Set up agent settings profiles - Administrator Guide - Cortex XSIAM - Advanced Endpoint Protection - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-04-25
Category
Administrator Guide
Abstract

Use agent settings profiles to customize Cortex XDR agent settings for different platforms and groups of users.


The tasks below are organized according to the operating systems used by your organization's endpoints.

  1. Add a new profile and define basic settings.

    1. Select Endpoints > Policy Management > Prevention > Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Windows platform, and Agent Settings as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. For Disk Quota, configure the amount of disk space to allot for Cortex XDR agent logs. Specify a value in MB from 100 to 10,000 (default is 5,000).

  3. Configure the User Interface options for Cortex XSIAM.

    By default, Cortex XSIAM uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.

    Item

    Options

    More details

    Tray Icon

    • Visible (default)

    • Hidden

    Choose whether you want the Cortex XDR agent icon to be Visible or Hidden in the notification area (system tray).

    XDR Agent Console Access

    • Enabled

    • Disabled

    When enabled, allows access to the Cortex XDR agent console on the endpoint.

    XDR Agent User Notifications

    • Enabled

    • Disabled

    Enable this option to display notifications in the notification area on the endpoint. When you enable notifications, you can use the default notification messages that are displayed for each option, or provide custom text for each notification type. You can also customize a notification footer. Options include:

    • Live Terminal User Notifications: You can select to Request end-user permission to start the session. If the end user denies the request, you will not be able to initiate a Live Terminal session on the endpoint.

    • Live Terminal Active Session Indication: Enable this option to display a blinking light on the tray icon for the duration of the remote session to indicate to the end user that a Live Terminal session is in progress.

    • Persistent Isolation Notification

    • Endpoint Network Isolation Notification

    • Endpoint Network Un-Isolation Notification

    • Blocked Connectivity Notification

    • Exploit/Malware Events Set to Block

    • Restriction Events Set to Block

    • Restriction Events Set to Notify User

    • Notification Footer Text

    • USB Device Was Blocked

    • USB Disk Drive Was Allowed in Read-Only Mode

    Note

    You can enable the option to maintain a persistent notification regarding the disconnection of the endpoint from the network. The settings Persistent Isolation Notification and Blocked Connectivity Notification must be enabled. Until the threat on the endpoint has been removed, the endpoint remains disconnected from the network.

  4. Customize Agent Security settings. By default, the Cortex XDR agent protects all agent components. However, you can configure protection with more granularity for Cortex XDR agent services, processes, files, registry values and tampering protection.

    Note

    In Traps 5.0.6 and later releases, when protection is enabled, access will be read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.

    1. Enable XDR Agent Tampering Protection.

      Note

      If you choose the Enable option, you must also enable XDR Agent Tampering Protection in the malware profile and set it to Block. Ensure that both profiles are assigned to the same endpoints.

    2. You can customize the following options:

    Item

    Options

    More details

    Service Protection

    • Enabled

    • Disabled

    Protects against stopping agent services. When this protection is enabled, agent services won't accept operating system stop requests.

    Process Protection

    • Enabled

    • Disabled

    Protects against attempts to tamper with agent processes, such as injecting into them, terminating them, or reading from or writing to their virtual memory.

    File Protection

    • Enabled

    • Disabled

    Protects against attempts to tamper with agent files, such as deleting, replacing, renaming, moving, or writing agent files and directories.

    Registry Protection

    • Enabled

    • Disabled

    Protects against attempts to tamper with agent registry settings and agent policies, such as deleting, adding, and renaming registry keys or values which belong to the agent.

    Pipe Protection

    • Enabled

    • Disabled

    Protects against attempts to tamper with the agent's pipe-based inter-process communication (IPC) mechanism.

  5. For Uninstall Password, configure an uninstall password.

    Define and confirm an encrypted password that the user must specify to uninstall the Cortex XDR agent. The uninstall password, also known as the supervisor password, is also used to protect against tampering attempts using Cytool commands. The password must contain:

    • 8 to 32 characters

    • At least one of each of the following:

      • Lower-case letter

      • Upper-case letter

      • Number

      • Special character: !@#%

  6. Configure Windows Security Center Integration.

    The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases.

    Note

    When you enable Cortex XDR agent registration with the Windows Security Center, Windows automatically shuts down Microsoft Defender on Windows-based workstation endpoints. If you still want to allow Microsoft Defender to run on a workstation endpoint where Cortex XSIAM is installed, you must use the Disable option. However, Palo Alto Networks does not recommend running Windows Defender and the Cortex XDR agent on the same endpoint, because this might cause performance and incompatibility issues with GlobalProtect and other applications.

    On Windows-based servers, ensure that Windows Defender is disabled. This can be done using a Group Policy Object (GPO) or another group management tool of your choice.

    Item

    Options

    More details

    Windows Security Integration

    Enabled

    The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows automatically shuts down Microsoft Defender on the endpoint, except for endpoints that are running Windows Server versions.

    To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from Windows Server-based endpoints where the Cortex XDR agent is installed.

    Enabled No Patches

    (Traps 5.0 release only) Select this option if you want to register the agent with the Windows Security Center, but prevent Windows from automatically installing Meltdown/Spectre vulnerability patches on the endpoint.

    Disabled

    The Cortex XDR agent does not register with the Windows Action Center. As a result, Windows Action Center might indicate that virus protection is off, depending on other security products that are installed on the endpoint.

  7. Configure Alerts Data collection options.

    When the Cortex XDR agent raises alerts on process-related activity on the endpoint, the agent collects the contents of memory and other data about the event, in what is known as an alert data dump file. You can configure the Cortex XDR agent to automatically upload alert data dump files to Cortex XSIAM.

    Item

    Options

    More details

    Alert Data Dump File Size

    • Small

    • Medium

    • Full

    The Full option creates the largest and most complete set of information.

    Automatically Upload Alert Data Dump File

    • Enabled

    • Disabled

    During event investigation, if automatic upload was disabled, you can still manually retrieve this data.

  8. Enable XDR Pro Endpoint Capabilities, and then configure the capabilities required by your organization. The Cortex XDR Pro features are hidden until you enable this option.

    Notice

    Requires a Cortex XDR Pro per Endpoint license. When you enable this feature, a Cortex XDR Pro per Endpoint license is consumed.

    Item

    Options

    More details

    Monitor and Collect Enhanced Endpoint Data

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on an endpoint. When you enable the Cortex XDR agent to monitor and collect enhanced endpoint data, Cortex XSIAM shares the detailed endpoint information with other Cortex apps. The information can help to provide the endpoint context when a security event occurs, so that you can gain insight into the overall event scope during an investigation. The event scope includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent will not share endpoint activity logs.

    Enable Host Insights Capabilities

    • Enabled

    • Disabled

    Notice

    Requires Host Insights add-on.

    Note

    This is not supported in Traps 5.0.x.

    When enabled, the various host insight capabilities can be configured.

    Endpoint Information Collection

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent collects host inventory information such as users, groups, services, drivers, hardware, and network shares, as well as information about applications installed on the endpoint, including CVE and installed KBs for Vulnerability Assessment.

    File Search and Destroy Action Mode

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    When enabled, the Cortex XDR agent collects detailed information about files on the endpoint to create a files inventory database. The agent locally monitors any actions performed on these files and updates the local files inventory database in real-time.

    With this option you can also select the File Search and Destroy Monitored File Types where Cortex XSIAM monitors all the files on the endpoint, or only common file types. If you choose Common file types, Cortex XSIAM monitors the following file types:

    bin, msi, doc, docx, docm, rtf, xls, xlsx, xlsm, pdf, ppt, pptx, pptm, ppsm, pps, ppsx, mpp, mppx, vsd, xsdx and wsf.

    A hash will also be computed for these file types: zip, pe, and ole.

    File size is limited to 30 MB by default. Searches of files larger than 30 MB by hash are not supported.

    Additionally, you can exclude files that exist under a specific local path on the endpoint from inclusion in the files database.

    Monitor and Collect Forensics Data

    • Enabled

    • Disabled

    Notice

    Requires Forensics Add-on.

    Note

    This is not supported in Traps 5.0.x.

    When enabled, the Cortex XDR agent collects detailed information about what happened on your endpoint, to create a forensics database. Define the following to enable collection and collection time intervals for the following entity types:

    • Process Execution

    • File Access

    • Persistence

    • Command History

    • Network

    • Remote Access

    • Search Collections

    Data collected by the agent is displayed on the tenant's Forensics page.

    Distributed Network Scan

    • Enabled

    • Disabled

    Note

    To enable access to these options, scroll down to Network Location Configuration, and set Action Mode to Enabled.

    (Not supported in Traps 5.0.x)

    When enabled, the Cortex XDR agent scans your network using Ping or Nmap to provide updated identifiers of your unmanaged network assets. Ping scans return the IP address, MAC address, Hostname, and Platform, whereas Nmap will scan the most common ports for the IP address, Hostname, Platform, and OS version.

    Ping is a lighter scan that generates ICMP requests to peers and does not use external tools. Nmap generates more noise on the network, but its results can be better, and it also supports operating system detection.

    Ping scans are performed in 30 minute intervals. Nmap scans are performed in 60 minute intervals.

    The scan is performed according to the subnets detected in each network interface found on the endpoint, and up to a maximum of ~1K IP addresses calculated according to agent_ip/22. For example, an agent with the IP address 121.121.121.121 will be assigned the scan range: 121.121.120.1 - 121.121.123.254 (1024 addresses). Each agent is assigned scan ranges randomly from all the scannable subnets, so the same agent can scan multiple subnets.

    The following criteria affect the scan:

    • There must be at least two endpoints detected in order to assign a scan.

    • Network Location Configuration must be enabled.

    • Subnet masking settings and service name configurations influence the scan.

    • Excluded IP address ranges are not scanned.

    1. In the Network Location Configuration section, set the Action Mode to Enabled.

    2. In the Distributed Network Scan section, set the Action Mode to Enabled.

    3. In Scan Mode, select Nmap or Ping.

      Note

      When using Nmap, the Cortex XDR agent downloads an Nmap driver for the duration of the scan and removes the driver upon completion. If an Nmap scan is in process, Cortex XSIAM identifies the Nmap driver and places any additional scans in a queue.

      The scan is performed according to the subnets detected in each network interface found on the endpoint.

    4. If you want to exclude IP address ranges, select Excluded IP Address Ranges. The IP address ranges are populated from your network configurations.

    5. If you selected Nmap, enable or disable OS Fingerprinting of the IP address.

    Depending on the type of scan you defined, the agent Ping scan takes 30 minutes, and Nmap takes 60 minutes. Following each scan, Cortex XDR aggregates the IP addresses that were collected, and displays the results in the Asset Management table.
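The scan range rule above (each agent's address widened to a /22, about 1K addresses, with excluded IP address ranges never scanned) can be reproduced with Python's standard ipaddress module. This is an added example, not Cortex XSIAM or agent code; the "start-end" format for exclusions is an assumption of this example, since the documentation only says the ranges are populated from your network configuration.

```python
"""Scan-range helper for the Distributed Network Scan rule (agent_ip/22).

Added example, not Cortex XSIAM code. It reproduces the documented rule
that an agent is assigned the /22 containing its own address, and then
removes excluded IP address ranges, which the documentation says are not
scanned. The "start-end" exclusion format is an assumption of this example.
"""
import ipaddress


def scan_range(agent_ip: str, prefix: int = 22):
    """Return the /22 network containing agent_ip, with its first and last host.

    strict=False lets ipaddress zero out the host bits for us, so
    121.121.121.121/22 becomes 121.121.120.0/22.
    """
    net = ipaddress.ip_network(f"{agent_ip}/{prefix}", strict=False)
    hosts = list(net.hosts())  # network and broadcast addresses are excluded
    return net, hosts[0], hosts[-1]


def parse_exclusion(text: str):
    """Parse 'a.b.c.d-e.f.g.h' (assumed format) into an inclusive (start, end) pair."""
    start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    if end < start:
        raise ValueError(f"exclusion end precedes start: {text}")
    return start, end


def scannable_addresses(agent_ip: str, exclusions=(), prefix: int = 22):
    """Hosts in the agent's /22 that fall outside every excluded range."""
    net, _, _ = scan_range(agent_ip, prefix)
    ranges = [parse_exclusion(e) for e in exclusions]
    return [h for h in net.hosts() if not any(s <= h <= e for s, e in ranges)]


if __name__ == "__main__":
    # The documentation's own example: agent 121.121.121.121
    net, first, last = scan_range("121.121.121.121")
    print(f"{net}: {first} - {last}, {net.num_addresses} addresses")
    # Constructed exclusion: keep the 121.121.122.0/24 block out of the scan
    kept = scannable_addresses("121.121.121.121", ["121.121.122.0-121.121.122.255"])
    print(f"{len(kept)} addresses remain scannable after the exclusion")
```

For the documentation's 121.121.121.121 example this yields the network 121.121.120.0/22 (1024 addresses) spanning hosts 121.121.120.1 to 121.121.123.254, which is exactly the range the text quotes; subtracting a /24 exclusion removes 256 of the 1022 usable host addresses.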

  9. Configure XDR Cloud for hosts running on cloud platforms. By default (auto-detect mode), the agent detects whether an endpoint is a cloud-based (container) installation or a permanent installation, and uses license allocation accordingly.

    Item

    Options

    More details

    XDR Cloud

    • Auto-detect

    • Enabled

    If you set this to Enabled in the profile, any agent using this profile will be treated as if it is a cloud-based agent for licensing purposes.

  10. Configure Response Actions for specific applications or processes, using an Allow list.

    If you need to isolate an endpoint, but want to allow access for a specific application or process, add it to the Network Isolation Allow List. Keep the following considerations in mind:

    • When you add a specific application to your allow list from network isolation, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example, ping.exe, can use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.

    • For VDI sessions, use of the network isolation response action can disrupt communication with the VDI host management system, thereby stopping access to the VDI session. Therefore, before using the response action, you must add the VDI processes and corresponding IP addresses to your allow list.

    1. Click Add to add an entry to the allow list.

    2. Specify the Process Path that you want to allow, and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.

    3. Click the check mark.

  11. Configure Backup Management to back up endpoint data.

    Item

    Options

    More details

    Shadowcopy Activation

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent automatically turns on system protection on the endpoint. This ensures that the data is backed up and can be recovered in the event of a security breach or data loss.

    Disk Space Limitation

    Disk space in MB

    Limits the amount of disk space in MB that can be used for endpoint data backup.

  12. Configure the method used to update content on your endpoints.

    (Not supported in Traps 5.0.x)

    Warning

    If you disable or delay the automatic content updates provided by Palo Alto Networks, it may affect the security level in your organization.

    Note

    • If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XSIAM, and then disables content updates on the endpoint.

    • When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrades policy, the policy is applied to the added agent as well.

    Item

    Options

    More details

    Content Auto-update

    • Enabled

    • Disabled

    By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint, to ensure that it is always protected with the latest security measures.

    If you disable content updates, the agent stops retrieving them from the Cortex XSIAM tenant, and keeps working with the current content on the endpoint.

    Content Rollout

    • Immediately

    • Delayed

    The Cortex XDR agent can retrieve content updates immediately as they are available, or after a pre-configured delay period. When you delay content updates, the Cortex XDR agent will retrieve the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.

  13. Enable automatic Cortex XDR agent upgrades, to ensure that your endpoints are always up-to-date with the latest release. You can also configure your system to choose one release before the latest available release.

    Note

    Automatic upgrades are not supported with non-persistent VDI and temporary sessions.

    Item

    Options

    More details

    Agent Auto-Upgrade

    • Enabled

    • Disabled

    Automatic Upgrade Scope

    • Latest agent release

    • One release before the latest one

    • Only maintenance releases

    • Only maintenance releases in a specific version

    For One release before the latest one, Cortex XSIAM upgrades the agent to the previous release before the latest, including maintenance releases. Major releases are numbered X.X, such as release 8.0, or 8.2. Maintenance releases are numbered X.X.X, such as release 8.2.2.

    For Only maintenance releases in a specific version, select the required release version.

    Upgrade Rollout

    • Immediate

    • Delayed

    For Delayed, set the delay period (number of days) to wait after the version release before upgrading endpoints. Choose a value between 7 and 45.

    To control the agent auto upgrade scheduler and number of parallel upgrades in your network, configure Global Agent Settings.
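The delay semantics for Content Rollout (a two-day delay means nothing released in the last 48 hours is used) and for Upgrade Rollout (a delay of 7 to 45 days after the version release) can be expressed as one small selection routine. The code below is an added example, not Cortex XSIAM code; the version strings and release times are constructed sample data, and the rule that the newest release older than the delay window is chosen is an assumption consistent with the text.

```python
"""Rollout-delay selection for Content Rollout and Upgrade Rollout.

Added example, not Cortex XSIAM code. With a delay of N days the agent
uses nothing released within the last N*24 hours; for Upgrade Rollout the
documentation limits the delay to 7-45 days. Release lists are constructed.
"""
from datetime import datetime, timedelta, timezone

UPGRADE_DELAY_MIN_DAYS = 7
UPGRADE_DELAY_MAX_DAYS = 45


def valid_upgrade_delay(delay_days: int) -> bool:
    """Upgrade Rollout accepts a delay of 7 to 45 days only."""
    return UPGRADE_DELAY_MIN_DAYS <= delay_days <= UPGRADE_DELAY_MAX_DAYS


def eligible_release(releases, now: datetime, delay_days: int):
    """Return the newest release that is at least delay_days old, else None.

    releases: iterable of (version, release_time) with timezone-aware times.
    A delay of 0 corresponds to the "Immediately" option.
    """
    cutoff = now - timedelta(days=delay_days)
    candidates = [(v, t) for v, t in releases if t <= cutoff]
    if not candidates:
        return None  # everything is still inside the delay window
    return max(candidates, key=lambda vt: vt[1])[0]


def content_to_use(releases, now: datetime, delay_days: int):
    """Content Rollout: Immediately (0 days) or Delayed (configured days)."""
    return eligible_release(releases, now, delay_days)


def upgrade_to_use(releases, now: datetime, delay_days: int):
    """Upgrade Rollout: same rule, but the delay must be 7-45 days."""
    if not valid_upgrade_delay(delay_days):
        raise ValueError(f"upgrade delay must be 7 to 45 days, got {delay_days}")
    return eligible_release(releases, now, delay_days)


# Constructed sample data (hypothetical versions, not real releases)
NOW = datetime(2024, 4, 25, 12, 0, tzinfo=timezone.utc)
CONTENT = [
    ("content-1000", NOW - timedelta(days=10)),
    ("content-1001", NOW - timedelta(days=3)),
    ("content-1002", NOW - timedelta(hours=30)),
]
AGENTS = [
    ("8.2.0", NOW - timedelta(days=60)),
    ("8.2.1", NOW - timedelta(days=20)),
    ("8.2.2", NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    print("content, 2-day delay:", content_to_use(CONTENT, NOW, 2))
    print("agent, 7-day delay:", upgrade_to_use(AGENTS, NOW, 7))
```

With the sample data, a two-day content delay skips content-1002 (released 30 hours ago) and selects content-1001, matching the 48-hour rule in the text; a seven-day upgrade delay skips 8.2.2 and selects 8.2.1.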

  14. Specify a Download Source, or multiple sources, from which Cortex XDR agent retrieves agent and content updates. The options provided help you to reduce external network bandwidth loads during updates. When all sources are selected, the download sources are prioritized in the following order: P2P > Broker VM > Cortex XSIAM Server.

    To ensure your agents remain protected, the Cortex Server download source is always enabled to allow all Cortex XDR agents in your network to retrieve the content directly from the Cortex XSIAM server on their following heartbeat.

    Note

    Limitations in the content download process:

    • When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take five to ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.

    • When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version, if the new agent cannot use the content version running on the endpoint, the new content update will start within one minute in P2P, and within five minutes from Cortex XSIAM.

    Item

    Options

    More details

    Select all

    • Selected

    • Clear

    When selected, all download source options are enabled.

    P2P

    • 33221 (default port)

    • custom port

    Cortex XSIAM deploys serverless peer-to-peer distribution to Cortex XDR agents in your LAN by default. Within the six-hour randomization window during which the Cortex XDR agent attempts to retrieve the new version, it broadcasts to its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent did not retrieve the files from other agents in both queries, it proceeds to the next download source defined in your profile.

    To enable P2P, you must enable UDP and TCP over the port specified for P2P Port. By default, Cortex XSIAM uses port 33221. You can change the port number, if required by your organization.

    Broker VM

    • Select all

    • Brokers

    • Clusters

    (only Broker VMs that are connected and configured for caching can be selected)

    (Requires Broker VM 12.0 and later)

    If you have a Palo Alto Networks Broker VM in your network, you can leverage the Local Agent Settings applet to cache release upgrades and content updates. When the Broker VM is enabled and configured appropriately (refer to Activate the Local Agent Settings), it retrieves the latest installers and content every 15 minutes. The Broker VM stores them for a 30-day retention period from the last time an agent asked for them.

    If the files are not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XSIAM server.

    When you select multiple Broker VMs, the agent chooses a Broker VM randomly for each download request.

  15. Configure Network Location Configuration for your Cortex XDR agents. If you configure host firewall rules in your network, you must:

    • Enable Network Location Configuration Action Mode, so that Cortex XSIAM can test the network location of your device.

    • Configure your network's DNS name and its internal IP address.

    If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and re-calculates the policy according to the new location.

    Item

    Options

    More details

    Action Mode

    • Enabled

    • Disabled

    When Enabled, a domain controller (DC) test checks whether the device is connected to the internal network or not. If the device is connected to the internal network, it is determined to be in the organization. If the DC test fails or returns an external domain, Cortex XSIAM performs a DNS connectivity test.

    DNS Name

    Your network's DNS name

    The Cortex XDR agent tests network location by resolving a Domain Name System (DNS) name that is known only to the internal network. If the DNS returns the pre-configured internal IP address, the device is determined to be within the organization. If the DNS name cannot be resolved, the device is deemed to be located elsewhere.

    IP Address

    Your network's DNS internal IP address

    Enter the internal DNS IP address to be used by the DNS test.
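The decision order described in this table (domain controller test first, DNS connectivity test as the fallback) is shown below as a small function. This is an added example, not Cortex XDR agent code: the two probes are injected as callables so the logic runs offline, the domain names and IP addresses are constructed sample values, and treating a DNS answer that differs from the configured internal IP the same as an unresolvable name (external) is an assumption of this example.

```python
"""Network-location decision for Network Location Configuration.

Added example, not Cortex XDR agent code. dc_probe() stands in for the
domain controller test and returns the domain it found (None on failure);
resolve(name) stands in for the DNS test and returns the IP string the
internal-only name resolved to (None when it cannot be resolved).
"""
from typing import Callable, Dict, Optional, Set

INTERNAL = "internal"
EXTERNAL = "external"


def classify_location(
    internal_domains: Set[str],
    dns_name: str,
    expected_ip: str,
    dc_probe: Callable[[], Optional[str]],
    resolve: Callable[[str], Optional[str]],
) -> str:
    """Documented order: DC test first; DNS test only if it fails or is external."""
    domain = dc_probe()
    if domain is not None and domain.lower() in internal_domains:
        return INTERNAL  # DC test succeeded: device is inside the organization
    # DC test failed or returned an external domain: run the DNS connectivity test
    answer = resolve(dns_name)
    if answer == expected_ip:
        return INTERNAL  # internal-only name resolved to the configured internal IP
    # Unresolvable, or a different answer (assumption: also treated as external)
    return EXTERNAL


def fake_resolver(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Build a resolve() callable backed by a dict, standing in for real DNS."""
    return lambda name: table.get(name)


# Constructed sample configuration (hypothetical names and addresses)
DOMAINS = {"corp.example"}
DNS_NAME = "location-probe.corp.example"
EXPECTED_IP = "10.10.0.53"

if __name__ == "__main__":
    # Laptop off the corporate network: DC unreachable, probe name not resolvable
    print(classify_location(DOMAINS, DNS_NAME, EXPECTED_IP,
                            lambda: None, fake_resolver({})))
```

Because the internal-only name is the signal, the test is only as trustworthy as the resolver the endpoint is using; a public resolver returning a different answer for the probe name is classified as external here.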

  16. Define Agent Proxy Settings.

    Select whether to Enable or Disable Direct Server Access for the agent when connected using a proxy.

  17. Configure Agent Certificates. For improved security, enforce the use of the root CA provided by Palo Alto Networks rather than the root CA in the local machine's certificate store.

    Item

    Options

    More details

    Certificate Enforcement

    • Enabled

    • Disabled

    • Disabled (Notify)

    When enabled, the Cortex XDR agent validates server communication against the root CA provided by Palo Alto Networks instead of the local certificate store.

    Note

    If the Cortex XDR agent is initially unable to communicate without the local store, enforcement is not enabled and the agent will show as partially protected.

    When set to Disabled (Notify), Cortex XDR agents with this policy will trigger a banner in the server to notify customers about potential risk, and will direct them to change the certificate and the setting. The Last Certificate Enforcement Fallback column of the All Endpoints table is updated, and management audit logs related to the local store fallback are received by the server.

    When set to Disabled, Cortex XDR agents with this policy will trigger a banner in the server to notify customers about potential risk, and will direct them to change the certificate and the setting. The Last Certificate Enforcement Fallback column of the All Endpoints table is not updated, and no management audit logs related to the local store fallback are received by the server.

  18. Configure IT Metrics, to define the settings for collecting IT metrics on the endpoint.

    Item

    Options

    More details

    Collect IT Data

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent collects IT data that provides visibility into IT performance on the agent.

  19. To save the profile, click Create.

  1. Add a new profile and define basic settings.

    1. Select Endpoints > Policy Management > Prevention > Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the macOS platform, and Agent Settings as the profile type.

    3. Click Next.

    4. Enter a unique Profile Name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. For Disk Quota, configure the amount of disk space to allot for Cortex XDR agent logs. Specify a value in MB from 100 to 10,000 (default is 5,000).

  3. Configure the User Interface options for Cortex XSIAM.

    By default, Cortex XSIAM uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.

    Item

    Options

    More details

    Tray Icon

    • Visible (default)

    • Hidden

    Choose whether you want the Cortex XDR agent icon to be Visible or Hidden in the notification area (system tray).

    XDR Agent Console Access

    • Enabled

    • Disabled

    When enabled, allows access to the Cortex XDR agent console on the endpoint.

    XDR Agent User Notifications

    • Enabled

    • Disabled

    Enable this option to display notifications in the notification area on the endpoint. When you enable notifications, you can use the default notification messages that are displayed for each option, or provide custom text for each notification type. You can also customize a notification footer. Options include:

    • Live Terminal User Notifications: You can select to Request end-user permission to start the session. If the end user denies the request, you will not be able to initiate a Live Terminal session on the endpoint.


    • Live Terminal Active Session Indication: Enable this option to display a blinking light on the status bar for the duration of the remote session to indicate to the end user that a Live Terminal session is in progress.

    • Persistent Isolation Notification

    • Endpoint Network Isolation Notification

    • Endpoint Network Un-Isolation Notification

    • Blocked Connectivity Notification

    • Exploit/Malware Events Set to Block

    • Restriction Events Set to Block

    • Restriction Events Set to Notify User

    • Notification Footer Text

    • USB Device Was Blocked

    • USB Disk Drive Was Allowed in Read-Only Mode

      Note

      You can enable the option to maintain a persistent notification regarding the disconnection of the endpoint from the network. The settings Persistent Isolation Notification and Blocked Connectivity Notification must be enabled. Until the threat on the endpoint has been removed, the endpoint remains disconnected from the network.

  4. For Agent Security, configure XDR Agent Tampering Protection (default is Enabled). By default, the Cortex XDR agent protects all agent components.

    Note

    If you choose the Enabled option, you must also set Anti Tampering Protection in the malware security profile to Block, and ensure that both profiles are assigned to the same endpoints.

    Note

    In Traps 5.0.6 and later releases, when protection is enabled, access will be read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.

  5. For Uninstall Password, configure an uninstall password.

    Define and confirm an encrypted password that the user must specify to uninstall the Cortex XDR agent. The uninstall password, also known as the supervisor password, is also used to protect against tampering attempts via Cytool commands. The password must contain:

    • 8 to 32 characters

    • At least one of each of the following:

      • Lower-case letter

      • Upper-case letter

      • Number

      • Special character: !@#%

  6. Configure Alerts Data collection options.

    When the Cortex XDR agent raises alerts on process-related activity on the endpoint, the agent collects the contents of memory and other data about the event, in what is known as an alert data dump file. You can configure the Cortex XDR agent to automatically upload alert data dump files to Cortex XSIAM.

    Item

    Options

    More details

    Alert Data Dump File Size

    • Small

    • Medium

    • Full

    The Full option creates the largest and most complete set of information.

    Automatically Upload Alert Data Dump File

    • Enabled

    • Disabled

    During event investigation, if automatic upload was disabled, you can still manually retrieve this data.

  7. Enable XDR Pro Endpoint Capabilities, and then configure the capabilities required by your organization. The Cortex XDR Pro features are hidden until you enable this option.

    Notice

    Requires a Cortex XDR Pro per Endpoint license. When you enable this feature, a Cortex XDR Pro per Endpoint license is consumed.

    Item

    Options

    More details

    Monitor and Collect Enhanced Endpoint Data

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on an endpoint. When you enable the Cortex XDR agent to monitor and collect enhanced endpoint data, Cortex XSIAM shares the detailed endpoint information with other Cortex apps. The information can help to provide the endpoint context when a security event occurs, so that you can gain insight into the overall event scope during an investigation. The event scope includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent will not share endpoint activity logs.

    Enable Host Insights Capabilities

    • Enabled

    • Disabled

    Notice

    Requires Host Insights add-on.

    Note

    This option is not supported in Traps 5.0.x.

    When enabled, the various host insight capabilities can be configured.

    Endpoint Information Collection

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent collects Host Inventory information such as users, groups, services, drivers, hardware, and network shares, as well as information about applications installed on the endpoint, including CVE and installed KBs for Vulnerability Assessment.

    File Search and Destroy Action Mode

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    When enabled, the Cortex XDR agent collects detailed information about files on the endpoint to create a files inventory database. The agent locally monitors any actions performed on these files and updates the local files inventory database in real-time.

    With this option you can also select the File Search and Destroy Monitored File Types where Cortex XSIAM monitors all the files on the endpoint, or only common file types. If you choose Common file types, Cortex XSIAM monitors the following file types:

    acm, apk, ax, bat, bin, bundle, csv, dll, dmg, doc, docm, docx, dylib, efi, hta, jar, js, jse, jsf, lua, mpp, mppx, mui, o, ocx, pdf, pkg, pl, plx, pps, ppsm, ppsx, ppt, pptm, pptx, py, pyc, pyo, rb, rtf, scr, sh, vds, vsd, wsf, xls, xlsm, xlsx, xsdx, and zip.

    Additionally, you can exclude files that exist under a specific local path on the endpoint from inclusion in the files database.

    Monitor and Collect Forensics Data

    • Enabled

    • Disabled

    Notice

    Requires Forensics Add-on.

    Note

    This is not supported in Traps 5.0.x.

    When enabled, the Cortex XDR agent collects detailed information about what happened on your endpoint, to create a forensics database. For each of the following entity types, enable collection and set the collection time interval:

    • Process Execution

    • File Access

    • Persistence

    • Command History

    • Network

    • Search Collections

    Data collected by the agent is displayed on the tenant's Forensics page.

  8. Configure XDR Cloud for hosts running on cloud platforms. By default (auto-detect mode), the agent detects whether an endpoint is a cloud-based (container) installation or a permanent installation, and uses license allocation accordingly.

    Item

    Options

    More details

    XDR Cloud

    • Auto-detect

    • Enabled

    If you set this to Enabled in the profile, any agent using this profile will be treated as if it is a cloud-based agent for licensing purposes.

  9. Configure Response Actions for specific applications or processes, using an Allow list.

    If you need to isolate an endpoint, but want to allow access for a specific application or process, add it to the Network Isolation Allow List. Keep the following considerations in mind:

    When you add a specific application to your allow list from network isolation, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example, ping.exe, can use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.

    1. Click Add to add an entry to the allow list.

    2. Specify the Process Path that you want to allow, and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.

    3. Click the check mark.

  10. Configure the method used to update content on your endpoints.

    (Not supported in Traps 5.0.x)

    Warning

    If you disable or delay automatic-content updates provided by Palo Alto Networks, it may affect the security level in your organization.

    Note

    • If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XSIAM, and then disables content updates on the endpoint.

    • When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrades policy, the policy is applied to the added agent as well.

    Item

    Options

    More details

    Content Auto-update

    • Enabled

    • Disabled

    By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint, to ensure that it is always protected with the latest security measures.

    If you disable content updates, the agent stops retrieving them from the Cortex XSIAM tenant, and keeps working with the current content on the endpoint.

    Content Rollout

    • Immediately

    • Delayed

    The Cortex XDR agent can retrieve content updates immediately as they are available, or after a pre-configured delay period. When you delay content updates, the Cortex XDR agent will retrieve the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.

  11. Enable automatic Cortex XDR agent upgrades, to ensure that your endpoints are always up-to-date with the latest release. You can also configure your system to choose one release before the latest available release.

    Note

    Automatic upgrades are not supported with non-persistent VDI and temporary sessions.

    Item

    Options

    More details

    Agent Auto-Upgrade

    • Enabled

    • Disabled

    Automatic Upgrade Scope

    • Latest agent release

    • One release before the latest one

    • Only maintenance releases

    • Only maintenance releases in a specific version

    For One release before the latest one, Cortex XSIAM upgrades the agent to the previous release before the latest, including maintenance releases. Major releases are numbered X.X, such as release 8.0, or 8.2. Maintenance releases are numbered X.X.X, such as release 8.2.2.

    For Only maintenance releases in a specific version, select the required release version.

    Upgrade Rollout

    • Immediate

    • Delayed

    For Delayed, set the delay period (number of days) to wait after the version release before upgrading endpoints. Choose a value between 7 and 45.

    To control the agent auto upgrade scheduler and number of parallel upgrades in your network, configure Global Agent Settings.

  12. Configure Backup Management.

    Item

    Options

    More details

    Time Machine Activation

    • Enabled

    • Disabled

    When enabled, this option automatically turns on the Time Machine setting of the endpoint. This ensures that the data is backed up and may be recovered in cases of any security breaches or loss of data.

  13. Specify a Download Source, or multiple sources, from which the Cortex XDR agent retrieves agent and content updates. The options provided help you to reduce external network bandwidth loads during updates. When all sources are selected, the download sources are prioritized in the following order: P2P > Broker VM > Cortex XSIAM Server.

    To ensure your agents remain protected, the Cortex Server download source is always enabled, so that all Cortex XDR agents in your network can retrieve the content directly from the Cortex XSIAM server on their next heartbeat.

    Note

    Limitations in the content download process:

    • When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take between five and ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.

    • When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version, if the new agent cannot use the content version running on the endpoint, the new content update will start within one minute in P2P, and within five minutes from Cortex XSIAM.

    Item

    Options

    More details

    Select all

    • Selected

    • Clear

    When selected, all download source options are enabled.

    P2P

    • 33221 (default port)

    • custom port

    Cortex XSIAM deploys serverless peer-to-peer distribution to Cortex XDR agents in your LAN by default. Within the six-hour randomization window during which the Cortex XDR agent attempts to retrieve the new version, it broadcasts to its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent does not retrieve the files from other agents in either query, it proceeds to the next download source defined in your profile.

    To enable P2P, you must enable UDP and TCP over the port specified for P2P Port. By default, Cortex XSIAM uses port 33221. You can change the port number, if required by your organization.

    Broker VM

    • Select all

    • Brokers

    • Clusters

    (only Broker VMs that are connected and configured for caching can be selected)

    (Requires Broker VM 12.0 and later)

    If you have a Palo Alto Networks Broker VM in your network, you can use the Local Agent Settings applet to cache release upgrades and content updates. When the Broker VM is enabled and configured appropriately (refer to Activate the Local Agent Settings), it retrieves the latest installers and content every 15 minutes, and retains them for 30 days after an agent last requested them.

    If the files are not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XSIAM server.

    When you select multiple Broker VMs, the agent chooses a Broker VM randomly for each download request.

  14. Configure Network Location Configuration for your Cortex XDR agents. If you configure host firewall rules in your network, you must:

    • Enable Network Location Configuration Action Mode, so that Cortex XSIAM can test the network location of your device.

    • Configure your network's DNS name and its internal IP address.

    If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and re-calculates the policy according to the new location.

    Item

    Options

    More details

    Action Mode

    • Enabled

    • Disabled

    When Enabled, a domain controller (DC) test checks whether the device is connected to the internal network or not. If the device is connected to the internal network, it is determined to be in the organization. If the DC test fails or returns an external domain, Cortex XSIAM performs a DNS connectivity test.

    DNS Name

    Your network's DNS name

    The Cortex XDR agent tests network location by resolving a Domain Name System (DNS) name that is known only to the internal network. If the DNS returns the pre-configured internal IP address, the device is determined to be within the organization. If the name cannot be resolved to that address, the device is deemed to be located elsewhere.

    IP Address

    Your network's DNS internal IP address

    Enter the internal DNS IP address to be used by the DNS test.
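The two-stage test described in this table, as an added Python illustration that is not Cortex XDR agent code: a domain-controller (DC) test first, then a DNS test that must return the configured internal address. The lookups are injected as callables so constructed answers can be used offline; the set of domains counted as internal, the name `loc-test.corp.example` and the address `10.20.30.40` are my assumptions, not values from the documentation.

```python
"""Network location test: DC test, then DNS test against a pre-configured internal IP.

Added illustration, not agent code.  The agent performs real lookups; here the
lookups are callables so the decision logic can be exercised with constructed
answers.  Which Active Directory domains count as "internal" is not defined on
the page, so it is modelled as a configured set (assumption).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional


class Location(Enum):
    INTERNAL = "inside the organization's network"
    EXTERNAL = "outside the organization's network"


@dataclass(frozen=True)
class NetworkLocationConfig:
    action_mode_enabled: bool
    dns_name: str                     # name that only the internal DNS knows
    internal_ip: str                  # answer the internal DNS is expected to return
    internal_domains: FrozenSet[str]  # assumption: DC domains treated as the organization's own


def determine_location(
    cfg: NetworkLocationConfig,
    dc_domain_lookup: Callable[[], Optional[str]],   # domain of a reachable DC, or None if the test fails
    dns_resolve: Callable[[str], Optional[str]],     # resolved address, or None if resolution fails
) -> Optional[Location]:
    """Return the computed location, or None when Action Mode is disabled (no test runs)."""
    if not cfg.action_mode_enabled:
        return None

    # Stage 1: DC test.  A reachable DC in an internal domain settles the question.
    dc_domain = dc_domain_lookup()
    if dc_domain is not None and dc_domain.lower() in cfg.internal_domains:
        return Location.INTERNAL

    # Stage 2: DC test failed or returned an external domain, so run the DNS test.
    # Only the pre-configured internal address counts; any other answer (including
    # a public resolver's wildcard or captive-portal response) means "elsewhere".
    answer = dns_resolve(cfg.dns_name)
    if answer is not None and answer == cfg.internal_ip:
        return Location.INTERNAL
    return Location.EXTERNAL


def scripted_dns(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Build a constructed resolver from a name -> address table (case-insensitive)."""
    lowered = {k.lower(): v for k, v in table.items()}
    return lambda name: lowered.get(name.lower())


# Constructed configuration for the scenarios below.
EXAMPLE_CONFIG = NetworkLocationConfig(
    action_mode_enabled=True,
    dns_name="loc-test.corp.example",
    internal_ip="10.20.30.40",
    internal_domains=frozenset({"corp.example"}),
)

if __name__ == "__main__":
    scenarios = {
        "office LAN": (lambda: "corp.example", scripted_dns({})),
        "VPN, no DC reachable": (lambda: None, scripted_dns({"loc-test.corp.example": "10.20.30.40"})),
        "home network": (lambda: None, scripted_dns({})),
        "guest network with wildcard DNS": (lambda: "guest.example",
                                            scripted_dns({"loc-test.corp.example": "203.0.113.5"})),
    }
    for name, (dc, dns) in scenarios.items():
        print(f"{name}: {determine_location(EXAMPLE_CONFIG, dc, dns).value}")
```

The strict equality on the resolved address is the important design point: a resolver that answers for every name would otherwise let an endpoint on an untrusted network be classified as internal and receive the looser internal host firewall rules. Because the agent re-runs the test on every network change, the test should be cheap and must never depend on a resource that is only reachable once the internal rules are applied.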

  15. Define Agent Proxy Settings.

    Select whether to Enable or Disable Direct Server Access for the agent when connected using a proxy.

  16. Configure Agent Certificates. For improved security, enforce the use of the root CA provided by Palo Alto Networks rather than the certificate store on the local machine.

    Item

    Options

    More details

    Certificate Enforcement

    • Enabled

    • Disabled

    • Disabled (Notify)

    When Enabled, the agent trusts only the root CA provided by Palo Alto Networks, rather than the local certificate store.

    Note

    If the Cortex XDR agent is initially unable to communicate without the local store, enforcement is not enabled and the agent will show as partially protected.

    When set to Disabled (Notify), Cortex XDR agents with this policy will trigger a banner in the server to notify customers about potential risk, and will direct them to change the certificate and the setting. The Last Certificate Enforcement Fallback column of the All Endpoints table is updated, and management audit logs related to the local store fallback are received by the server.

    When set to Disabled, Cortex XDR agents with this policy will trigger a banner in the server to notify customers about potential risk, and will direct them to change the certificate and the setting. The Last Certificate Enforcement Fallback column of the All Endpoints table is not updated, and no management audit logs related to the local store fallback are received by the server.

  17. To save the profile, click Create.

  1. Add a new profile and define basic settings.

    1. Select EndpointsPolicy ManagementPreventionProfiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Linux platform, and Agent Settings as the profile type.

    3. Click Next.

    4. Enter a unique Profile Name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. For Disk Quota, configure the amount of disk space to allot for Cortex XDR agent logs. Specify a value in MB from 100 to 10,000 (default is 5,000).

  3. Configure Alerts Data collection options.

    When the Cortex XDR agent raises alerts on process-related activity on the endpoint, the agent collects the contents of memory and other data about the event, in what is known as an alert data dump file. You can configure the Cortex XDR agent to automatically upload alert data dump files to Cortex XSIAM.

    Item

    Options

    More details

    Alert Data Dump File Size

    • Small

    • Medium

    • Full

    The Full option creates the largest and most complete set of information.

    Automatically Upload Alert Data Dump File

    • Enabled

    • Disabled

    During event investigation, if automatic upload was disabled, you can still manually retrieve this data.

  4. Enable XDR Pro Endpoint Capabilities, and then configure the capabilities required by your organization. The Cortex XDR Pro features are hidden until you enable this option.

    Notice

    Requires a Cortex XDR Pro per Endpoint license. When you enable this feature, a Cortex XDR Pro per Endpoint license is consumed.

    Item

    Options

    More details

    Monitor and Collect Enhanced Endpoint Data

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on an endpoint. When you enable the Cortex XDR agent to monitor and collect enhanced endpoint data, Cortex XSIAM shares the detailed endpoint information with other Cortex apps. The information can help to provide the endpoint context when a security event occurs, so that you can gain insight into the overall event scope during an investigation. The event scope includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent will not share endpoint activity logs.

    Enable Host Insights Capabilities

    • Enabled

    • Disabled

    Notice

    Requires Host Insights add-on; not supported in Traps 5.0.x

    When enabled, the various host insight capabilities can be configured.

    Endpoint Information Collection

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent collects Host Inventory information such as users, groups, services, drivers, hardware, and network shares, as well as information about applications installed on the endpoint, including CVE and installed KBs for Vulnerability Assessment.

    Enable Compliance Collection

    • Enabled

    • Disabled

  5. Configure XDR Cloud for hosts running on cloud platforms. By default (auto-detect mode), the agent detects whether an endpoint is a cloud-based (container) installation or a permanent installation, and uses license allocation accordingly.

    Item

    Options

    More details

    XDR Cloud

    • Auto-detect

    • Enabled

    If you set this to Enabled in the profile, any agent using this profile will be treated as if it is a cloud-based agent for licensing purposes.

  6. Configure Response Actions for specific applications or processes, using an Allow list.

    If you need to isolate an endpoint, but want to allow access for a specific application or process, add it to the Network Isolation Allow List. Keep the following considerations in mind:

    • When you add a specific application to your allow list from network isolation, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example, ping.exe, can use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.

    1. Click Add to add an entry to the allow list.

    2. Specify the Process Path that you want to allow, and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.

    3. Click the check mark.

  7. Configure settings to automatically Revert Endpoint Isolation of an agent. When this feature is enabled, agent isolation will be cancelled when a connection with the managing server is lost for the defined continuous period of time.

    1. Either keep the recommended default setting (Enabled), or change it by selecting Disabled in the Revert Isolation field.

    2. Set a time unit and enter the number of hours or days. We recommend 24 hours (default).
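The following Python, an added example that is not Cortex XDR agent code, models the two isolation behaviours described in steps 6 and 7 here (and in the corresponding Response Actions step of the Windows profile): allow-list matching with the * wildcard on either the process path or the endpoint address, and the automatic revert of isolation after a continuous loss of contact with the managing server. The allow-list entries and the timeline are constructed; the assumptions that process paths compare case-insensitively and that IPv6 addresses compare in canonical form are mine.

```python
"""Network Isolation Allow List matching and automatic Revert Endpoint Isolation.

Added example, not product code.  Semantics taken from the documentation: an
entry pairs a process path with an IPv4/IPv6 address, "*" on either side
matches anything, and isolation is reverted once the server has been
unreachable for the configured continuous period (24 hours by default).
Case-insensitive path comparison and canonical IP comparison are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Sequence


@dataclass(frozen=True)
class AllowEntry:
    process_path: str   # full process path, or "*" for any process
    ip: str             # endpoint IPv4/IPv6 address, or "*" for any isolated endpoint


def same_ip(a: str, b: str) -> bool:
    """Compare addresses in canonical form so "2001:0db8::1" equals "2001:db8::1" (assumption)."""
    return ip_address(a) == ip_address(b)


def entry_matches(entry: AllowEntry, process_path: str, endpoint_ip: str) -> bool:
    path_ok = entry.process_path == "*" or entry.process_path.lower() == process_path.lower()
    ip_ok = entry.ip == "*" or same_ip(entry.ip, endpoint_ip)
    return path_ok and ip_ok


def is_allowed_while_isolated(allow_list: Sequence[AllowEntry], process_path: str, endpoint_ip: str) -> bool:
    """True when at least one entry covers this exact process on this endpoint.
    Note the documented caveat: a helper process the allowed program uses for
    network I/O is NOT covered unless it has its own entry."""
    return any(entry_matches(e, process_path, endpoint_ip) for e in allow_list)


class IsolationState:
    """Isolation that reverts automatically after a continuous loss of server contact.
    Time is tracked in hours since isolation began, so no clock is needed."""

    def __init__(self, revert_enabled: bool = True, revert_after_hours: float = 24.0):
        self.isolated = True
        self.revert_enabled = revert_enabled
        self.revert_after_hours = revert_after_hours
        self._last_contact_hour = 0.0   # the server was reachable when isolation was applied

    def server_contact(self, at_hour: float) -> None:
        """A successful heartbeat restarts the continuous disconnection period."""
        self._last_contact_hour = at_hour

    def evaluate(self, now_hour: float) -> bool:
        """Return True if the endpoint is still isolated at `now_hour`."""
        if (self.isolated and self.revert_enabled
                and now_hour - self._last_contact_hour >= self.revert_after_hours):
            self.isolated = False   # managing server unreachable for the full period: revert
        return self.isolated


# Constructed allow list: any process on one endpoint, one tool on any endpoint, one exact pair.
EXAMPLE_ALLOW_LIST: List[AllowEntry] = [
    AllowEntry("*", "10.0.0.5"),
    AllowEntry(r"C:\Windows\System32\ping.exe", "*"),
    AllowEntry("/usr/bin/curl", "2001:db8::1"),
]

if __name__ == "__main__":
    print(is_allowed_while_isolated(EXAMPLE_ALLOW_LIST, "/usr/bin/wget", "192.168.1.2"))
    state = IsolationState(True, 24)
    state.server_contact(23)
    print(state.evaluate(30), state.evaluate(47))
```

The `*` on the address side is the entry that deserves review before saving the profile: it applies to every isolated endpoint that receives the profile, so an overly broad process path there effectively weakens isolation fleet-wide. The revert timer exists so that an endpoint which loses the server for good (decommissioned, offline site) does not stay unreachable forever; it also means an isolated host that is cut off from the tenant for the full period becomes un-isolated, which is worth remembering when you choose the period.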

  8. Configure the method used to update content on your endpoints.

    (Not supported in Traps 5.0.x)

    Warning

    If you disable or delay automatic-content updates provided by Palo Alto Networks, it may affect the security level in your organization.

    Note

    • If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XSIAM, and then disables content updates on the endpoint.

    • When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrades policy, the policy is applied to the added agent as well.

    Item

    Options

    More details

    Content Auto-update

    • Enabled

    • Disabled

    By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint, to ensure that it is always protected with the latest security measures.

    If you disable content updates, the agent stops retrieving them from the Cortex XSIAM tenant, and keeps working with the current content on the endpoint.

    Content Rollout

    • Immediately

    • Delayed

    The Cortex XDR agent can retrieve content updates immediately as they are available, or after a pre-configured delay period. When you delay content updates, the Cortex XDR agent will retrieve the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.

  9. Enable automatic Cortex XDR agent upgrades, to ensure that your endpoints are always up-to-date with the latest release. You can also configure your system to choose one release before the latest available release.

    Note

    Automatic upgrades are not supported with non-persistent VDI and temporary sessions.

    Item

    Options

    More details

    Agent Auto-Upgrade

    • Enabled

    • Disabled

    Automatic Upgrade Scope

    • Latest agent release

    • One release before the latest one

    • Only maintenance releases

    • Only maintenance releases in a specific version

    For One release before the latest one, Cortex XSIAM upgrades the agent to the previous release before the latest, including maintenance releases. Major releases are numbered X.X, such as release 8.0, or 8.2. Maintenance releases are numbered X.X.X, such as release 8.2.2.

    For Only maintenance releases in a specific version, select the required release version.

    Upgrade Rollout

    • Immediate

    • Delayed

    For Delayed, set the delay period (number of days) to wait after the version release before upgrading endpoints. Choose a value between 7 and 45.

    To control the agent auto upgrade scheduler and number of parallel upgrades in your network, configure Global Agent Settings.
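To make the scope and rollout options concrete, here is an added Python model (not Cortex XSIAM code) of how a target release is chosen under each Automatic Upgrade Scope option, with the Upgrade Rollout delay applied first and the same delay rule reused for the Content Rollout setting in the previous step; it applies equally to the identical steps in the Windows and Android profiles. The release catalogue and content versions are constructed, and the exact tie-breaking the product uses is my assumption.

```python
"""Release selection for Automatic Upgrade Scope, Upgrade Rollout and Content Rollout.

Added illustration, not product code.  Numbering follows the documentation:
major releases are X.X (8.0, 8.2), maintenance releases X.X.X (8.2.2).
The catalogue below is constructed; how the product breaks ties is assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Release:
    version: str   # "8.2" (major) or "8.2.2" (maintenance); content uses a plain number
    released: date

    @property
    def parts(self) -> Tuple[int, ...]:
        return parse_version(self.version)

    @property
    def line(self) -> Tuple[int, ...]:
        return self.parts[:2]             # the X.X major line this release belongs to

    @property
    def is_maintenance(self) -> bool:
        return len(self.parts) == 3


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def rolled_out(releases: Sequence[Release], today: date, delay_days: int) -> List[Release]:
    """Releases old enough to be used: Immediate is delay 0; Delayed hides anything
    released in the last `delay_days` days (the page's "two days -> last 48 hours" rule)."""
    cutoff = today - timedelta(days=delay_days)
    return sorted((r for r in releases if r.released <= cutoff), key=lambda r: r.parts)


def newest_content(releases: Sequence[Release], today: date, delay_days: int) -> Optional[str]:
    """Content Rollout: newest content version that has cleared the delay."""
    usable = rolled_out(releases, today, delay_days)
    return max(usable, key=lambda r: r.released).version if usable else None


def choose_upgrade_target(
    releases: Sequence[Release],
    scope: str,                 # "latest" | "one-before-latest" | "maintenance-only" | "maintenance-in-version"
    today: date,
    delay_days: int = 0,        # Upgrade Rollout: 0 = Immediate, otherwise 7..45 (documented range)
    current: str = "0.0",       # version installed on the endpoint
    pinned_line: Optional[str] = None,   # for "maintenance-in-version", e.g. "8.0"
) -> Optional[str]:
    """Return the version to upgrade to, or None if nothing newer qualifies."""
    if delay_days != 0 and not 7 <= delay_days <= 45:
        raise ValueError("Delayed rollout accepts 7 to 45 days")
    candidates = rolled_out(releases, today, delay_days)
    if not candidates:
        return None
    lines = sorted({r.line for r in candidates})

    if scope == "latest":
        pool = candidates
    elif scope == "one-before-latest":
        # Previous major line, including its maintenance releases.
        if len(lines) < 2:
            return None
        pool = [r for r in candidates if r.line == lines[-2]]
    elif scope == "maintenance-only":
        # Stay on the endpoint's current major line; take only X.X.X releases on it.
        pool = [r for r in candidates if r.line == parse_version(current)[:2] and r.is_maintenance]
    elif scope == "maintenance-in-version":
        if pinned_line is None:
            raise ValueError("maintenance-in-version needs a pinned release line")
        pool = [r for r in candidates if r.line == parse_version(pinned_line)[:2] and r.is_maintenance]
    else:
        raise ValueError(f"unknown scope {scope!r}")

    if not pool:
        return None
    pick = max(pool, key=lambda r: r.parts)
    return pick.version if pick.parts > parse_version(current) else None


# Constructed catalogue of agent releases and content versions.
CATALOGUE = [
    Release("8.0", date(2024, 1, 10)), Release("8.0.1", date(2024, 2, 1)),
    Release("8.2", date(2024, 3, 5)), Release("8.2.1", date(2024, 3, 20)),
    Release("8.2.2", date(2024, 4, 10)), Release("8.3", date(2024, 4, 20)),
]
CONTENT = [Release("1280", date(2024, 4, 1)), Release("1290", date(2024, 4, 15)),
           Release("1300", date(2024, 4, 24))]
TODAY = date(2024, 4, 25)

if __name__ == "__main__":
    for scope in ("latest", "one-before-latest", "maintenance-only"):
        print(scope, choose_upgrade_target(CATALOGUE, scope, TODAY, delay_days=7, current="8.2"))
    print("content (2-day delay):", newest_content(CONTENT, TODAY, 2))
```

Two things the model makes visible that the option names alone do not: the rollout delay is applied before the scope is evaluated, so a 7-day delay can change which line counts as "latest"; and "Only maintenance releases" never crosses a major line, which is the setting to use when a change window is required for major upgrades but fixes should still flow automatically.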

  10. Specify a Download Source, or multiple sources, from which the Cortex XDR agent retrieves agent and content updates. The options provided help you to reduce external network bandwidth loads during updates. When all sources are selected, the download sources are prioritized in the following order: P2P > Broker VM > Cortex XSIAM Server.

    To ensure your agents remain protected, the Cortex Server download source is always enabled, so that all Cortex XDR agents in your network can retrieve the content directly from the Cortex XSIAM server on their next heartbeat.

    Note

    Limitations in the content download process:

    • When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take between five and ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.

    • When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version, if the new agent cannot use the content version running on the endpoint, the new content update will start within one minute in P2P, and within five minutes from Cortex XSIAM.

    Item

    Options

    More details

    Select all

    • Selected

    • Clear

    When selected, all download source options are enabled.

    P2P

    • 33221 (default port)

    • custom port

    Cortex XSIAM deploys serverless peer-to-peer distribution to Cortex XDR agents in your LAN by default. Within the six-hour randomization window during which the Cortex XDR agent attempts to retrieve the new version, it broadcasts to its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent does not retrieve the files from other agents in either query, it proceeds to the next download source defined in your profile.

    To enable P2P, you must enable UDP and TCP over the port specified for P2P Port. By default, Cortex XSIAM uses port 33221. You can change the port number, if required by your organization.

    Broker VM

    • Select all

    • Brokers

    • Clusters

    (only Broker VMs that are connected and configured for caching can be selected)

    (Requires Broker VM 12.0 and later)

    If you have a Palo Alto Networks Broker VM in your network, you can use the Local Agent Settings applet to cache release upgrades and content updates. When the Broker VM is enabled and configured appropriately (refer to Activate the Local Agent Settings), it retrieves the latest installers and content every 15 minutes, and retains them for 30 days after an agent last requested them.

    If the files are not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XSIAM server.

    When you select multiple Broker VMs, the agent chooses a Broker VM randomly for each download request.
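An added simulation (not the agent's code) of the download-source order described in this step for both the Windows and Linux profiles: two P2P queries inside the six-hour window, then a randomly chosen Broker VM, then the always-enabled Cortex XSIAM server. Peers and brokers are modelled as callables so the fallback path can be checked offline; the uniform placement of the two query times within their sub-windows, and the broker names, are my assumptions.

```python
"""Download-source fallback: P2P > Broker VM > Cortex XSIAM server.

Added simulation, not product code.  It records each attempt in order so the
documented behaviour can be checked: two P2P broadcasts (one in the first hour
of the six-hour window, one in the remaining five), one randomly chosen Broker
VM per request, and finally the server, which is always enabled.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DownloadSources:
    p2p_enabled: bool
    p2p_port: int = 33221          # default P2P port; UDP and TCP must be open on it
    brokers: Sequence[str] = ()    # caching Broker VMs selected in the profile
    # The Cortex XSIAM server source is always enabled, so there is no flag for it.


@dataclass(frozen=True)
class Attempt:
    source: str      # "p2p", "broker_vm" or "server"
    detail: str
    succeeded: bool


def p2p_query_times(rng: random.Random) -> Tuple[float, float]:
    """Minutes into the six-hour window at which the two peer broadcasts happen.
    Uniform placement inside each sub-window is an assumption."""
    return rng.uniform(0, 60), rng.uniform(60, 360)


def fetch_update(
    sources: DownloadSources,
    peers_have_file: Callable[[int], bool],     # query number (1 or 2) -> did any peer answer?
    broker_has_file: Callable[[str], bool],     # broker name -> is the file cached there?
    seed: Optional[int] = None,                 # fixed seed makes the simulation repeatable
) -> List[Attempt]:
    """Try the sources in priority order and return the full attempt log."""
    rng = random.Random(seed)
    log: List[Attempt] = []

    if sources.p2p_enabled:
        for query_no, minute in enumerate(p2p_query_times(rng), start=1):
            ok = peers_have_file(query_no)
            log.append(Attempt("p2p", f"query {query_no} on UDP/TCP {sources.p2p_port} at +{minute:.0f} min", ok))
            if ok:
                return log

    if sources.brokers:
        broker = rng.choice(list(sources.brokers))   # random broker per download request
        ok = broker_has_file(broker)
        log.append(Attempt("broker_vm", broker, ok))
        if ok:
            return log

    # Last resort, and always available: the tenant itself on the next heartbeat.
    log.append(Attempt("server", "Cortex XSIAM server on the next heartbeat", True))
    return log


def final_source(log: Sequence[Attempt]) -> str:
    return log[-1].source


if __name__ == "__main__":
    log = fetch_update(DownloadSources(True, brokers=["broker-a", "broker-b"]),
                       peers_have_file=lambda q: q == 2, broker_has_file=lambda b: False, seed=1)
    for a in log:
        print(a.source, a.detail, "ok" if a.succeeded else "miss")
```

For monitoring, the attempt log is the interesting artefact: a site whose agents always end at `server` although P2P and a Broker VM are configured usually means the P2P port is blocked by a host or network firewall, or the broker's caching applet is not active, and that is worth checking before concluding the bandwidth savings are in place.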

  11. Define Agent Proxy Settings.

    Select whether to Enable or Disable Direct Server Access for the agent when connected using a proxy.

  12. Configure Advanced Vulnerability Scanning for periodic Active Vulnerability Analysis (AVA) scans. This option is only available for tenants that are paired with Prisma Cloud.

    Item

    Options

    More details

    Advanced Vulnerability Scanning

    • Enabled

    • Disabled

    Periodic Scan

    • 24 Hours

    • Custom

    For the default setting, select 24 Hours.

    For other time frames, select Custom, and then configure the desired time frame. Where relevant, select the start day and time for the periodic scans. If you select monthly scans, you can also configure a timeout period, in hours.

  13. Configure Agent Operation Mode (BETA).

    Item

    Options

    More details

    Mode

    • Kernel

    • User Space

  14. To save the profile, click Create.

  1. Add a new profile and define basic settings.

    1. Select EndpointsPolicy ManagementPreventionProfiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

    2. Select the Android platform, and Agent Settings as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure the method used to update content on your endpoints.

    (Not supported in Traps 5.0.x)

    Warning

    If you disable or delay automatic-content updates provided by Palo Alto Networks, it may affect the security level in your organization.

    Note

    • If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XSIAM, and then disables content updates on the endpoint.

    • When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrades policy, the policy is applied to the added agent as well.

    Item

    Options

    More details

    Content Auto-update

    • Enabled

    • Disabled

    By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint, to ensure that it is always protected with the latest security measures.

    If you disable content updates, the agent stops retrieving them from the Cortex XSIAM tenant, and keeps working with the current content on the endpoint.

    Content Rollout

    • Immediately

    • Delayed

    The Cortex XDR agent can retrieve content updates immediately as they are available, or after a pre-configured delay period. When you delay content updates, the Cortex XDR agent will retrieve the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.

  3. Configure network usage preferences.

    When the option Upload Using Cellular Data is enabled, the Cortex XDR agent uses cellular data to send unknown apps to Cortex XSIAM for inspection. Standard data charges may apply. When this option is disabled, the Cortex XDR agent queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.

  4. To save the profile, click Create.