This section describes the new features and updates of the Cortex XDR 3.12 and Cortex XDR Agent 8.6 release.
The Cortex XDR 3.12 and Cortex XDR Agent 8.6 release includes the following highlights:
FEATURE | DESCRIPTION |
---|---|
New Enterprise Multi-Tenant & MSSP licensing model | Introducing a new Enterprise Multi-Tenancy and Managed Security Service Providers (MSSPs) licensing model for Cortex XDR, streamlining the license management and monetization of child tenants. The new license allows MSSPs to own and manage child tenants on demand directly from the Gateway, in addition to the existing MSSP model. For Enterprise Multi-Tenancy administrators, the model provides a productized data segregation solution, offering greater flexibility when managing different business units. |
Enhanced Palo Alto Networks NGFW integration process | To streamline Palo Alto Networks NGFW integrations, Cortex XDR now supports onboarding NGFWs from multiple CSP accounts. Customers with multiple accounts can connect all of them to a single Cortex tenant, ensuring the completeness of their data while also leveraging the capabilities offered through the native collector. |
Windows support for Cortex XDR agent for Cloud | The Prisma Cloud vulnerability and compliance scanner integrated with the Cortex XDR agent now provides a unified agent that delivers runtime security, including vulnerability and compliance scanning, for Windows, matching the functionality on Linux-based operating systems. Security alerts and vulnerability data from the Windows Cortex XDR agent are now seamlessly forwarded to and displayed in the Prisma console, enhancing comprehensive cloud security management without requiring special configuration. |
AI-powered PowerShell examination | AI-based PowerShell script examination is now available in the Windows Malware Profile as part of our local analysis, providing additional security measures and flexibility to block, quarantine, or report malicious files. |
Streamlined control over Linux operational mode | The Agent Operation Mode setting in the Linux Agent Settings Profile is now available, enabling administrators to select a Userspace fallback mode for when Kernel Mode is unavailable. This fallback mode allows administrators to balance performance and stability according to their needs while enhancing customization and control over agent operations. |
The Cortex XDR 3.12 and Cortex XDR Agent 8.6 release includes the following enhancements:
General
FEATURE | DESCRIPTION |
---|---|
Export & Import Correlation Rules, Dashboards, and Report Templates | You can now export and import correlation rules, dashboards, and report templates in JSON format through the user interface. Easily transfer configurations between different environments, whether for onboarding, migration, backup, or sharing. |
Generic Persistence Analytics | Cortex XDR introduces advanced analytics-based generic detection suites to trigger alerts for start-up persistence techniques used by threat actors. These suites can point to the abused persistence mechanism and aid in the hunt for novel persistence techniques by identifying anomalous process execution on startup. |
Analytics Tags Highlights | Cortex XDR has updated the detectors inventory, introducing new analytics into both new and existing tags. |
In-product support case | Cortex XDR now attaches the license JSON file when creating in-product support cases, streamlining the support process for efficient handling of licensing-related issues. |
New search field on the Configurations page | A new search field on the Configurations page provides a fast and easy search of your configuration options. |
Investigation and response
FEATURE | DESCRIPTION |
---|---|
Cortex XDR auditing | Cortex XDR now enables you to audit and query Cortex authentication logs and activity logs, using Auth and SaaS stories respectively, to track and trigger alerts about attacks that target Cortex XDR. |
Detection rules
FEATURE | DESCRIPTION |
---|---|
Enhanced preconfigured alert fields mapping in Correlation Rules | Cortex XDR has enhanced the preconfigured alert fields mappings when creating or editing Correlation Rules in the Alerts Fields Mapping section, so that each preconfigured field that is automatically mapped is clearly presented in the user interface. |
New Honey User asset role | Cortex XDR introduces a new asset role, Honey User, to help detect intrusion and exploitation attempts in your network. A Honey User is a decoy user that looks attractive to potential attackers, with access to many assets. You can configure users with the Honey User asset role to trigger alerts when there is an attempt to use the credentials of these users. |
Endpoint security
FEATURE | DESCRIPTION |
---|---|
Device control enhancements | Device control profiles for Windows endpoints now provide granular control for both Classic Bluetooth and Bluetooth Low Energy (BLE) devices. Permanent and temporary exceptions can also be configured. This additional control hardens communication with these types of peripheral devices. |
Device control violation notifications | Under the User Interface settings, device control violation notifications may be disabled or enabled on endpoints running agent version 8.6 and above. Notifications displayed on the agent are enabled by default. |
New exception configuration - Disable Prevention and Injection | Cortex XDR has added the exception configuration 'Disable Prevention and Injection'. This enables you to quickly address process issues: you can temporarily implement an exception rule that excludes a process from prevention modules and injection. Alerts are still generated from data collection. |
XDR Collectors
Windows 1.4.2.1373 and Linux 1.4.2.1302
For more information on maintenance releases, see Maintenance Releases.
FEATURE | DESCRIPTION |
---|---|
XDR Collectors 1.4.2 | This release includes performance improvements and bug fixes. |
Broker VM
Version 25.0.44 (reboot required)
For more information on maintenance releases, see Maintenance Releases.
FEATURE | DESCRIPTION |
---|---|
Broker VM 25.0.44 | This release includes performance improvements and bug fixes. |
External data ingestion and management
FEATURE | DESCRIPTION |
---|---|
Improved handling of NGFW log ingestion in CEF format | Palo Alto Networks NGFW logs ingested in CEF format using the Syslog collector now receive protection, out-of-the-box data modeling, and analytics similar to those applied to logs ingested into Strata Logging Service (SLS). This ingestion option can be used when NGFW devices are in locations not supported by SLS, or when bandwidth issues are encountered due to large log volumes. |
Improved email ingestion flows for GSuite | Enhanced Gmail collection capabilities now collect data from a list of email addresses instead of from a compliance mailbox. This enhancement gives you the flexibility to collect only a subset of the mailboxes or distribution lists used in your environment. |
Improved email ingestion flows for Microsoft 365 | The new Microsoft 365 (formerly Office 365) email collector provides easy setup. Emails are fetched through the API using an authorized app in your Microsoft Azure tenant, so a compliance mailbox is no longer required. |
Cortex Query Language (XQL)
FEATURE | DESCRIPTION |
---|---|
New XQL windowcomp stage and functions (Requires a Cortex XDR Pro license) | Cortex Query Language (XQL) now supports a new windowcomp stage that precedes functions calculating statistics. The results compute values over a group of rows and return a single result for each row. This stage includes the following functions:
Read more in windowcomp. |
New XQL array_any and array_all functions (Requires a Cortex XDR Pro license) | Cortex Query Language (XQL) now supports the following new array functions: |
API
FEATURE | DESCRIPTION |
---|---|
XQL query quotas | New return fields in |
The Cortex XDR 3.12 and Cortex XDR Agent 8.6 release includes the following changes to existing functionality:
COMPONENT | AREA | DESCRIPTION |
---|---|---|
Top Incidents widget | Widget Library | The Top Incidents widget has been renamed to Top Open Incidents. This widget appears on the Incident Management dashboard. |