June 2023 - Release Notes - Cortex XDR - Cortex - Security Operations

Cortex XDR Release Notes

Cortex XDR
Creation date
Last date published
Release Notes

This section describes the new features and updates of the Cortex XDR 3.7 and Cortex XDR Agent 8.1 releases.

The Cortex XDR 3.7 and Agent 8.1 releases include the following highlights:

Security Modules

Cortex XDR introduces new prevention modules that provide more detection and protection coverage capabilities. This includes:

  • IIS Protection(Windows)—Protects against threats targeting the Internet Information Server (IIS).

  • Cortex XDR now provides In-process Shellcode Protection for Windows 32-bit processes.

Identity Threat Module Enhancements

Get deeper insights into threats and respond more effectively with our asset role enrichments for alerts, incidents, and XQL searches in the Identity Threat Module (ITM). Cortex introduces an improved peer scoring breakdown, a deeper understanding of the current host risk score, and a global host scores view for better risk management of your assets.

High Availability Cluster for Broker VMs

To ensure high availability (HA) in delivering services running on the Broker VM, Cortex XDR now includes a Broker VM HA Cluster, which is designed to provide redundancy of the Broker VM components in your network. The Broker VM HA Cluster eliminates the single node as a point of failure in multiple scenarios, such as failed hardware or software crashes, provides high availability and load balancing, and allows streamlined maintenance and upgrades.

Salesforce.com Data collector

(Requires a Cortex XDR Pro per GB license)

With the new native Salesforce.com integration, Cortex XDR can now ingest Salesforce Audit Trail and Security Monitoring events. This includes events such as login history and security events, that are critical for effective monitoring.

Dashboard Drilldowns

(Requires a Cortex XDR Pro license)

New Dashboard drilldowns provide users with interactive data insights when clicking on data points, table rows, or other visualization elements. Drilldowns can link to an XQL search, a custom URL, other dashboards, or a report. You can create drilldowns in XQL widgets.

New Broker VM image

Cortex XDR includes a new image for the Broker VM with an updated operating system (Ubuntu 20.04).

The Cortex XDR 3.7 and Cortex XDR Agent releases include the following enhancements:


Identity Threat Module - Risk Score Normalization

To enable a better understanding of the risk score of an asset in the Identity Threat Module,  Cortex XDR includes a risk level severity in the API. The severity categories are Low, Medium, or High, based on a deep analysis of the incidents in which the asset participated.

Cortex XDR Automation Enhancements

To expand the current automation capabilities of Cortex XDR:

  • Additional endpoint response and forensics-related actions were added.

  • Flexible configurable thresholds were added, with an option to indicate through email or Slack that these thresholds exceeded their limits.

Automatic Enrichment For Asset Role Tags in Alerts and Incidents

Cortex XDR now supports automatic enrichment for asset role tags for quick asset role extraction during incident response activities.


Malware Security Profile Capabilities for macOS

The Local File Threat Examination security module is now available for macOS. This provides extra protection for the agent and can optionally quarantine malicious files and terminate malicious processes on the endpoint.

Applying BIOC Rules to Prevention

To provide you with more granularity, Cortex XDR now enables you to manage detection separately from prevention when disabling a BIOC rule.

Agent Isolation (Linux)

You can now cancel the option to isolate an agent if the connection with the managing server is lost after a defined period of time.

Password Strength Requirement for Uninstall Password for Agent

To enhance Cortex security measures, a new password strength requirement is now enforced for Uninstall Password in the Agent settings profile.


Triage Public API

Cortex XDR has added an API for initiating forensic triage actions.

AnyDesk Log Support for Forensics

The forensics add-on now includes two new remote access artifacts: AnyDesk Trace Logs and AnyDesk Connection Logs. The addition of these artifacts expands the Cortex XDR ability to identify attacker infiltration and persistence within a network.


Data Ingestion Metrics

(Requires a Cortex XDR Pro per GB license)

New metrics with improved precision in tracing data collection. These metrics are saved in the metrics_source dataset, and are reflected on the Ingestion dashboard.

Okta Data Collector

(Requires a Cortex XDR Pro per GB license)

Additional Okta data collector event types have been added, and are now saved in the saas_audit_logs dataset.

Enhanced Event Forwarding Capability

(Requires a Cortex XDR Pro license and an Event Forwarding add-on license)

The Google Pub/Sub subscription has been implemented to ensure that you can download each file only once.

Parsing Rules Improved Error Reporting for Data Collection

(Requires a Cortex XDR Pro per GB license)

The parsing_rules_errors dataset was improved to help you identify and resolve errors during data collection.

NGFW Log Ingestion enhancements

(Requires a Cortex XDR Pro per GB license)

As part of the enhancements to the integration of NGFW through the native Cortex XDR data lake, NGFW log ingestion was also enhanced.

  • To reduce the ingestion volume of NGFW logs, Cortex XDR has optimized log volume consumption. As a result, NGFW logs consume less ingestion in comparison to previous releases.

  • To improve granularity and further reduce ingestion costs, you can opt out of collecting URL and File log types for all PANW integrations.

  • To improve visibility in NGFW log types, you can see a breakdown of each log type and its daily consumption quota on the new NGFW Ingestion Dashboard.

Improved Monitoring and Documentation of Integration Errors

(Requires a Cortex XDR Pro per GB license)

Cortex XDR now displays all API errors for data collectors on the Collection Integrations page. Each time an integration instance changes its status, an audit entry is added to the new collection_auditing dataset. Error entries are also logged as collection alerts in the data_ingestion_health dataset, which trigger health monitoring notifications in the UI.

Run Queries on Rewarmed Data at No Additional Cost

(Requires a Cortex XDR Pro license)

Cold storage queries are now faster and more efficient due to an improved data rewarm algorithm. Rewarmed data is saved in a temporary hot storage cache that is available for subsequent queries on the same time-range at no additional cost.


Windows and Linux

For more information on maintenance releases, see Maintenance Releases

XDR Collectors Log Monitoring

(Requires a Cortex XDR Pro per GB license)

To monitor the collection health of the XDR Collectors, Cortex XDR now provides an out-of-the-box template that collects log files in a designated dataset, panw_xdrc_raw.


Version 20.0.96

For more information on maintenance releases, see Maintenance Releases.

Broker VM Configuration Import

You can now copy the configuration of a Broker VM to another Broker VM. This also includes applet settings.


Supported from Broker VM version 20.0 and later

Broker VM Local Agent Settings Applet with 50K Agents

Each Local Agent Settings applet on the Broker VM now supports up to 50,000 agents, as opposed to only 10,000.

Timestamp Format Retrieval Value in the Database Collector Applet.

(Requires a Cortex XDR Pro per GB license)

You can now configure the retrieval value for a timestamp as an integer or a string. The following string timestamp formats are now supported:

  • ISO 8601 format

  • RFC 2822 format

  • Date strings with month names spelled out, such as “January 1, 2022”

  • Date strings with abbreviated month names, such as “Jan 1, 2022"

  • Date strings with two-digit years - MM/DD/YY


Cortex XQL Schema Reference Guide

The Cortex XQL Schema Reference Guide has been improved to provide the latest fields and field descriptions available in the xdr_data dataset.

XQL Boolean Operator

(Requires a Cortex XDR Pro license)

The Cortex Query Language (XQL) now includes a new boolean not operator to exclude data from your query.

XQL Function for Ordering Fields by Popularity

(Requires a Cortex XDR Pro license)

Cortex Query Language (XQL) now supports a column order function with the view stage. You can use this function when building a query and want to show results that contain empty fields with a null value last.


This option only applies within the Query Builder. Other XQL-based based functions within the system do not support this configuration.

XQL getrole Stage for Enriching Events with Specific Roles

(Requires a Cortex XDR Pro license)

Cortex Query Language (XQL) now includes a getrole stage to enhance investigation capabilities. It enriches events with specific roles associated with usernames or endpoints. The results are displayed in a new column called asset_roles.


This stage is unsupported in BIOCs and real-time Correlation Rules.


Gateway Supports View and Manage User-Groups Across All Products

To expand the current gateway capabilities, you can view and manage user-groups across all products.

Gateway Supports View and Manage RBAC Settings Across All Products

To expand the current gateway capabilities, you can view and manage tenants and role-based access control (RBAC) settings across all products.


Support Encryption for Download Files

To improve security measures, you can configure a password for all files that were downloaded during an investigation by the Cortex XDR agent.