDR either to monitor traffic for threats or to actively block them. The action is set per threat type in the profile, so you can tailor protection to the specific needs of each workload.

Follow these steps to configure profiles and policies for cloud workloads:

The following table summarizes the workload protection features provided by Cortex XDR prevention profiles and policies:

Module

Threat description

Advanced Threat Protection

Advanced Threat Protection (ATP) is a comprehensive security feature designed to detect, prevent, and respond to sophisticated Web and API threats, ensuring robust protection for workloads against evolving risks.

Authentication bypass

The Cortex XDR authentication bypass module protects against attacks that attempt to circumvent authentication controls through session manipulation, token exploitation, or credential abuse.

Automation tools

Cortex XDR detects and protects against automated tools or services that scrape website contents, such as scriptable headless web browsers, command-line tools, or HTTP libraries.

Cross-Site Scripting (XSS) injection

Cortex XDR protects against XSS attacks, in which attacker-controlled JavaScript is injected into pages served by otherwise benign and trusted websites. The payload is crafted to break out of the HTML, attribute, or URL context in which the input is rendered, so that the victim's browser switches to a JavaScript context and executes the attacker's code.

CVE exploits

Cortex XDR protects against attempts to exploit known vulnerabilities, that is, vulnerabilities with a Common Vulnerabilities and Exposures (CVE) identifier.

Malformed Traffic

Cortex XDR identifies and protects against HTTP requests with anomalies that are not expected from common web browsers.

Injection attacks

Injection attacks are a class of attacks in which an attacker inserts malicious input into an application to manipulate its execution. For example, a code injection attack supplies code that the application or another runtime then interprets. Command and code payloads can be injected directly as part of an HTTP request, or the application can be made to include them from local or remote files (File Inclusion attacks).

Known bots

Cortex XDR can identify legitimate bots that properly declare their identity and purpose, such as search engine crawlers and authorized web indexers. These bots follow standard protocols and provide verifiable operator information. However, some of them might still cause undesirable behavior, such as spam, and you might prefer to block such bots.

Offensive tools

Cortex XDR identifies offensive tools that scan web applications for known security vulnerabilities and misconfigurations and attempt to exploit them.

Sensitive data exposure

Cortex XDR protects workloads from providing responses that could expose sensitive data found in critical system files, including password hashes (/etc/shadow), user account information (/etc/passwd), and private encryption keys.

SQL injection (SQLi)

Cortex XDR protects against SQLi attacks, which occur when an attacker injects SQL syntax through an input field of a web application so that it becomes part of a query the application sends to its database. A successful attack can read sensitive data from the database, modify data in the database, or, depending on the database's privileges, run arbitrary commands.
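The following Python example is added here and is not part of the Cortex XDR product or its documentation. It illustrates what the modules in the table look for by tagging constructed HTTP requests and responses with the module names above and then applying a per-module monitor/block setting, as a profile would. The regular expressions, the PROFILE dictionary, the request representation, and all sample traffic are assumptions written for this illustration; they are not Cortex XDR's signatures, profile format, or data.

```python
# Toy classifier for the WAAS threat categories (added illustration, not product code).
import re
from urllib.parse import unquote_plus

# Assumed signatures applied to the URL-decoded request path and body.
REQUEST_SIGNATURES = [
    ("SQL injection", re.compile(
        r"\bunion\b[\s/*]+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table|\bsleep\(\d+\)", re.I)),
    ("Cross-Site Scripting (XSS) injection", re.compile(
        r"<script\b|javascript:|\bon(error|load|mouseover)\s*=", re.I)),
    ("Injection attacks", re.compile(  # command injection and local/remote file inclusion
        r";\s*(cat|ls|id|wget|curl)\b|\$\(|`[^`]+`|\.\./\.\./|/etc/(passwd|shadow)|\b(php|file|data)://", re.I)),
]

# Assumed signatures applied to the User-Agent header.
USER_AGENT_SIGNATURES = [
    ("Known bots", re.compile(r"\b(googlebot|bingbot|duckduckbot)\b", re.I)),
    ("Automation tools", re.compile(r"\b(python-requests|curl|wget|headlesschrome|phantomjs)\b", re.I)),
    ("Offensive tools", re.compile(r"\b(sqlmap|nikto|nmap|wpscan|dirbuster)\b", re.I)),
]

# Response-body patterns: /etc/passwd lines, /etc/shadow hashes, PEM private keys.
RESPONSE_SIGNATURE = re.compile(
    r"^root:[^\n]*:0:0:|^[\w-]+:\$[0-9a-z]+\$[^\n]*:\d+:\d+:|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----", re.M)

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}

# Per-module action as a profile would set it: "block", or "monitor" (alert only). Assumed values.
PROFILE = {
    "SQL injection": "block", "Cross-Site Scripting (XSS) injection": "block",
    "Injection attacks": "block", "Offensive tools": "block", "Malformed Traffic": "block",
    "Sensitive data exposure": "block", "Automation tools": "monitor", "Known bots": "monitor",
}


def is_malformed(req):
    """Structural anomalies a common browser would not produce (assumed checks)."""
    if req["method"] not in ALLOWED_METHODS:
        return True
    if not re.fullmatch(r"HTTP/(1\.[01]|2)", req.get("version", "")):
        return True
    if "Host" not in req["headers"]:
        return True
    # NUL or other control bytes smuggled into the URL via percent-encoding.
    return any(ord(c) < 0x20 for c in unquote_plus(req["path"]))


def classify_request(req):
    """Return the set of module names whose signatures match the request."""
    labels = set()
    target = unquote_plus(req["path"]) + "\n" + unquote_plus(req.get("body", ""))
    for name, pattern in REQUEST_SIGNATURES:
        if pattern.search(target):
            labels.add(name)
    user_agent = req["headers"].get("User-Agent", "")
    for name, pattern in USER_AGENT_SIGNATURES:
        if pattern.search(user_agent):
            labels.add(name)
    if is_malformed(req):
        labels.add("Malformed Traffic")
    return labels


def classify_response(body):
    """Return {'Sensitive data exposure'} if the response body leaks system secrets."""
    return {"Sensitive data exposure"} if RESPONSE_SIGNATURE.search(body) else set()


def decide(labels, profile=PROFILE):
    """'block' if any matched module is set to block, 'alert' if only monitored modules matched, else 'allow'."""
    if not labels:
        return "allow"
    if any(profile.get(name) == "block" for name in labels):
        return "block"
    return "alert"


BROWSER = {"Host": "shop.example", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"}

# Constructed sample traffic, one request per module of interest.
SAMPLE_REQUESTS = {
    "benign": {"method": "GET", "path": "/items?id=42", "version": "HTTP/1.1", "headers": BROWSER},
    "sqli": {"method": "GET", "path": "/items?id=1%27%20OR%20%271%27%3D%271", "version": "HTTP/1.1", "headers": BROWSER},
    "xss": {"method": "POST", "path": "/comment", "version": "HTTP/1.1", "headers": BROWSER,
            "body": "text=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"},
    "lfi": {"method": "GET", "path": "/view?file=../../../../etc/passwd", "version": "HTTP/1.1", "headers": BROWSER},
    "scanner": {"method": "GET", "path": "/items?id=1", "version": "HTTP/1.1",
                "headers": {"Host": "shop.example", "User-Agent": "sqlmap/1.7.2#stable (https://sqlmap.org)"}},
    "scraper": {"method": "GET", "path": "/items", "version": "HTTP/1.1",
                "headers": {"Host": "shop.example", "User-Agent": "python-requests/2.31.0"}},
    "crawler": {"method": "GET", "path": "/", "version": "HTTP/1.1",
                "headers": {"Host": "shop.example", "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}},
    "malformed": {"method": "GET", "path": "/items%00.jsp", "version": "HTTP/1.1",
                  "headers": {"User-Agent": "Mozilla/5.0"}},  # NUL byte in path and no Host header
}

# Constructed sample response bodies (fake hash and key material).
SAMPLE_RESPONSES = {
    "page": "<html><body>Welcome to the shop</body></html>\n",
    "passwd_leak": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
    "shadow_leak": "root:$6$saltsalt$fakehashvalue:19800:0:99999:7:::\n",
    "key_leak": "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGRw==\n-----END RSA PRIVATE KEY-----\n",
}


def run_samples():
    """Map each sample name to (matched modules, profile decision)."""
    results = {}
    for name, req in SAMPLE_REQUESTS.items():
        labels = classify_request(req)
        results[name] = (labels, decide(labels))
    for name, body in SAMPLE_RESPONSES.items():
        labels = classify_response(body)
        results[name] = (labels, decide(labels))
    return results


if __name__ == "__main__":
    for name, (labels, action) in run_samples().items():
        print(f"{name:12} {action:5} {sorted(labels)}")
```

Running the file prints each sample with its decision: the monitored modules (Automation tools, Known bots) produce "alert" while the blocked ones produce "block", which is the monitor-versus-block choice described above. Note what the toy does not do: a scanner that sends a browser User-Agent passes the USER_AGENT_SIGNATURES check here, and the request patterns are easily evaded by encoding or case tricks beyond simple percent-decoding. The point is to make the categories concrete, not to serve as a detector.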