Set up agent settings profiles - Administrator Guide - Cortex XSIAM - Advanced Endpoint Protection - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-22
Category
Administrator Guide
Abstract

Use agent settings profiles to customize Cortex XDR agent settings for different platforms and groups of users.

Use agent settings profiles to customize Cortex XDR agent settings for different platforms and groups of users.

The tasks below are organized according to the operating systems used by your organization's endpoints.

  1. Add a new profile and define basic settings.

    1. Select EndpointsPolicy ManagementPreventionProfiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Windows platform, and Agent Settings as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. For Disk Quota, configure the amount of disk space to allot for Cortex XDR agent logs. Specify a value in MB from 100 to 10,000 (default is 5,000).

  3. Configure the User Interface options for Cortex XSIAM.

    By default, Cortex XSIAM uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.

    Item

    Options

    More details

    Tray Icon

    • Visible (default)

    • Hidden

    Choose whether you want the Cortex XDR agent icon to be Visible or Hidden in the notification area (system tray).

    XDR Agent Console Access

    • Enabled

    • Disabled

    When enabled, allows access to Cortex XSIAM.

    XDR Agent User Notifications

    • Enabled

    • Disabled

    Enable this option to operate display notifications in the notifications area on the endpoint. When you enable notifications, you can use the default notification messages that are displayed for each option, or provide custom text for each notification type. You can also customize a notification footer. Options include:

    • Live Terminal User Notifications: You can select to Request end-user permission to start the session. If the end user denies the request, you will not be able to initiate a Live Terminal session on the endpoint.

    • Live Terminal Active Session Indication: Enable this option to display a blinking light (live-terminal-indication.png) on the tray icon for the duration of the remote session to indicate to the end user that a Live Terminal session is in progress.

    • Persistent Isolation Notification

    • Endpoint Network Isolation Notification

    • Endpoint Network Un-Isolation Notification

    • Blocked Connectivity Notification

    • Exploit/Malware Events Set to Block

    • Restriction Events Set to Block

    • Restriction Events Set to Notify User

    • Notification Footer Text

    • USB Device Was Blocked

    • USB Disk Drive Was Allowed in Read-Only Mode

    Note

    You can enable the option to maintain a persistent notification regarding the disconnection of the endpoint from the network. The settings Persistent Isolation Notification and Blocked Connectivity Notification must be enabled. Until the threat on the endpoint has been removed, the endpoint remains disconnected from the network.

  4. Customize Agent Security settings. By default, the Cortex XDR agent protects all agent components. However, you can configure protection with more granularity for Cortex XDR agent services, processes, files, registry values and tampering protection.

    Note

    In Traps 5.0.6 and later releases, when protection is enabled, access will be read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.

    1. Enable XDR Agent Tampering Protection.

      Note

      If you choose the Enable option, you must also enable XDR Agent Tampering Protection in the malware profile and set it to Block. Ensure that both profiles are assigned to the same endpoints.

    2. You can customize the following options:

    Item

    Options

    More details

    Service Protection

    • Enabled

    • Disabled

    Protects against stopping agent services. When this protection is enabled, agent services won't accept operating system stop requests.

    Process Protection

    • Enabled

    • Disabled

    Protects against attempts to tamper with agent processes; injecting into them, terminating them, reading, or writing into their virtual memory.

    File Protection

    • Enabled

    • Disabled

    Protects against attempts to tamper with agent files; deleting, replacing, renaming, moving, or writing files/directories.

    Registry Protection

    • Enabled

    • Disabled

    Protects against attempts to tamper with agent registry settings and agent policies, such as deleting, adding, and renaming registry keys or values which belong to the agent.

    Pipe Protection

    • Enabled

    • Disabled

    Protects against attempts to tamper with the agent's pipe-based inter-process communication (IPC) mechanism.

  5. For Uninstall Password, configure an uninstall password.

    Define and confirm an encrypted password that the user must specify to uninstall the Cortex XDR agent. The uninstall password, also known as the supervisor password, is also used to protect against tampering attempts using Cytool commands. The password must contain:

    • 8 to 32 characters

    • At least one of each of the following:

      • Lower-case letter

      • Upper-case letter

      • Number

      • Special character: !@#%

  6. Configure Windows Security Center Integration.

    The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases.

    Note

    When you enable Cortex XDR agent registration with the Windows Security Center, Windows automatically shuts down Microsoft Defender on Windows-based workstation endpoints. If you still want to allow Microsoft Defender to run on a workstation endpoint where Cortex XSIAM is installed, you must use the Disable option. However, Palo Alto Networks does not recommend running Windows Defender and the Cortex XDR agent on the same endpoint, because this might cause performance and incompatibility issues with Global Protect and other applications.

    On Windows-based servers, ensure that Windows Defender is disabled. This can be done using a Group Policy Object (GPO) or another group management tool of your choice.

    Item

    Options

    More details

    Windows Security Integration

    Enabled

    The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows automatically shuts down Microsoft Defender on the endpoint, except for endpoints that are running Windows Server versions.

    To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from Windows Server-based endpoints where the Cortex XDR agent is installed.

    Enabled No Patches

    (Traps 5.0 release only) Select this option if you want to register the agent with the Windows Security Center, but prevent Windows from automatically installing Meltdown/Spectra vulnerability patches on the endpoint.

    Disabled

    The Cortex XDR agent does not register with the Windows Action Center. As a result, Windows Action Center might indicate that virus protection is off, depending on other security products that are installed on the endpoint.

  7. Configure Alerts Data collection options.

    When the Cortex XDR agent raises alerts on process-related activity on the endpoint, the agent collects the contents of memory and other data about the event, in what is known as an alert data dump file. You can configure the Cortex XDR agent to automatically upload alert data dump files to Cortex XSIAM.

    Item

    Options

    More details

    Alert Data Dump File Size

    • Small

    • Medium

    • Full

    The Full option creates the largest and most complete set of information.

    Automatically Upload Alert Data Dump File

    • Enabled

    • Disabled

    During event investigation, if automatic upload was disabled, you can still manually retrieve this data.

  8. Enable XDR Pro Endpoint Capabilities, and then configure the capabilities required by your organization. The Cortex XDR Pro features are hidden until you enable this option.

    Notice

    Requires a Cortex XDR Pro per Endpoint license. When you enable this feature, a Cortex XDR Pro per Endpoint license is consumed.

    Item

    Options

    More details

    Monitor and Collect Enhanced Endpoint Data

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on an endpoint. When you enable the Cortex XDR agent to monitor and collect enhanced endpoint data, Cortex XSIAM shares the detailed endpoint information with other Cortex apps. The information can help to provide the endpoint context when a security event occurs, so that you can gain insight into the overall event scope during an investigation. The event scope includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent will not share endpoint activity logs.

    Enable Host Insights Capabilities

    • Enabled

    • Disabled

    Notice

    Requires Host Insights add-on.

    Note

    This is not supported in Traps 5.0.x.

    When enabled, the various host insight capabilities can be configured.

    Endpoint Information Collection

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent collects host inventory information such as users, groups, services, drivers, hardware, and network shares, as well as information about applications installed on the endpoint, including CVE and installed KBs for Vulnerability Assessment.

    File Search and Destroy Action Mode

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    When enabled, the Cortex XDR agent collects detailed information about files on the endpoint to create a files inventory database. The agent locally monitors any actions performed on these files and updates the local files inventory database in real-time.

    With this option you can also select the File Search and Destroy Monitored File Types where Cortex XSIAM monitors all the files on the endpoint, or only common file types. If you choose Common file types, Cortex XSIAM monitors the following file types:

    bin, msi, doc, docx, docm, rtf, xls, xlsx, xlsm, pdf, ppt, pptx, pptm, ppsm, pps, ppsx, mpp, mppx, vsd, xsdx and wsf.

    A hash will also be computed for these file types: zip, pe, and ole.

    File size is limited to 30 MB by default. Searches of files larger than 30 MB by hash are not supported.

    Additionally, you can exclude files that exist under a specific local path on the endpoint from inclusion in the files database.

    Monitor and Collect Forensics Data

    • Enabled

    • Disabled

    Notice

    Requires Forensics Add-on.

    Note

    This is not supported in Traps 5.0.x.

    When enabled, the Cortex XDR agent collects detailed information about what happened on your endpoint, to create a forensics database. Define the following to enable collection and collection time intervals for the following entity types:

    • Process Execution

    • File Access

    • Persistence

    • Command History

    • Network

    • Remote Access

    • Search Collections

    Data collected by the agent is displayed on the tenant's Forensics page.

    Distributed Network Scan

    • Enabled

    • Disabled

    Note

    To enable access to these options, scroll down to Network Location Configuration, and set Action Mode to Enabled.

    (Not supported in Traps 5.0.x)

    When enabled, the Cortex XDR agent scans your network using Ping or Nmap to provide updated identifiers of your unmanaged network assets. Ping scans return the IP address, MAC address, Hostname, and Platform, whereas Nmap will scan the most common ports for the IP address, Hostname, Platform, and OS version.

    Ping is a lighter scan, that generates icmp requests to peers and does not use external tools. Nmap will make more noise on the network, but the resulting can be better, and also supports operating system detection.

    Ping scans are performed in 30 minute intervals. Nmap scans are performed in 60 minute intervals.

    The scan is performed according to the subnets detected in each network interface found on the endpoint, and up to a maximum of ~1K IP addresses calculated according to agent_ip/22. For example, an agent with the IP address 121.121.121.121 will be assigned the scan range: 121.121.120.1 - 121.121.123.254 (1024 addresses). Each agent is assigned scan ranges randomly from all the scannable subnets, so the same agent can scan multiple subnets.

    The following criteria affect the scan:

    • There must be at least two endpoints detected in order to assign a scan.

    • Network Location Configuration must be enabled.

    • Subnet masking settings and service name configurations influence the scan.

    • Excluded IP address ranges are not scanned.

    1. In the Network Location Configuration section, set the Action Mode to Enabled.

    2. In the Distributed Network Scan section, set the Action Mode to Enabled.

    3. In Scan Mode, select Nmap or Ping.

      Note

      When using Nmap, the Cortex XDR agent downloads an Nmap driver for the duration of the scan and removes the driver upon completion. If an Nmap scan is in process, Cortex XSIAM identifies the Nmap driver and places any additional scans in a queue.

      The scan is performed according to the subnets detected in each network interface found on the endpoint.

    4. If you want to exclude IP address ranges, select Excluded IP Address Ranges. The IP address ranges are populated from your network configurations.

    5. If you selected Nmap, enable or disable OS Fingerprinting of the IP address.

    Depending on the type of scan you defined, the agent Ping scan takes 30 minutes, and Nmap takes 60 minutes. Following each scan, Cortex XDR aggregates the IP addresses that were collected, and displays the results in the Asset Management table.

  9. Configure XDR Cloud for hosts running on cloud platforms. By default (auto-detect mode), the agent detects whether an endpoint is a cloud-based (container) installation or a permanent installation, and uses license allocation accordingly.

    Item

    Options

    More details

    XDR Cloud

    • Auto-detect

    • Enabled

    If you set this to Enabled in the profile, any agent using this profile will be treated as if it is a cloud-based agent for licensing purposes.

  10. Configure Response Actions for specific applications or processes, using an Allow list.

    If you need to isolate an endpoint, but want to allow access for a specific application or process, add it to the Network Isolation Allow List. Keep the following considerations in mind:

    • When you add a specific application to your allow list from network isolation, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example, ping.exe, can use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.

    • For VDI sessions, use of the network isolation response action can disrupt communication with the VDI host management system, thereby stopping access to the VDI session. Therefore, before using the response action, you must add the VDI processes and corresponding IP addresses to your allow list.

    1. Click Add to add an entry to the allow list.

    2. Specify the Process Path that you want to allow, and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.

    3. Click the check mark.

  11. Configure Backup Management to backup endpoint data.

    Item

    Options

    More details

    Shadowcopy Activation

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent automatically turns on the system protection of the endpoint. This ensures that the data is backed up and may be recovered in cases of any security breaches or loss of data.

    Disk Space Limitation

    Disk space in MB

    Limits the amount of disk space in MB that can be used for endpoint data backup.

  12. Configure the method used to update content on your endpoints.

    (Not supported in Traps 5.0.x)

    Warning

    If you disable or delay automatic-content updates provided by Palo Alto Networks, it may affect the security level in your organization.

    Note

    • If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XSIAM, and then disables content updates on the endpoint.

    • When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrades policy, the policy is applied to the added agent as well.

    Item

    Options

    More details

    Content Auto-update

    • Enabled

    • Disabled

    By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint, to ensure that it is always protected with the latest security measures.

    If you disable content updates, the agent stops retrieving them from the Cortex XSIAM tenant, and keeps working with the current content on the endpoint.

    Content Rollout

    • Immediately

    • Delayed

    The Cortex XDR agent can retrieve content updates immediately as they are available, or after a pre-configured delay period. When you delay content updates, the Cortex XDR agent will retrieve the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.

  13. Enable automatic Cortex XDR agent upgrades, to ensure that your endpoints are always up-to-date with the latest release. You can also configure your system to choose one release before the latest available release.

    Note

    Automatic upgrades are not supported with non-persistent VDI and temporary sessions.

    Item

    Options

    More details

    Agent Auto-Upgrade

    • Enabled

    • Disabled

    Automatic Upgrade Scope

    • Latest agent release

    • One release before the latest one

    • Only maintenance releases

    • Only maintenance releases in a specific version

    For One release before the latest one, Cortex XSIAM upgrades the agent to the previous release before the latest, including maintenance releases. Major releases are numbered X.X, such as release 8.0, or 8.2. Maintenance releases are numbered X.X.X, such as release 8.2.2.

    For Only maintenance releases in a specific version, select the required release version.

    Upgrade Rollout

    • Immediate

    • Delayed

    For Delayed, set the delay period (number of days) to wait after the version release before upgrading endpoints. Choose a value between 7 and 45.

    To control the agent auto upgrade scheduler and number of parallel upgrades in your network, configure Global Agent Settings.

  14. Specify a Download Source, or multiple sources, from which Cortex XDR agent retrieves agent and content updates. The options provided help you to reduce external network bandwidth loads during updates. When all sources are selected, the download sources are prioritized in the following order: P2P > Broker VM > Cortex XSIAM Server.

    To ensure your agents remain protected, the Cortex Server download source is always enabled to allow all Cortex XDR agents in your network to retrieve the content directly from the Cortex XSIAM server on their following heartbeat.

    Note

    Limitations in the content download process:

    • When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take between five to ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.

    • When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version, if the new agent cannot use the content version running on the endpoint, the new content update will start within one minute in P2P, and within five minutes from Cortex XSIAM.

    Item

    Options

    More details

    Select all

    • Selected

    • Clear

    When selected, all download source options are enabled.

    P2P

    • 33221 (default port)

    • custom port

    Cortex XSIAM deploys serverless peer-to-peer distribution to Cortex XDR agents in your LAN network by default. Within the six hour randomization window during which the Cortex XDR agent attempts to retrieve the new version, it will broadcast its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent did not retrieve the files from other agents in both queries, it will proceed to the next download source defined in your profile.

    To enable P2P, you must enable UDP and TCP over the port specified for P2P Port. By default, Cortex XSIAM uses port 33221. You can change the port number, if required by your organization.

    Broker VM

    • Select all

    • Brokers

    • Clusters

    (only Broker VMs that are connected and configured for caching can be selected)

    (Requires Broker VM 12.0 and later)

    If you have a Palo Alto Networks Broker VM in your network, you can leverage the Local Agent Settings applet to cache release upgrades and content updates. When the Broker VM is enabled and configured appropriately (refer to Activate the Local Agent Settings) , it retrieves the latest installers and content every 15 minutes. The Broker VM stores them for a 30-day retention period since an agent last asked for them.

    If the files are not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XSIAM server.

    When you select multiple Broker VMs, the agent chooses a Broker VM randomly for each download request.

  15. Configure Network Location Configuration for your Cortex XDR agents. If you configure host firewall rules in your network, you must:

    • Enable Network Location Configuration Action Mode, so that Cortex XSIAM can test the network location of your device.

    • Configure your network's DNS name and its internal IP address.

    If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and re-calculates the policy according to the new location.

    Item

    Options

    More details

    Action Mode

    • Enabled

    • Disabled

    When Enabled, a domain controller (DC) test checks whether the device is connected to the internal network or not. If the device is connected to the internal network, it is determined to be in the organization. If the DC test fails or returns an external domain, Cortex XSIAM performs a DNS connectivity test.

    DNS Name

    Your network's DNS name

    The Cortex XDR agent tests network location by submitting a Domain Name Server (DNS) name that is known only to the internal network. If the DNS returns the pre-configured internal IP address, the device is determined to be within the organization. If the DNS IP address cannot be resolved, the device is deemed to be located elsewhere.

    IP Address

    Your network's DNS internal IP address

    Enter the internal DNS IP address to be used by the DNS test.

  16. Define Agent Proxy Settings.

    Select whether to Enable or Disable Direct Server Access for the agent when connected using a proxy.

  17. Configure Agent Certificates. For improved security, enforce the use of root CA that is provided by Palo Alto Networks rather than on the local machine.

    Item

    Options

    More details

    Certificate Enforcement

    • Enabled

    • Disabled

    • Disabled (Notify)

    When enabled, certificate enforcement is enabled.

    Note

    If the Cortex XDR agent is initially unable to communicate without the local store, enforcement is not enabled and the agent will show as partially protected.

    When set to Disabled (Notify), Cortex XDR agents with this policy will trigger a banner in the server to notify customers about potential risk, and will direct them to change the certificate and the setting. The Last Certificate Enforcement Fallback column of the All Endpoints table is updated, and management audit logs related to the local store fallback are received by the server.

    When set to Disabled, Cortex XDR agents with this policy will trigger a banner in the server to notify customers about potential risk, and will direct them to change the certificate and the setting. The Last Certificate Enforcement Fallback column of the All Endpoints table is not updated, and no management audit logs related to the local store fallback are received by the server.

  18. Configure IT Metrics, to define setting for collecting IT metrics on the endpoint.

    Item

    Options

    More details

    Collect IT Data

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent collects IT data that provides visibility into IT performance on the agent.

  19. To save the profile, click Create.

  1. Add a new profile and define basic settings.

    1. Select EndpointsPolicy ManagementPreventionProfiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the macOS platform, and Agent Settings as the profile type.

    3. Click Next.

    4. Enter a unique Profile Name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. For Disk Quota, configure the amount of disk space to allot for Cortex XDR agent logs. Specify a value in MB from 100 to 10,000 (default is 5,000).

  3. Configure the User Interface options for Cortex XSIAM.

    By default, Cortex XSIAM uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.

    Item

    Options

    More details

    Tray Icon

    • Visible (default)

    • Hidden

    Choose whether you want the Cortex XDR agent icon to be Visible or Hidden in the notification area (system tray).

    XDR Agent Console Access

    • Enabled

    • Disabled

    When enabled, allows access to Cortex XSIAM.

    XDR Agent User Notifications

    • Enabled

    • Disabled

    Enable this option to operate display notifications in the notifications area on the endpoint. When you enable notifications, you can use the default notification messages that are displayed for each option, or provide custom text for each notification type. You can also customize a notification footer. Options include:

    • Live Terminal User Notifications: You can select to Request end-user permission to start the session. If the end user denies the request, you will not be able to initiate a Live Terminal session on the endpoint.

      You can select to Request end-user permission to start the session. If the end user denies the request, you will not be able to initiate a Live Terminal session on the endpoint.

    • Live Terminal Active Session Indication: Enable this option to display a blinking light (live-terminal-indication.png) on the status bar for the duration of the remote session to indicate to the end user that a Live Terminal session is in progress.

    • Persistent Isolation Notification

    • Endpoint Network Isolation Notification

    • Endpoint Network Un-Isolation Notification

    • Blocked Connectivity Notification

    • Exploit/Malware Events Set to Block

    • Restriction Events Set to Block

    • Restriction Events Set to Notify User

    • Notification Footer Text

    • USB Device Was Blocked

    • USB Disk Drive Was Allowed in Read-Only Mode

      Note

      You can enable the option to maintain a persistent notification regarding the disconnection of the endpoint from the network. The settings Persistent Isolation Notification and Blocked Connectivity Notification must be enabled. Until the threat on the endpoint has been removed, the endpoint remains disconnected from the network.

  4. For Agent Security, configure XDR Agent Tampering Protection (default is Enabled). By default, the Cortex XDR agent protects all agent components.

    Note

    If you choose the Enabled option, you must also set Anti Tampering Protection in the malware security profile to Block, and ensure that both profiles are assigned to the same endpoints.

    Note

    In Traps 5.0.6 and later releases, when protection is enabled, access will be read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.

  5. For Uninstall Password, configure an uninstall password.

    Define and confirm an encrypted password that the user must specify to uninstall the Cortex XDR agent. The uninstall password, also known as the supervisor password, is also used to protect against tampering attempts via Cytool commands. The password must contain:

    • 8 to 32 characters

    • At least one of each of the following:

      • Lower-case letter

      • Upper-case letter

      • Number

      • Special character: !@#%

  6. Configure Alerts Data collection options.

    When the Cortex XDR agent raises alerts on process-related activity on the endpoint, the agent collects the contents of memory and other data about the event, in what is known as an alert data dump file. You can configure the Cortex XDR agent to automatically upload alert data dump files to Cortex XSIAM.

    Item

    Options

    More details

    Alert Data Dump File Size

    • Small

    • Medium

    • Full

    The Full option creates the largest and most complete set of information.

    Automatically Upload Alert Data Dump File

    • Enabled

    • Disabled

    During event investigation, if automatic upload was disabled, you can still manually retrieve this data.

  7. Notice

    Requires a Cortex XDR Pro per Endpoint license. When you enable this feature, a Cortex XDR Pro per Endpoint license is consumed.

    Enable XDR Pro Endpoint Capabilities, and then configure the capabilities required by your organization. The Cortex XDR Pro features are hidden until you enable this option.

    Item

    Options

    More details

    Monitor and Collect Enhanced Endpoint Data

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on an endpoint. When you enable the Cortex XDR agent to monitor and collect enhanced endpoint data, Cortex XSIAM shares the detailed endpoint information with other Cortex apps. The information can help to provide the endpoint context when a security event occurs, so that you can gain insight into the overall event scope during an investigation. The event scope includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent will not share endpoint activity logs.

    Enable Host Insights Capabilities

    • Enabled

    • Disabled

    Notice

    Requires Host Insights add-on.

    Note

    This option is not supported in Traps 5.0.x.

    When enabled, the various host insight capabilities can be configured.

    Endpoint Information Collection

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent collects Host Inventory information such as users, groups, services, drivers, hardware, and network shares, as well as information about applications installed on the endpoint, including CVE and installed KBs for Vulnerability Assessment.

    File Search and Destroy Action Mode

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    When enabled, the Cortex XDR agent collects detailed information about files on the endpoint to create a files inventory database. The agent locally monitors any actions performed on these files and updates the local files inventory database in real-time.

    With this option you can also select the File Search and Destroy Monitored File Types where Cortex XSIAM monitors all the files on the endpoint, or only common file types. If you choose Common file types, Cortex XSIAM monitors the following file types:

    acm, apk, ax, bat, bin, bundle, csv, dll, dmg, doc, docm, docx, dylib, efi, hta, jar, js, jse, jsf, lua, mpp, mppx, mui, o, ocx, pdf, pkg, pl, plx, pps, ppsm, ppsx, ppt, pptm, pptx, py, pyc, pyo, rb, rtf, scr, sh, vds, vsd, wsf, xls, xlsm, xlsx, xsdx, and zip.

    Additionally, you can exclude files that exist under a specific local path on the endpoint from inclusion in the files database.

    Monitor and Collect Forensics Data

    • Enabled

    • Disabled

    Notice

    Requires Forensics Add-on.

    Note

    This is not supported in Traps 5.0.x.

    When enabled, the Cortex XDR agent collects detailed information about what happened on your endpoint, to create a forensics database. Define the following to enable collection and collection time intervals for the following entity types:

    • Process Execution

    • File Access

    • Persistence

    • Command History

    • Network

    • Search Collections

    Data collected by the agent is displayed on the tenant's Forensics page.

  8. Configure XDR Cloud for hosts running on cloud platforms. By default (auto-detect mode), the agent detects whether an endpoint is a cloud-based (container) installation or a permanent installation, and uses license allocation accordingly.

    Item

    Options

    More details

    XDR Cloud

    • Auto-detect

    • Enabled

    If you set this to Enabled in the profile, any agent using this profile will be treated as if it is a cloud-based agent for licensing purposes.

  9. Configure Response Actions for specific applications or processes, using an Allow list.

    If you need to isolate an endpoint, but want to allow access for a specific application or process, add it to the Network Isolation Allow List. Keep the following considerations in mind:

    When you add a specific application to your allow list from network isolation, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example, ping.exe, can use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.

    1. Click Add to add an entry to the allow list.

    2. Specify the Process Path that you want to allow, and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.

    3. Click the check mark.

  10. Configure the method used to update content on your endpoints.

    (Not supported in Traps 5.0.x)

    Warning

    If you disable or delay automatic-content updates provided by Palo Alto Networks, it may affect the security level in your organization.

    Note

    • If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XSIAM, and then disables content updates on the endpoint.

    • When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrades policy, the policy is applied to the added agent as well.

    Item

    Options

    More details

    Content Auto-update

    • Enabled

    • Disabled

    By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint, to ensure that it is always protected with the latest security measures.

    If you disable content updates, the agent stops retrieving them from the Cortex XSIAM tenant, and keeps working with the current content on the endpoint.

    Content Rollout

    • Immediately

    • Delayed

    The Cortex XDR agent can retrieve content updates immediately as they are available, or after a pre-configured delay period. When you delay content updates, the Cortex XDR agent will retrieve the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.

  11. Enable automatic Cortex XDR agent upgrades, to ensure that your endpoints are always up-to-date with the latest release. You can also configure your system to choose one release before the latest available release.

    Note

    Automatic upgrades are not supported with non-persistent VDI and temporary sessions.

    Item

    Options

    More details

    Agent Auto-Upgrade

    • Enabled

    • Disabled

    Automatic Upgrade Scope

    • Latest agent release

    • One release before the latest one

    • Only maintenance releases

    • Only maintenance releases in a specific version

    For One release before the latest one, Cortex XSIAM upgrades the agent to the previous release before the latest, including maintenance releases. Major releases are numbered X.X, such as release 8.0, or 8.2. Maintenance releases are numbered X.X.X, such as release 8.2.2.

    For Only maintenance releases in a specific version, select the required release version.

    Upgrade Rollout

    • Immediate

    • Delayed

    For Delayed, set the delay period (number of days) to wait after the version release before upgrading endpoints. Choose a value between 7 and 45.

    To control the agent auto upgrade scheduler and number of parallel upgrades in your network, configure Global Agent Settings.

  12. Configure Backup Management.

    Item

    Options

    More details

    Time Machine Activation

    • Enabled

    • Disabled

    When enabled, this option automatically turns on the Time Machine setting of the endpoint. This ensures that the data is backed up and may be recovered in cases of any security breaches or loss of data.

  13. Specify a Download Source, or multiple sources, from which Cortex XDR agent retrieves agent and content updates. The options provided help you to reduce external network bandwidth loads during updates. When all sources are selected, the download sources are prioritized in the following order: P2P > Broker VM > Cortex XSIAM Server.

    To ensure your agents remain protected, the Cortex Server download source is always enabled to allow all Cortex XDR agents in your network to retrieve the content directly from the Cortex XSIAM server on their following heartbeat.

    Note

    Limitations in the content download process:

    • When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take between five to ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.

    • When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version, if the new agent cannot use the content version running on the endpoint, the new content update will start within one minute in P2P, and within five minutes from Cortex XSIAM.

    Item

    Options

    More details

    Select all

    • Selected

    • Clear

    When selected, all download source options are enabled.

    P2P

    • 33221 (default port)

    • custom port

    Cortex XSIAM deploys serverless peer-to-peer distribution to Cortex XDR agents in your LAN network by default. Within the six hour randomization window during which the Cortex XDR agent attempts to retrieve the new version, it will broadcast its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent did not retrieve the files from other agents in both queries, it will proceed to the next download source defined in your profile.

    To enable P2P, you must enable UDP and TCP over the port specified for P2P Port. By default, Cortex XSIAM uses port 33221. You can change the port number, if required by your organization.

    Broker VM

    • Select all

    • Brokers

    • Clusters

    (only Broker VMs that are connected and configured for caching can be selected)

    (Requires Broker VM 12.0 and later)

    If you have a Palo Alto Networks Broker VM in your network, you can leverage the Local Agent Settings applet to cache release upgrades and content updates. When the Broker VM is enabled and configured appropriately (refer to Activate the Local Agent Settings) , it retrieves the latest installers and content every 15 minutes. The Broker VM stores them for a 30-day retention period since an agent last asked for them.

    If the files are not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XSIAM server.

    When you select multiple Broker VMs, the agent chooses a Broker VM randomly for each download request.

  14. Configure Network Location Configuration for your Cortex XDR agents. If you configure host firewall rules in your network, you must:

    • Enable Network Location Configuration Action Mode, so that Cortex XSIAM can test the network location of your device.

    • Configure your network's DNS name and its internal IP address.

    If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and re-calculates the policy according to the new location.

    Item

    Options

    More details

    Action Mode

    • Enabled

    • Disabled

    When Enabled, a domain controller (DC) test checks whether the device is connected to the internal network or not. If the device is connected to the internal network, it is determined to be in the organization. If the DC test fails or returns an external domain, Cortex XSIAM performs a DNS connectivity test.

    DNS Name

    Your network's DNS name

    The Cortex XDR agent tests network location by submitting a Domain Name Server (DNS) name that is known only to the internal network. If the DNS returns the pre-configured internal IP address, the device is determined to be within the organization. If the DNS IP address cannot be resolved, the device is deemed to be located elsewhere.

    IP Address

    Your network's DNS internal IP address

    Enter the internal DNS IP address to be used by the DNS test.

  15. Define Agent Proxy Settings.

    Select whether to Enable or Disable Direct Server Access for the agent when connected using a proxy.

  16. Configure Agent Certificates. For improved security, enforce the use of root CA that is provided by Palo Alto Networks rather than on the local machine.

    Item

    Options

    More details

    Certificate Enforcement

    • Enabled

    • Disabled

    • Disabled (Notify)

    When enabled, certificate enforcement is enabled.

    Note

    If the Cortex XDR agent is initially unable to communicate without the local store, enforcement is not enabled and the agent will show as partially protected.

    When set to Disabled (Notify), Cortex XDR agents with this policy will trigger a banner in the server to notify customers about potential risk, and will direct them to change the certificate and the setting. The Last Certificate Enforcement Fallback column of the All Endpoints table is updated, and management audit logs related to the local store fallback are received by the server.

    When set to Disabled, Cortex XDR agents with this policy will trigger a banner in the server to notify customers about potential risk, and will direct them to change the certificate and the setting. The Last Certificate Enforcement Fallback column of the All Endpoints table is not updated, and no management audit logs related to the local store fallback are received by the server.

  17. To save the profile, click Create.

  1. Add a new profile and define basic settings.

    1. Select EndpointsPolicy ManagementPreventionProfiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Linux platform, and Agent Settings as the profile type.

    3. Click Next.

    4. Enter a unique Profile Name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. For Disk Quota, configure the amount of disk space to allot for Cortex XDR agent logs. Specify a value in MB from 100 to 10,000 (default is 5,000).

  3. Configure Alerts Data collection options.

    When the Cortex XDR agent raises alerts on process-related activity on the endpoint, the agent collects the contents of memory and other data about the event, in what is known as an alert data dump file. You can configure the Cortex XDR agent to automatically upload alert data dump files to Cortex XSIAM.

    Item

    Options

    More details

    Alert Data Dump File Size

    • Small

    • Medium

    • Full

    The Full option creates the largest and most complete set of information.

    Automatically Upload Alert Data Dump File

    • Enabled

    • Disabled

    During event investigation, if automatic upload was disabled, you can still manually retrieve this data.

  4. Notice

    Requires a Cortex XDR Pro per Endpoint license. When you enable this feature, a Cortex XDR Pro per Endpoint license is consumed.

    Enable XDR Pro Endpoint Capabilities, and then configure the capabilities required by your organization. The Cortex XDR Pro features are hidden until you enable this option.

    Item

    Options

    More details

    Monitor and Collect Enhanced Endpoint Data

    • Enabled

    • Disabled

    (Not supported in Traps 5.0.x)

    By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on an endpoint. When you enable the Cortex XDR agent to monitor and collect enhanced endpoint data, Cortex XSIAM shares the detailed endpoint information with other Cortex apps. The information can help to provide the endpoint context when a security event occurs, so that you can gain insight into the overall event scope during an investigation. The event scope includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent will not share endpoint activity logs.

    Enable Host Insights Capabilities

    • Enabled

    • Disabled

    Notice

    Requires Host Insights add-on; not supported in Traps 5.0.x

    When enabled, the various host insight capabilities can be configured.

    Endpoint Information Collection

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent collects Host Inventory information such as users, groups, services, drivers, hardware, and network shares, as well as information about applications installed on the endpoint, including CVE and installed KBs for Vulnerability Assessment.

    Enable Compliance Collection

    • Enabled

    • Disabled

  5. Configure XDR Cloud for hosts running on cloud platforms. By default (auto-detect mode), the agent detects whether an endpoint is a cloud-based (container) installation or a permanent installation, and uses license allocation accordingly.

    Item

    Options

    More details

    XDR Cloud

    • Auto-detect

    • Enabled

    If you set this to Enabled in the profile, any agent using this profile will be treated as if it is a cloud-based agent for licensing purposes.

  6. Configure Response Actions for specific applications or processes, using an Allow list.

    If you need to isolate an endpoint, but want to allow access for a specific application or process, add it to the Network Isolation Allow List. Keep the following considerations in mind:

    • When you add a specific application to your allow list from network isolation, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example, ping.exe, can use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.

    1. Click Add to add an entry to the allow list.

    2. Specify the Process Path that you want to allow, and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.

    3. Click the check mark.

  7. Configure settings to automatically Revert Endpoint Isolation of an agent. When this feature is enabled, agent isolation will be cancelled when a connection with the managing server is lost for the defined continuous period of time.

    1. Either keep the recommended default setting (Enabled), or change it by selecting Disabled in the Revert Isolation field.

    2. Set a time unit and enter the number of hours or days. We recommend 24 hours (default).

  8. Configure the method used to update content on your endpoints.

    (Not supported in Traps 5.0.x)

    Warning

    If you disable or delay automatic-content updates provided by Palo Alto Networks, it may affect the security level in your organization.

    Note

    • If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XSIAM, and then disables content updates on the endpoint.

    • When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrades policy, the policy is applied to the added agent as well.

    Item

    Options

    More details

    Content Auto-update

    • Enabled

    • Disabled

    By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint, to ensure that it is always protected with the latest security measures.

    If you disable content updates, the agent stops retrieving them from the Cortex XSIAM tenant, and keeps working with the current content on the endpoint.

    Content Rollout

    • Immediately

    • Delayed

    The Cortex XDR agent can retrieve content updates immediately as they are available, or after a pre-configured delay period. When you delay content updates, the Cortex XDR agent will retrieve the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.

  9. Enable automatic Cortex XDR agent upgrades, to ensure that your endpoints are always up-to-date with the latest release. You can also configure your system to choose one release before the latest available release.

    Note

    Automatic upgrades are not supported with non-persistent VDI and temporary sessions.

    Item

    Options

    More details

    Agent Auto-Upgrade

    • Enabled

    • Disabled

    Automatic Upgrade Scope

    • Latest agent release

    • One release before the latest one

    • Only maintenance releases

    • Only maintenance releases in a specific version

    For One release before the latest one, Cortex XSIAM upgrades the agent to the previous release before the latest, including maintenance releases. Major releases are numbered X.X, such as release 8.0, or 8.2. Maintenance releases are numbered X.X.X, such as release 8.2.2.

    For Only maintenance releases in a specific version, select the required release version.

    Upgrade Rollout

    • Immediate

    • Delayed

    For Delayed, set the delay period (number of days) to wait after the version release before upgrading endpoints. Choose a value between 7 and 45.

    To control the agent auto upgrade scheduler and number of parallel upgrades in your network, configure Global Agent Settings.

  10. Specify a Download Source, or multiple sources, from which Cortex XDR agent retrieves agent and content updates. The options provided help you to reduce external network bandwidth loads during updates. When all sources are selected, the download sources are prioritized in the following order: P2P > Broker VM > Cortex XSIAM Server.

    To ensure your agents remain protected, the Cortex Server download source is always enabled to allow all Cortex XDR agents in your network to retrieve the content directly from the Cortex XSIAM server on their following heartbeat.

    Note

    Limitations in the content download process:

    • When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take between five to ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.

    • When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version, if the new agent cannot use the content version running on the endpoint, the new content update will start within one minute in P2P, and within five minutes from Cortex XSIAM.

    Item

    Options

    More details

    Select all

    • Selected

    • Clear

    When selected, all download source options are enabled.

    P2P

    • 33221 (default port)

    • custom port

    Cortex XSIAM deploys serverless peer-to-peer distribution to Cortex XDR agents in your LAN network by default. Within the six hour randomization window during which the Cortex XDR agent attempts to retrieve the new version, it will broadcast its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent did not retrieve the files from other agents in both queries, it will proceed to the next download source defined in your profile.

    To enable P2P, you must enable UDP and TCP over the port specified for P2P Port. By default, Cortex XSIAM uses port 33221. You can change the port number, if required by your organization.

    Broker VM

    • Select all

    • Brokers

    • Clusters

    (only Broker VMs that are connected and configured for caching can be selected)

    (Requires Broker VM 12.0 and later)

    If you have a Palo Alto Networks Broker VM in your network, you can leverage the Local Agent Settings applet to cache release upgrades and content updates. When the Broker VM is enabled and configured appropriately (refer to Activate the Local Agent Settings) , it retrieves the latest installers and content every 15 minutes. The Broker VM stores them for a 30-day retention period since an agent last asked for them.

    If the files are not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XSIAM server.

    When you select multiple Broker VMs, the agent chooses a Broker VM randomly for each download request.

  11. Define Agent Proxy Settings.

    Select whether to Enable or Disable Direct Server Access for the agent when connected using a proxy.

  12. Configure Advanced Vulnerability Scanning for periodic Active Vulnerability Analysis (AVA) scans. This option is only available for tenants that are paired with Prisma Cloud.

    Item

    Options

    More details

    Advanced Vulnerability Scanning

    • Enabled

    • Disabled

    Periodic Scan

    • 24 Hours

    • Custom

    For the default setting, select 24 Hours.

    For other time frames, select Custom, and then configure the desired time frame. Where relevant, select the start day and time for the periodic scans. If you select monthly scans, you can also configure a timeout period, in hours.

  13. Configure Agent Operation Mode (BETA).

    Item

    Options

    More details

    Mode

    • Kernel

    • User Space

  14. To save the profile, click Create.

  1. Add a new profile and define basic settings.

    1. Select EndpointsPolicy ManagementPreventionProfiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.

    2. Select the Android platform, and Agent Settings as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure the method used to update content on your endpoints.

    (Not supported in Traps 5.0.x)

    Warning

    If you disable or delay automatic-content updates provided by Palo Alto Networks, it may affect the security level in your organization.

    Note

    • If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XSIAM, and then disables content updates on the endpoint.

    • When you add a Cortex XDR agent to an endpoint group with a disabled content auto-upgrades policy, the policy is applied to the added agent as well.

    Item

    Options

    More details

    Content Auto-update

    • Enabled

    • Disabled

    By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint, to ensure that it is always protected with the latest security measures.

    If you disable content updates, the agent stops retrieving them from the Cortex XSIAM tenant, and keeps working with the current content on the endpoint.

    Content Rollout

    • Immediately

    • Delayed

    The Cortex XDR agent can retrieve content updates immediately as they are available, or after a pre-configured delay period. When you delay content updates, the Cortex XDR agent will retrieve the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.

  3. Configure network usage preferences.

    When the option Upload Using Cellular Data is enabled, the Cortex XDR agent uses cellular data to send unknown apps to the Cortex XSIAM for inspection. Standard data charges may apply. When this option is disabled, the Cortex XDR agent queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.

  4. To save the profile, click Create.