March 2023 - Release Notes - Cortex XDR - Cortex - Security Operations

Cortex XDR Release Notes


This section describes the new features and updates of the Cortex XDR 3.6 and Cortex XDR Agent 8.0 releases.

The Cortex XDR 3.6 and Cortex XDR Agent 8.0 releases include the following enhancements:


Flexible Next-Gen Firewall and Prisma Access Data Ingestion (Requires a Cortex XDR Pro TB license)

To streamline connection and management of data ingestion, Cortex XDR is no longer dependent on the Cortex Data Lake. 

As of version 3.6, Palo Alto Networks data sources, including Next-generation Firewalls and Prisma Access logs, can be ingested and managed directly in Cortex XDR and you no longer need to connect to the Cortex Data Lake. 

Once your tenant has been activated, navigate to the Collection Integrations page to configure your integrations. Connect your Next-Gen Firewalls directly into XDR, selecting which sources will ingest data into the system. You can do so by connecting a firewall directly or using Panorama.

Session Timeout Enhancements

User interface session timeouts can now be configured to last up to 24 hours. To mitigate security concerns, an inactivity auto-logout has been added.

Cortex Gateway Tenant Renaming

To provide you with greater flexibility, you now have the option in the Cortex Gateway to rename your tenant. Tenant names must be unique, and a tenant can only be renamed by a user with Instance Admin permissions.


New Identity Threat Module

Cortex XDR introduces our advanced Identity Threat Module to provide best-in-class coverage for stealthy identity threat vectors, including compromised accounts and insider threats.

  • New Identity Dashboard for reviewing the risk posture of the organization and allowing faster decision making.

  • New User/Host Risk View, which provides additional information about the asset, including score trend timeline, notable events, peer comparison, and additional asset-associated alerts and insights for easy uncovering of hidden threats.

  • New automated user and host role classification based on constant analysis of their activities. You can adjust these roles at any given time in order to fine-tune the assets associated with each role.

  • New Analytics alert layout that displays profile information for quicker triaging and investigation.

When you log in to Cortex XDR with a Pro license for the first time after the upgrade, Cortex XDR displays a banner that enables you to activate the Identity Threat module. The module is available for a free trial period ending on July 31, 2023. After this date, the module will be available as an Add-on.

XQL to_json_string Function Enhancements

(Requires a Cortex XDR Pro license)

The Cortex XDR Query Language (XQL) to_json_string function now returns the input unchanged when the input to the function is a string. Previously, the function would return a JSON-formatted string if the input was a string.

Top Incidents (Top 10) Widget Enhancements

The Top Incidents (Top 10) dashboard widget now includes scores, which can be used to sort the incident list.

SBAC (Scope-Based Access Control) Support for Incident Configuration Settings

Scope-based access control, already supported for alerts and incidents, now also applies to incident configuration settings. Based on the tags used to define scope, users now have access to configure the settings for the relevant alerts within their scope. This applies to all scoped users.

Incident Automation Rules and Logs

(Requires a Cortex XDR Pro license)

To make day-to-day tasks in Cortex XDR more productive, new automation capabilities have been added for endpoint response actions, incident and alert management, and external communication (email, Slack, syslog) actions.

SmartScore Enhancements

To enhance your triaging and investigation capabilities, SmartScore will now provide scoring enrichment by indicating the main factors contributing to a score.

New Alert Suppression Counters

To improve visibility into alert suppression, Cortex XDR added counters in IOC, BIOC, and Analytics alert side panels which display the number of suppressed alerts and the timestamp of the last suppression for the alert. The counters are displayed for new alerts generated after upgrading to the current version.


Box, Dropbox, and OneLogin Data Collector Enhancements for Normalizing Logs to Stories

(Requires a Cortex XDR Pro per GB license)

To enhance your investigation capabilities, Cortex XDR now supports normalizing logs into stories when a Box, Dropbox, or OneLogin data collector is configured.

Normalization of Kubernetes Audit Logs

(Requires a Cortex XDR Pro per GB license)

To expand the current data ingestion capabilities when collecting Kubernetes audit logs, Cortex XDR now normalizes Kubernetes audit logs (API Server logs) for the following data collectors:

  • AWS: Includes an option to Normalize audit logs (selected by default) when configuring an Amazon Elastic Kubernetes Service (EKS) log type.

  • Azure Event Hub: Azure Kubernetes Service (AKS) audit logs are automatically normalized when they are included in the logs.

  • Google Cloud Platform: Google Kubernetes Engine (GKE) audit logs are automatically normalized when they are included in the logs.

Okta Data Collector Enhancement to Minimize Repeated API Requests

(Requires a Cortex XDR Pro per GB license)

The Okta data collector in Cortex XDR is now improved to significantly reduce the number of requests made to the Okta API whenever an error is received indicating that too many requests have already been sent. In addition, to ensure you are properly notified about this, an alert is displayed in the Notification Area and a record is added to the Management Audit Logs.

Office 365 Data Collector Supports Collecting Alerts from Microsoft Graph Security API v2 Data Sources

(Requires a Cortex XDR Pro per GB license)

To expand the current data ingestion capabilities of the Office 365 data collector, Cortex XDR now enables you to configure collecting alerts from Microsoft Graph Security API v2 (beta version) data sources, which include alerts from various Microsoft 365 Defender products and Microsoft Purview Data Loss Prevention. This option is now available in addition to the previous option of collecting alerts from Microsoft Graph Security API v1 data sources.

To support this change, the previous option called Alerts from Microsoft Graph Security API is now renamed to Alerts. Select Alerts to collect alerts from Microsoft Graph Security API v1 data sources. To collect alerts from the new Microsoft Graph Security API v2 (beta version) data sources, select Alerts and the new option below called Use Microsoft Graph API v2.


Windows and Linux

For more information on maintenance releases, see Maintenance Releases.

XDR Collectors Infrastructure Improvements

(Requires a Cortex XDR Pro per GB license)

As part of our continuous infrastructure improvements, Cortex XDR has enhanced the XDR Collectors infrastructure, which is included in the current XDR Collectors 1.4.0 version.

Upgraded Filebeat Version to 8.2.3 for XDR Collectors Installation Package

(Requires a Cortex XDR Pro per GB license)

Cortex XDR now supports Filebeat version 8.2.3 when creating an XDR Collectors installation package.


From Filebeat version 8.2.3, fileset validation is now enforced. You must enable at least one fileset in the module as filesets are disabled by default.
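
What the fileset requirement above means for a Filebeat module configuration, as an added example that is not taken from the Cortex XDR documentation. The nginx module and the log paths are assumptions chosen for illustration; the same pattern applies to any module you enable.

```yaml
# Constructed example: module choice (nginx) and log paths are assumptions.

# Fails fileset validation: the module is listed, but every fileset is
# left at its default (disabled), so no fileset is enabled.
#
# filebeat.modules:
#   - module: nginx

# Passes fileset validation: at least one fileset is explicitly enabled.
filebeat.modules:
  - module: nginx
    access:
      enabled: true
      var.paths: ["/var/log/nginx/access.log*"]
    error:
      enabled: true
      var.paths: ["/var/log/nginx/error.log*"]
```

When migrating an existing XDR Collectors profile, check every module entry for an explicit `enabled: true` on the filesets you rely on, since a fileset that was collected implicitly before will otherwise stop producing logs.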


Version 19.0.12

For more information on maintenance releases, see Maintenance Releases.

Broker VMs Page User Interface Enhancements and Updated Broker VM Web IP Address

To improve the user experience of Broker VM management and operations in the user interface, Cortex XDR has revamped the Broker VMs page.

In addition, from Broker VM version 19.X.X and higher, use the following updated Broker VM web IP address: https://<broker_vm_ip_address>:4443


New Behavioral Threat Protection Modules

To provide you with more detection and protection coverage capabilities, Cortex XDR introduces three new modules, Malicious Device Prevention, UAC Bypass Prevention, and Anti Tampering Protection.

  • Malicious Device Prevention (Windows)—Protects against potentially malicious devices being connected to an endpoint.

  • UAC Bypass Prevention (Windows)—Protects against bypassing UAC mechanisms associated with process privileges elevation.

  • Anti Tampering Protection (Windows and Mac)—Protects against tampering attempts, including modification and/or termination of the Cortex XDR agent.

You can select Enabled, Report Only, or Disabled for each module to decide the level of protection.

Endpoint Upgrade Status Reporting

Endpoint agent upgrade statuses can now be shown on custom dashboards, using new widgets. On the All Endpoints page, additional columns showing the last upgrade status, last upgrade status time, last upgrade failure reason, and last upgrade source have been added.

Agent Operational Status Visibility

To help you easily identify agent operational status in your environment, Cortex XDR now displays status details in the:

  • Sidebar view in the Endpoints table when the agent is not Protected.

  • Endpoint Dataset, enabling you to query the new field Operational Status Details.

Stationary iOS-based Device Monitoring

Cortex XDR can be configured to raise security events when stationary iOS-based endpoint devices change location or exhibit other suspicious state changes.


API Agent Operational Status Visibility

To help you easily identify agent operational status in your environment, the following fields are now displayed in the API responses:

  • Get Endpoint API response now includes the operational_status_details field.


    operational_status_description will be deprecated in a future release.

  • Get All Endpoints API response now includes the operational_status field.

New User Risk APIs

To expand your API capabilities, you can now view Risk Score information using the following new APIs:

  • Get Risk Score - Request the risk score for specific users and endpoints along with the reason for each entity score.

  • Get Risky Users and Get Risky Hosts - View the top users and endpoints with the highest risk score along with the reason for each entity score.


Forensics support for macOS

Cortex XDR now supports the collection, processing, and analysis of macOS forensic artifacts including support for triage collections from online or offline hosts.