October 2023 - Release Notes - Cortex XDR - Cortex - Security Operations

Cortex XDR Release Notes


This section describes the new features and updates of the Cortex XDR 3.8 and Cortex XDR Agent 8.2 releases.

The Cortex XDR 3.8 and Agent 8.2 releases include the following highlights:



Security modules

Cortex XDR introduces new prevention modules that provide more detection and protection coverage capabilities.

  • Container-escaping protection (Linux): Prevention against malicious attempts at escaping a container to gain access to the Linux host or to other containers.

  • Ransomware Protection (macOS): Enhancement of the defense module to improve the protection against ransomware attacks on macOS endpoints.

Dynamic dashboards

(Requires a Cortex XDR Pro license)

Cortex XDR provides new capabilities for refining the scope of data on a dashboard. You can easily adapt dashboard data to fit a specific investigation, and filter data across all dashboard widgets. These capabilities include:

  • Defining fixed dashboard filters based on static or dynamic inputs. Dashboard users can select single or multiple values by which to filter the data. These filters affect all of the dashboard widgets that use the configured parameter in their query.

  • Defining in-dashboard drilldowns that trigger contextual changes on the dashboard.

  • Defining drilldowns that map parameters to target dashboards.

Flexible hot storage retention license

To help accommodate varying storage requirements for different retention periods and datasets, Cortex XDR now includes an additional Hot Storage license. This license enables you to set the amount of flexible Hot Storage-based retention designated for a dataset and the priority for the dataset’s Hot Storage. You can purchase this storage-based license, which is managed from the Dataset Management page, instead of our current period-based retention licenses. Read more in License Retention and Dataset Management.

New cloud security agent (Beta)

To ease the protection and visibility efforts in your cloud environment, customers using both Cortex and Prisma Cloud Compute solutions can use a single agent providing end-to-end prevention and vulnerability coverage on Linux cloud platforms.

Reach out to your Palo Alto Networks representative to activate the full beta capabilities.

New Broker VM image

Cortex XDR now includes a new Broker VM image with enhanced capabilities, as well as an updated operating system (Ubuntu 20.04).

Going forward, upgrading Broker VMs to a new version will only be supported by brokers installed with this new image.

Instructions for migrating your brokers to the new image are explained here.

New XQL incidents and alerts datasets

(Requires a Cortex XDR Pro license)

To help you query data related to the Incidents and Alerts tables, Cortex XDR now includes new datasets called incidents and alerts.

MBR Protection Module

Cortex XDR introduces an improved detection engine on the Cortex XDR agent to enhance its protection against malicious Master Boot Record (MBR) manipulations.

The Cortex XDR 3.8 and Cortex XDR Agent 8.2 releases include the following enhancements:

Investigation and Response



Incident page enhancements

The Incident Overview tab was revised to provide an improved incident response and investigation experience, including fonts, sizing, and other UI improvements.

New incident lifecycle widgets

New and improved widgets help you measure the operational efficiency of incident and alert handling, and identify issues in the incident response process. The widgets identify peaks in incident and alert creation, provide visibility into the incident lifecycle, and help balance workloads by identifying the incidents assigned to each analyst:

  • Open Incidents

  • Incidents by Status Duration

  • Open Incidents by Assignee Over Time

Endpoint Security



Risky prevention policies notifications

Cortex XDR introduces a new feature that identifies risky prevention policies based on Palo Alto Networks best-practice policy settings. Admins can review and update flagged policies to enhance global security posture.

XDR Collectors

Windows and Linux

For more information on maintenance releases, see Maintenance Releases.



XDR collectors upgraded Filebeat and Winlogbeat versions

(Requires a Cortex XDR Pro per GB license)

Cortex XDR now supports using Filebeat and Winlogbeat version 8.8.1 when using XDR collectors on Windows and Linux machines.

Updated XDR Collectors for Linux and Windows Python versions

(Requires a Cortex XDR Pro per GB license)

Cortex XDR has upgraded the XDR Collectors to use Linux Python 3.9.17 and Windows Python 3.7.17 on 32-bit or 64-bit.

Broker VM

Version 21.1.12

For more information on maintenance releases, see Maintenance Releases.



Broker VM 21.1.12

This release includes performance improvements and bug fixes.

External Data Ingestion and Management



Lookup management enhancements

  • The Files and Folders Collector was enhanced with an option to automatically collect reference data into a lookup dataset. Read more in Activate the Files and Folders Collector.

  • While importing data manually from a file into an existing dataset using the Add Lookup option in the Dataset Management screen, you can now select to replace the existing data in the dataset.

  • You can now manually edit existing lookup datasets to update reference data directly from the console.

Cortex Query Language (XQL)



New XQL convert_to_base_64 function

(Requires a Cortex XDR Pro license)

Cortex XDR now supports a new function called convert_to_base_64, which converts decoded input to its base64-encoded string format. See more in convert_to_base_64.

New XQL datasets subset of xdr_data

(Requires a Cortex XDR Pro license)

To provide faster query results, instead of querying the entire xdr_data dataset, Cortex XDR added the following three datasets:

  • vpn_logs: VPN logs, such as GlobalProtect.

  • auth_logs: Authentication logs, such as Okta.

  • login_logs: Login logs, such as WEC.

The fields contained in any of these datasets are a subset of the fields in the xdr_data dataset.

New system field added to XDR Collectors datasets

(Requires a Cortex XDR Pro per GB license)

A new system field called _collector_internal_ip_address was added to all XDR Collector datasets including Filebeat and Winlogbeat data. This system field provides the internal IP of the endpoint.




New Cortex In-App documentation

Cortex XDR now includes in-product documentation that helps you find information about new and existing features, reference material, and common workflows. While you're working with Cortex products (XDR/XSIAM/XSOAR), the documentation will launch relative to your current location from within the product.

Stay tuned for the Help Chat (which will gradually be rolled out), as part of the Cortex XDR Help Center. With the AI-driven Help Chat, you will be able to ask questions about features and tasks and immediately receive a response.

Enabling automatic backup in Cortex XDR

To better secure your machines against ransomware attacks, a new solution based on native operating system backup mechanisms (Time Machine on macOS and Shadow Copy on Windows) allows customers to turn on automatic backups from Cortex XDR.

Cortex SSO improvements

For SSO configuration of Cortex XDR, you now have the option to enter a metadata URL, rather than manually providing the IdP SSO URL, issuer ID, and X.509 certificate.

Refresh all dashboard widgets

Dashboards now include a refresh icon that updates the data for all dashboard widgets with a single click.

Analytics Detector Tags

A new tag type, Detector Tags, has been added to Alerts, Incidents, and Analytics BIOC Rules. This tag enables you to filter for specific detectors such as Identity Threat, Identity Analytics, and Alert Analytics. The addition of Detector Tags enables more efficient data analysis and threat management.

The Cortex XDR 3.8 and Cortex XDR Agent 8.2 releases include the following changes to existing functionality:




User Space Mode for Container-Optimized OS (COS)

Container-Optimized OS on Google Cloud Platform

For Google Container-Optimized OS (COS) on Google Cloud Platform, the Cortex XDR agent now enforces User Space Mode. Kernel Mode on this platform is no longer supported.

See more information about configuration requirements and limitations in the Cortex XDR Agent Administration Guide.

Total Incident widget

Widget library

The Total Incident widget has been renamed to Open Incidents and includes new functionality. You can now group the graph data by hour, day, or week, and you can choose to display data about incidents or alerts.

Incident Management Dashboard and Report

Dashboards and Reports

The Incident Management Dashboard and Report templates have been updated to include the new Open Incidents and Open Incidents by Assignee Over Time widgets.