To increase security coverage and quickly resolve any issues in policy, Palo Alto Networks can seamlessly deliver software packages for Cortex XDR called content updates. Content updates can contain changes or updates to any of the following:
Default security policy, including exploit, malware, restriction, and agent settings profiles
Default compatibility rules per module
Local analysis logic
Processes included in your block list by signers
Behavioral threat protection rules
Ransomware module logic, including Windows network folders susceptible to ransomware attacks
Event Log for Windows event logs and Linux system authentication logs
Python scripts provided by Palo Alto Networks
Python modules supported in script execution
Maximum file size for hash calculations in File search and destroy
List of common file types included in File search and destroy
Network Packet Inspection Engine rules
Starting with the Cortex XDR 7.1 agent release, Cortex XDR delivers the content update to the agent in parts rather than as a single file, allowing the agent to retrieve only the updates and additions it needs.
When a new update is available, Cortex XDR notifies the Cortex XDR agent. The Cortex XDR agent then randomly chooses a time within a six-hour window during which it will retrieve the content update from Cortex XDR. By staggering the distribution of content updates, Cortex XDR reduces the bandwidth load and prevents bandwidth saturation due to the high volume and size of the content updates across many endpoints. You can view the distribution of endpoints by content update version from the dashboard.
The Cortex XDR research team releases more frequent content updates in between major content versions to ensure your network is constantly protected against the latest threats in the wild. When you enable minor content updates, the Cortex XDR agent receives minor content updates starting with the next content release. Otherwise, if you do not wish to deploy minor content updates, your Cortex XDR agents keep receiving content updates for major releases, which usually occur on a weekly basis. The content version numbering format remains XXX-YYYY, where XXX indicates the version and YYYY indicates the build number. To distinguish between major and minor releases, XXX is rounded up to the nearest ten for every major release and incremented by one for a minor release. For example, 190-<build_num> versions are major releases, and 191-<build_num> versions are minor releases.
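As an added illustration of the XXX-YYYY numbering rule above (this is example code written for this page, not Palo Alto Networks code, and the endpoint names and version strings are constructed), the following parses content versions, classifies them as major or minor, and reports which endpoints lag the newest version or run a minor release when minor updates are not meant to be deployed:

```python
import re
from collections import Counter
from typing import NamedTuple

# Content versions use the XXX-YYYY form, e.g. 190-<build_num>.
_VERSION_RE = re.compile(r"^(\d+)-(\d+)$")


class ContentVersion(NamedTuple):
    version: int  # XXX: multiple of ten for a major release, +1 for a minor
    build: int    # YYYY: build number

    @property
    def is_major(self) -> bool:
        # Majors are rounded to the nearest ten; minors increment by one.
        return self.version % 10 == 0

    @property
    def major_base(self) -> int:
        # The major release a minor belongs to (191 -> 190).
        return self.version - self.version % 10

    def __str__(self) -> str:
        return f"{self.version}-{self.build}"


def parse_content_version(text: str) -> ContentVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a content version (expected XXX-YYYY): {text!r}")
    return ContentVersion(int(m.group(1)), int(m.group(2)))


def fleet_summary(versions_by_endpoint: dict, minor_updates_enabled: bool) -> dict:
    """Distribution of content versions across endpoints plus two checks:
    who is behind the newest version seen, and who runs a minor release
    although minor content updates are not supposed to be deployed."""
    parsed = {ep: parse_content_version(v) for ep, v in versions_by_endpoint.items()}
    newest = max(parsed.values())  # tuple ordering: version first, then build
    lagging = sorted(ep for ep, cv in parsed.items() if cv < newest)
    unexpected = [] if minor_updates_enabled else sorted(
        ep for ep, cv in parsed.items() if not cv.is_major)
    distribution = Counter(str(cv) for cv in parsed.values())
    return {"newest": str(newest), "lagging": lagging,
            "unexpected_minor": unexpected, "distribution": dict(distribution)}


# Constructed sample fleet (hypothetical hostnames and versions).
FLEET = {"host-a": "190-1001", "host-b": "191-1003",
         "host-c": "190-1001", "host-d": "180-990"}
```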
To adjust content update distribution for your environment, you can configure the following optional settings:
Otherwise, if you want the Cortex XDR agent to retrieve the latest content from the server immediately, you can force the Cortex XDR agent to connect to the server using one of the following methods:
(Windows and Mac only) Perform manual check-in from the Cortex XDR agent console.
Initiate a check-in using the