About Content Updates

Cortex XDR Prevent Administrator Guide


To increase security coverage and quickly resolve any issues in policy, Palo Alto Networks can seamlessly deliver software packages for Cortex XDR called content updates. Starting with the Cortex XDR 7.1 agent release, Cortex XDR delivers the content update to the agent in parts and not as a single file, allowing the agent to retrieve only the updates and additions it needs.

Content updates can contain changes or updates to any of the following:

  • Default security policy including exploit, malware, restriction, and agent settings profiles

  • Default compatibility rules per module

  • Protected processes

  • Local analysis logic

  • Trusted signers

  • Processes included in your block list by signers

  • Behavioral threat protection rules

  • Ransomware module logic including Windows network folders susceptible to ransomware attacks

  • Event Log for Windows event logs and Linux system authentication logs

  • Python scripts provided by Palo Alto Networks

  • Python modules supported in script execution

  • Maximum file size for hash calculations in File search and destroy

  • List of common file types included in File search and destroy

  • Network Packet Inspection Engine rules

When a new update is available, Cortex XDR notifies the Cortex XDR agent. The Cortex XDR agent then randomly chooses a time within a six-hour window during which it will retrieve the content update from Cortex XDR. By staggering the distribution of content updates, Cortex XDR reduces the bandwidth load and prevents bandwidth saturation due to the high volume and size of the content updates across many endpoints. You can view the distribution of endpoints by content update version from the dashboard.

The Cortex XDR research team releases more frequent content updates between major content versions to ensure your network is constantly protected against the latest threats in the wild. When you enable minor content updates, the Cortex XDR agent receives minor content updates, starting with the next content release. If you do not wish to deploy minor content updates, your Cortex XDR agents keep receiving content updates for major releases, which usually occur on a weekly basis.

The content version numbering format remains XXX-YYYY, where XXX indicates the version and YYYY indicates the build number. To distinguish between major and minor releases, XXX is rounded up to the nearest ten for every major release, and incremented by one for a minor release. For example, 180-<build_num> and 190-<build_num> are major releases, and 181-<build_num>, 182-<build_num>, and 191-<build_num> are minor releases.
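The numbering rule and the six-hour retrieval window described above can be combined into a content-drift check over an exported endpoint list. This is an added example, not Palo Alto Networks code; the inventory format, the status strings and the choice to flag minor content on a fleet with minor updates disabled are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

VERSION_RE = re.compile(r"^(\d+)-(\d+)$")
STAGGER_WINDOW = timedelta(hours=6)  # retrieval window stated in the guide

def parse_content_version(text):
    """Split 'XXX-YYYY' into (version, build); ValueError if malformed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a content version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def release_type(version):
    """Major releases sit on a multiple of ten; anything else is minor."""
    return "major" if version % 10 == 0 else "minor"

def majors_behind(version, expected):
    """Whole major releases between an agent's content and the expected one."""
    return (expected - expected % 10 - (version - version % 10)) // 10

def audit(inventory, expected, released_at, now, minor_enabled):
    """Map each (host, content_version) pair to a status string."""
    target, _ = parse_content_version(expected)
    in_window = now - released_at < STAGGER_WINDOW
    report = {}
    for host, raw in inventory:
        try:
            ver, _ = parse_content_version(raw)
        except ValueError:
            report[host] = "unparseable"
            continue
        if not minor_enabled and release_type(ver) == "minor":
            report[host] = "minor content, minor updates disabled"  # assumed policy check
        elif ver >= target:
            report[host] = "current"
        elif in_window:
            report[host] = "pending"  # may still be waiting for its random slot
        else:
            report[host] = f"stale, {majors_behind(ver, target)} major release(s) behind"
    return report

# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE = [("ws-01", "190-1234"), ("ws-02", "181-1100"),
          ("srv-01", "170-0900"), ("srv-02", "n/a")]
RELEASED = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    late = RELEASED + timedelta(hours=7)
    for host, status in audit(SAMPLE, "190-1234", RELEASED, late, True).items():
        print(f"{host}: {status}")
```

Because major releases usually occur weekly, the count of major releases behind gives a rough age in weeks for the content on a stale endpoint.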

To adjust content update distribution for your environment, you can configure the following optional settings:

Otherwise, if you want the Cortex XDR agent to retrieve the latest content from the server immediately, you can force the Cortex XDR agent to connect to the server using one of the following methods.

  • (Windows and Mac only) Perform manual check-in from the Cortex XDR agent console.

  • Initiate a check-in using the Cytool checkin command.