Agent Settings Profiles enable you to customize Cortex XDR agent settings for different platforms and groups of users.
Agent Settings Profiles enable you to customize Cortex XDR agent settings for different platforms and groups of users.
Add a new profile.
From Cortex XSIAM, select → → → → and select whether to Create New or Import from File a new profile.
Note
New imported profiles are added and not replaced.
Select the platform to which the profile applies and Agent Settings as the profile type.
Click Next.
Define the basic settings.
Select a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
To provide additional context for the purpose or business reason for creating the profile, specify a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
(Windows, Mac, and Linux only) Configure the Disk Space to allot for Cortex XDR agent logs.
Specify a value in MB from 100 to 10,000 (default is 5,000).
(Windows and Mac only) Configure User Interface options for the Cortex XSIAM console.
By default, Cortex XSIAM uses the settings specified in the default agent settings profile and displays the default configuration in parenthesis. When you select a setting other than the default, you override the default configuration for the profile.
Tray Icon—Choose whether you want the Cortex XDR agent icon to be Visible (default) or Hidden in the notification area (system tray).
XDR Agent Console Access—Enable this option to allow access to the Cortex XSIAM console.
XDR Agent User Notifications—Enable this option to operate display notifications in the notifications area on the endpoint. When disabled, the Cortex XDR agent operates in silent mode where the Cortex XDR agent does not display any notifications in the notification area. If you enable notifications, you can use the default notification messages, or provide custom text for each notification type. You can also customize a notification footer.
From version 7.8, you can enable the option to maintain a persistent notification regarding the disconnection of the endpoint from the network. The settings, Persistent Isolation Notification and Blocked Connectivity Notification must be enabled. Until the threat on the endpoint has been removed, the endpoint remains disconnected from the network.
Live Terminal User Notifications—Choose whether to Notify the end user and display a pop-up on the endpoint when you initiate a Live Terminal session. For Cortex XDR agents 7.3 and later releases only, you can select to Request end-user permission to start the session. If the end user denies the request, you will not be able to initiate a Live Terminal session on the endpoint.
(Cortex XDR agent 7.3 and later releases only) Live Terminal Active Session Indication—Enable this option to display a blinking light () on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress.
(Android only) Configure network usage preferences.
When the option to Upload Using Cellular Data is enabled, the Cortex XDR agent uses cellular data to send unknown apps to the Cortex XSIAM for inspection. Standard data charges may apply. When this option is disabled, the Cortex XDR agent queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.
(Windows and Mac only) Configure Agent Security options that prevent unauthorized access or tampering with the Cortex XDR agent components.
Use the default agent settings or customize them for the profile. To customize agent security capabilities:
Enable XDR Agent Tampering Protection.
Note
If you choose the Enabled option, you must also set Anti Tampering Protection in the Malware profile to Block, and ensure that both profiles are assigned to the same endpoints.
(Windows only) By default, the Cortex XDR agent protects all agent components, however, you can configure protection more granularly for Cortex XDR agent services, processes, files, and registry values according to the following options: With Traps 5.0.6 and later releases, when protection is enabled, access will be read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.
Service Protection-Protects against stopping the agent services. When this protection is on, the service won't accept OS requests to stop willingly.
Process Protection-Protects against tampering attempts with the agent processes; injecting into them, terminating them, reading, or writing into their virtual memory.
File Protection-Protects against tampering attempts with the agent files; deleting, replacing, renaming, moving, or writing files/directories.
Registry Protection-Protects against tampering attempts with the agent registry settings and agent policies, for example; deleting, adding, and renaming registry keys or values which belong to the agent.
Pipe Protection-Protects against tampering attempts with the agent pipe-based inter-process communication (IPC) mechanism.
(Windows and Mac only) Configure an Uninstall Password.
Define and confirm a password the user must specify to uninstall the Cortex XDR agent. The uninstall password is encrypted using an encryption algorithm (PBKDF2) when transferred between Cortex XSIAM and Cortex XDR agents. Additionally, the uninstall password is used to protect against tampering attempts when using Cytool commands.
A new password must satisfy the Password Strength indicator requirements:
Must be 8 to 32 characters.
Contain at least one upper-case, at least one lower-case letter, at least one number, and at least one of the following characters:
!@#%
.
(Windows only) Configure Windows Security Center Integration.
The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases:
Enabled—The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows shuts down Microsoft Defender on the endpoint automatically, except for endpoints that are running Windows Server versions. To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from endpoints that are running Windows Server versions and where the Cortex XDR agent is installed.
Enabled (No Patches)—For the Cortex XDR agent 5.0 release only, select this option if you want to register the agent to the Windows Security Center but prevent from Windows automatically install Meltdown/Spectra vulnerability patches on the endpoint.
Disabled—The Cortex XDR agent does not register to the Windows Action Center. As a result, Windows Action Center could indicate that Virus protection is Off, depending on other security products that are installed on the endpoint.
Note
When you Enable the Cortex XDR agent to register to the Windows Security Center, Windows shuts down Microsoft Defender on the endpoint automatically. If you still want to allow Microsoft Defender to run on the endpoint where Cortex XSIAM is installed, you must Disable this option. However, Palo Alto Networks does not recommend running Windows Defender and the Cortex XDR agent on the same endpoint since it might cause performance issues and incompatibility issues with Global Protect and other applications.
Configure Alerts Data collection options.
When the Cortex XDR agent raises alerts on process-related activity on the endpoint, the Cortex XDR agent collects the contents of memory and other data about the event in what is known as an alert data dump file. You can customize the Alert Data Dump File Size—Small, Medium, or Full (the largest and most complete set of information)—and whether to Automatically Upload Alert Data Dump File to Cortex XSIAM. During event investigation, if automatic uploading of the alert data dump file was disabled, you can manually retrieve the data.
(Requires a Cortex XDR Pro per Endpoint license) Enable and configure Cortex XDR Pro Endpoint capabilities on the endpoint, including enhanced data collection, advanced responses, and available Pro add-ons.
Enable XDR Pro Endpoints Capabilities to configure which Pro capabilities to activate on the endpoint.
The Pro features are hidden until you enable the capability. Enabling this capability consumes a Cortex XDR Pro per Endpoint license.
(Supported on Cortex XDR agent 6.0 or later for Windows endpoints, and Cortex XDR agent 6.1 or later for Mac and Linux endpoints) Enable Monitor and Collect Enhanced Endpoint Data.
By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware Security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on an endpoint (see Endpoint Data Collection). When you enable the Cortex XDR agent to monitor and collect enhanced endpoint data, you enable Cortex XSIAM to share the detailed endpoint information with other Cortex apps. The information can help to provide the endpoint context when a security event occurs so that you can gain insight into the overall event scope during an investigation. The event scope includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent will not share endpoint activity logs.
(Requires Host Insights add-on and Cortex XDR agent 7.1 or later releases) Enable Host Insights Capabilities.
Enable Endpoint Information Collection to allow the Cortex XDR agent to collect Host Inventory information such as users, groups, services, drivers, hardware, and network shares, as well as information about applications installed on the endpoint, including CVE and installed KBs for Vulnerability Assessment.
When enabled, the Cortex XDR agent collects detailed information about files on the endpoint to create a files inventory database. The agent locally monitors any actions performed on these files and updates the local files inventory database in real-time.
With this option you can also select the File Search and Destroy Monitored File Types where Cortex XSIAM monitors all file types or only common file types. If you choose Common file types, Cortex XSIAM monitors the following file types:
Windows—
bin, msi, doc, docx, docm, rtf, xls, xlsx, xlsm, pdf, ppt, pptx, pptm, ppsm, pps, ppsx, mpp, mppx, vsd, xsdx
andwsf
.A hash will also be computed for these file types:
zip, pe,
andole
.File size is limited to 30 MB by default. Searches of files larger than 30 MB by hash are not supported.
Mac—
acm, apk, ax, bat, bin, bundle, csv, dll, dmg, doc, docm, docx, dylib, efi, hta, jar, js, jse, jsf, lua, mpp, mppx, mui, o, ocx, pdf, pkg, pl, plx, pps, ppsm, ppsx, ppt, pptm, pptx, py, pyc, pyo, rb, rtf, scr, sh, vds, vsd, wsf, xls, xlsm, xlsx, xsdx,
andzip
.
Additionally, you can exclude files that exist under a specific local path on the endpoint from inclusion in the files database.
(Requires Forensics Add-on and Cortex XDR agent 7.4 or later for Windows endpoints) Enable Monitor and Collect Forensics Data to allow the Cortex XDR agent to collect detailed information about what happened on your endpoint to create a forensics database. Define the following if to enable collection and in what time intervals of the following entity types:
Process Execution
File Access
Persistence
Command History
Network
Remote Access
Search Collections
Data collected by the agent is displayed in the Forensic Data Analysis page.
When enabled, the Cortex XDR agent scans your network using Ping or Nmap to provide updated identifiers of your unmanaged network assets. Ping scans return the IP address, MAC address, Hostname, and Platform, whereas Nmap will scan the most common ports for the IP address, Hostname, Platform, and OS version.
The scan is performed according to the subnets detected in each network interface found on the endpoint, and up to a maximum of ~1K IP addresses calculated according to agent_ip/22. For example, an agent with the IP address 121.121.121.121 will be assigned the scan range: 121.121.120.1 - 121.121.123.254 (1024 addresses). Each agent is assigned scan ranges randomly from all the scannable subnets, so the same agent can scan multiple subnets.
The following criteria effects the scan:
There must be at least two endpoints detected in order to assign a scan.
Network Location configuration must be enabled.
Subnet masking settings and service name configurations influence the scan.
Excluded IP address ranges are not scanned.
In the Network Location Configuration section, set the Action Mode to Enabled.
In the Distributed Network Scan section, set the Action Mode to Enabled.
In Scan Mode, select Nmap or Ping.
Note
When using Nmap, the Cortex XDR agent downloads an Nmap driver for the duration of the scan and removes the driver upon completion. If an Nmap scan is in process, Cortex XDR identifies the Nmap driver and places any additional scans in a queue.
The scan is performed according to the subnets detected in each network interface found on the endpoint.
Select if you want to Excluded IP Address Ranges. The IP address ranges are populated from your Network Configurations.
If you selected Nmap, enable or disable whether to return the OS Fingerprinting of the IP address.
Depending on the type of scan you defined, the agent Ping scan takes 30 minutes and Nmap 60 minutes. Following each scan, Cortex XDR aggregates the IP address collected and displays the results in the Asset Management table.
Configure XDR Cloud settings.
By default (auto detect mode), the agent detects whether an endpoint is a cloud-based (container) installation or a permanent installation, and uses license allocation accordingly.
Auto detect automatically detects whether the endpoint is cloud-based, or a permanent installation, and applies the appropriate license.
Enabled treats any agent using this profile as if it is a cloud-based agent for licensing purposes.
Configure Response Actions.
If you need to isolate an endpoint but want to allow access for a specific application, add the process to the Network Isolation Allow List. The following are considerations to the allow list:
When you add a specific application to your allow list from network isolation, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example, ping.exe, can use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.
(Windows) For VDI sessions, using the network isolation response action can disrupt communication with the VDI host management system thereby halting access to the VDI session. As a result, before using the response action you must add the VDI processes and corresponding IP addresses to your allow list.
+Add an entry to the allow list.
Specify the Process Path you want to allow and the IPv4 or IPv6 address of the endpoint. Use the
*
wildcard on either side to match any process or IP address. For example, specify*
as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify*
as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.Click the check mark when finished.
(Windows and Mac only) Configure Backup Management.
For Windows, you can enable or disable Shadowcopy Activation, If enabled, this automatically turns on the system protection of the endpoint. This ensures that the data is backed up and may be recovered in cases of any security breaches or loss of data.
For MacOS, you can enable or disable Time Machine Activation. If enabled, this automatically turns on the Time Machine setting of the endpoint. This ensures that the data is backed up and may be recovered in cases of any security breaches or loss of data.
(Linux only) Configure settings to automatically Revert Endpoint Isolation of an agent. When this feature is enabled, agent isolation will be canceled when a connection with the managing server is lost for the defined continuous period of time.
Either keep the recommended default setting (Enabled), or change it by selecting Disabled in the Revert Isolation field.
Set a time unit (Hours or Days) and enter the number of hours or days. We recommend 24 hours (default).
(Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Specify the Content Configuration for your Cortex XDR agents.
Content Auto-update—By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint so it is always protected with the latest security measures. However, you can Disable the automatic content download. Then, the agent stops retrieving content updates from the Cortex XSIAM Server and keeps working with the current content on the endpoint.
Note
If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XSIAM and then disables content updates on the endpoint.
When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrades policy, the policy is applied to the added agent as well.
Content Rollout—The Cortex XDR agent can retrieve content updates Immediately as they are available, or after a pre-configured Delayed period. When you delay content updates, the Cortex XDR agent will retrieve the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.
Warning
If you disable or delay automatic-content updates provided by Palo Alto Networks, it may affect the security level in your organization.
Agent Auto-Uprade is disabled by default. Before enabling Auto-Update for Cortex XDR agents, make sure to consult with all relevant stakeholders in your organization.
Select the Automatic Upgrade Scope:
Latest agent release
One release before the latest one
Only maintenance release
Only maintenance release in a specific version
If you choose One release before the latest one, Cortex XSIAM upgrades the agent to the previous release before the latest, including maintenance releases.
Select the Upgrade Rollout:
Immediate
Delayed—Specify the Delay Period In Days using a numeric value. Optional values are
7
through 45.
To control the agent auto upgrade scheduler and number of parallel upgrades in your network, see Configure Global Agent Settings.
Note
Automatic upgrades are not supported with non-persistent VDI and temporary sessions.
(Optional) For Critical Environment (CE) versions, make sure to select if you want to upgrade your CE versions only within the CE lines. It can take up to 15 minutes for new and updated auto-upgrade profile settings to take effect on your endpoints.
(Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Specify the Download Source for agent and content updates.
To reduce your external network bandwidth loads during updates, you can select the Download Source(s) from which the Cortex XDR agent retrieves agent release upgrades and content updates: from a peer agent in the local network, from the Palo Alto Networks Broker VM, or directly from the Cortex server. If all options are selected in your profile, then the attempted download order is first using P2P, then from Broker VM, and lastly from the Cortex Server.
(Requires Cortex XDR agents 7.4 and later for P2P agent upgrade) P2P— Cortex XSIAM deploys serverless peer-to-peer P2P distribution to Cortex XDR agents in your LAN network by default. Within the six hour randomization window during which the Cortex XDR agent attempts to retrieve the new version, it will broadcast its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent did not retrieve the files from other agents in both queries, it will proceed to the next download source defined in your profile.
To enable P2P, you must enable UDP and TCP over the defined PORT in Download Source. By default, Cortex XSIAM uses port 33221. You can configure another port number.
(Requires Cortex XDR agents 7.4 and later releases and Broker VM 12.0 and later) Broker VM—If you have a Palo Alto Networks Broker VM in your network, you can leverage the Local Agent Settings applet to cache release upgrades and content updates. When enabled and configured, the Broker retrieves from Cortex XSIAM the latest installers and content every 15 minutes and stores them for a 30-days retention period since an agent last asked for them. If the files were not available on the Broker VM at the time of the ask, the agent proceeds to download the files directly from the Cortex XSIAM server.
If you enable the Broker download option, proceed to select one or more available Broker VMs from the list. Cortex XSIAM enables you to select only Broker VMs that are connected and for which content caching is configured. For content caching to work properly, a FQDN and SSL Server Certificate must be configured. When you select multiple Broker VMs, the agent chooses randomly which Broker VM to use for each download request.
Cortex Server—To ensure your agents remain protected, the Cortex Server download source is always enabled to allow all Cortex XDR agents in your network to retrieve the content directly from the Cortex XSIAM server on their following heartbeat.
Note
Limitations in the content download process:
When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take between five to ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.
When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version, if the new agent cannot use the content version running on the endpoint, then the new content update will start within one minute in P2P and within five minutes from Cortex XSIAM.
Enable Network Location Configuration for your Cortex XDR agents.
(Requires Cortex XDR agents 7.1 and later releases) If you configure host firewall rules in your network, you must enable Cortex XSIAM to determine the network location of your device, as follows:
A domain controller (DC) connectivity test— When Enabled, the DC test checks whether the device is connected to the internal network or not. If the device is connected to the internal network, it is in the organization. Otherwise, if the DC test failed or returned an external domain, Cortex XSIAM proceeds to a DNS connectivity test.
A DNS test—In the DNS test, the Cortex XDR agent submits a DNS name that is known only to the internal network. If the DNS returned the pre-configured internal IP, the device is within the organization. Otherwise, if the DNS IP cannot be resolved, the device is located elsewhere. Specify the IP Address and DNS Server Name for the test.
If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and re-calculates the policy according to the new location.
(Supported for Linux only) For Agent Operation Mode, three modes of operation exist:
Kernel module-based operation, offering synchronous anti-malware protection, event collection from kernel level, and anti-lpe protection
User Space Agent: user mode agent, for agents running Linux kernel 5.0.0 or higher, offering synchronous anti-malware and event collection from kernel level
Neither of the above. When working in Kernel module-based operation running on an endpoint with an unsupported kernel, or installing with installation flag
--no-km
, or when working in User Space Agent mode on a Linux kernel older than 5.0.0, the agent will run in Asynchronous mode. In such cases, the anti-malware protection is asynchronous, and there is no event collection, no BTP, no EDR and no anti-lpe. This operation mode frequently shows "partially protected" endpoints. To avoid this, you can configure the profile to give preference to Kernel mode, but to switch to User Space Agent mode when the kernel module for an endpoint is not supported by a content update, and switch back when a the kernel module in use is supported in a newer content update.
Endpoints running the Cortex XDR agent in Kernel mode can now be configured to automatically fall back to User Space Agent mode when a content update does not contain a kernel module for the kernel used by an endpoint.
Configure the following:
Mode - Select either Kernel or User Space Agent. We recommend using Kernel mode.
Danger
User Space Agent mode requires Linux kernel 5.0.0 or higher.
When Kernel Mode is unavailable, use User Space Mode - Select either Enabled or Disabled.
When Kernel mode is used, to ensure continued full protection when a kernel version is not supported by a content update, select the Enabled option.
Note
User Space Agent mode requires Linux kernel 5.0.0 or higher. Endpoints running an older Linux kernel version with this fallback enabled, will not start using User Space Agent mode, and will operate asynchronously.
When a newer content update supports the endpoint's kernel module, fallback is canceled, and Kernel mode is automatically resumed.
Define your Agent Proxy Settings.
Select whether to Enable or Disable Direct Server Access for the agent when connected using a proxy.
(Supported for iOS only) Configure the following notifications that can be pushed to the iOS device.
App Notifications - Select whether to Disable or Enable app notifications to the device.
Jailbreak Detection - Select whether to Enable or Disable Jailbreak detection notification to the device.
Restart Recommendation - Select whether to Enable or Disable a reboot notification to the device. An option can be set for a reminder every number of days. Default 15 days.
Stationary device indicators—Select whether to Enable or Disable notifications for stationary iOS devices, such as iPads that are expected to remain in a fixed location. Options include significant location change, removal of power source, significant change of network, and low battery. In the case of low battery notifications, you can configure a threshold for the device's remaining charge level (10% - 90%). You can also configure the device to display a Stationary Device indication on its home screen.
(Linux only) Configure settings to automatically Revert Endpoint Isolation of an agent. When this feature is enabled, agent isolation will be cancelled when a connection with the managing server is lost for the defined continuous period of time.
Either keep the recommended default setting (Enabled), or change it by selecting Disabled in the Revert Isolation field.
Set a time unit (Hours or Days) and enter the number of hours or days. We recommend 24 hours (default).
(Linux only, for tenants paired with Prisma Cloud, optional) Configure periodic Active Vulnerability Analysis (AVA) scans. When AVA scans are enabled, you can configure them to run at set intervals on a monthly, weekly, or hourly basis. The default period is once every 24 hours.
To enable periodic scanning, for Advanced Vulnerability Scanning, select Enabled.
Configure the Periodic Scan time period: For the default setting, select 24 Hours. For other time frames, select Custom, and then configure the desired time frame.
Where relevant, select the start day and time for the periodic scans. If you select monthly scans, you can also configure a timeout period, in hours.
Define settings for collecting IT Metrics on the endpoint.
Select whether to enable or disable collection of IT metrics. When this option is set to Enabled, Cortex XSIAM collects IT data that provides visibility into IT performance on the Agent.
Agent Certificates (Windows and Mac only). For improved security, enforce the use of root CA that is provided by Palo Alto Networks rather than on the local machine.
Enabled - Enforcement is enabled. Note, If the Cortex XDR agent is initially unable to communicate without the local store, enforcement is not enabled and the agent will show as partially protected.
Disabled (Notify) - Enforcement is disabled. Agents with this policy will trigger a banner in the server to notify customers about potential risk and direct them to change the certificate and the setting. The column of the All Endpoints table is updated and management audit logs related to the local store fallback are received by the server.
Disabled - Enforcement is disabled. Agents with this policy will trigger a banner in the server to notify customers about potential risk and direct them to change the certificate and the setting. The column of the of the All Endpoints table is not updated and no management audit logs related to the local store fallback are received by the server
Create your profile to save the changes to your profile.
Apply Security Profiles to Endpoints.
You can do this in two ways: You can Create a new policy rule using this profile from the right-click menu or you can launch the new policy wizard from Policy Rules.