# Cortex XDR 2.4: One Small Step for Cortex XDR, One Giant Leap for SecOps

By [Kasey Cross](https://www.paloaltonetworks.com/blog/author/kasey-cross/?ts=markdown "Posts by Kasey Cross"), Jun 02, 2020, 6 minutes. Categories: [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown). Tags: [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown), [SecOps](https://www.paloaltonetworks.com/blog/tag/secops/?ts=markdown), [Security Operations Center](https://www.paloaltonetworks.com/blog/tag/security-operations-center/?ts=markdown), [SOC](https://www.paloaltonetworks.com/blog/tag/soc/?ts=markdown)

Close on the heels of [Cortex XDR 2.2 and 2.3](https://www.paloaltonetworks.com/blog/2020/04/cortex-network-visibility/?ts=markdown), we are proud to announce the availability of Cortex
XDR 2.4, which is jam-packed with new features that enhance detection, investigation and ease of management. From vulnerability assessment to integration with Cortex XSOAR Threat Intel Management, this release has something for everyone. We'll walk you through the highlights in this blog, but be sure to check out our [release notes](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2020.html#iddb59f5e7-aac3-4e46-a08d-ab6f7a304416) for all the technical details.

#### **Lightning Fast Investigations with Quick Launcher and Pivoting**

Every second counts during a cyberattack, and Cortex XDR is designed to make investigations as efficient as possible. To further reduce the number of clicks required to conduct your investigations, we have introduced Quick Launcher and alert pivoting. Now you can conduct common investigation tasks or initiate response actions from anywhere in the Cortex XDR management console. Use the Quick Launcher to:

* Search events for a host, IP address, domain or hash.
* Blacklist and whitelist processes by hash.
* Add domains or IP addresses to an external dynamic list (EDL) blocklist.
* Create a new IOC for an IP address, domain or hash.
* Open a Live Terminal session, initiate a malware scan or isolate an endpoint.

You can highlight values such as IP addresses or file names anywhere in the Cortex XDR management console to pre-populate a query in the Quick Launcher, avoiding the extra steps of copying and pasting values and navigating to the Query Builder.

![This screenshot shows the Quick Launcher feature in Cortex XDR 2.4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/06/Suspicious-ab.png)

The Quick Launcher can be opened from any page using a shortcut key or the Quick Launcher icon in the navigation menu.
From the Quick Launcher, you can open the IP View or Hash View to display the essential details about an IP address or hash on one screen. The IP View shows threat intelligence, geolocation and network information, as well as related incidents involving the IP address. The Hash View reveals recent process executions, threat intelligence data, and associated incidents and response actions. From either view you can navigate directly to related incidents for further analysis.

![This screenshot shows the IP View in Cortex XDR 2.4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/06/showing-top3.png)

The IP View provides rich context about the IP addresses you are investigating.

![This screenshot shows the Hash View in Cortex XDR 2.4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/06/Hash-view.png)

The Hash View displays essential details about processes and files to expedite investigations.

To make investigating attacks easier than ever, Cortex XDR 2.4 also supports:

* **Pivoting between alerts, rules and incidents** -- You can now pivot from an IOC or BIOC rule to the alerts triggered by that rule with a single click, simplifying investigation workflows. You can also pivot from an alert to its related incident.
* **Alert table enhancements** -- You can view, sort and filter endpoint alerts by MAC address, domain and endpoint operating system, and network alerts by App-ID category, email subject, URL and much more.
* **Remote Procedure Call (RPC) visibility** -- When analyzing alerts, you can see whether local or remote processes used RPC requests or code injection to initiate events in other processes. These insights can quickly expose malicious activity.

#### **Integration with Cortex XSOAR Threat Intel Management**

Spotting indicators of compromise can help you quickly find and root out adversaries.
A new API in Cortex XDR 2.4 lets you consume threat intelligence feeds from third-party sources in JSON and CSV formats. In addition, native integration with Cortex XSOAR Threat Intel Management gives you granular control over which indicators are provided to Cortex XDR for IOC-based detection. By bringing threat intelligence into Cortex XDR, you can identify threats hiding in your security data. Integration with Cortex XSOAR is expected to be available on June 9.

#### **Vulnerability Assessment**

With thousands of new vulnerabilities reported every year, many security teams struggle to find and assess the vulnerabilities in their organizations. Cortex XDR 2.4 alleviates those challenges by identifying and prioritizing your security vulnerabilities. From the Cortex XDR management console, you can view the vulnerabilities detected on your Linux endpoints by CVE or by host. Cortex XDR also lists all applications installed on your Windows and Linux endpoints and flags the CVEs that apply to each one, giving you an application inventory of your network as well.

![This screenshot shows the vulnerability assessment view in Cortex XDR 2.4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/06/Vuln-assess.png)

To help you understand vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the [NIST National Vulnerability Database](https://nvd.nist.gov/), including CVE severity and metrics.

#### **Okta and Azure Active Directory Log Support**

Authentication logs allow you to unearth unusual user activity like credential abuse. By searching for suspicious activity, such as a user signing in from an external IP address, you can track down user-based attacks. In addition to Kerberos and Windows Event Logs, Cortex XDR now collects authentication data from Okta and Microsoft Azure Active Directory.
It automatically normalizes the logs from both cloud-based authentication services and provides a single place to query and review authentication sessions. You can hunt for and investigate threats by searching through authentication logs with the Query Builder or with text-based queries.

![This screenshot shows the SaaS Log Collection View in Cortex XDR 2.4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/06/SaaS-log.png)

Configuration to collect authentication logs from Microsoft Azure Active Directory.

#### **Supercharged Threat Hunting**

Our Query Builder is an intuitive search tool that lets analysts of all skill levels conduct investigations without learning a new query language. Advanced threat hunters, however, may want to write complex queries quickly and use richer query parameters such as wildcards. In Cortex XDR 2.4, these power users can execute simple or complex text-based queries to search across all of their data in Cortex XDR. With Native Search, currently available as a beta feature, you have the flexibility to query any information you want, or to copy, edit and paste previous queries. As you type a query, Native Search autocompletes field names based on the known log fields. You can also use regex and wildcards in your queries and string multiple conditions together.

###### Examples of text-based queries include:

* `network connections AND palo alto networks.app id = facebook`
* `okta.sso AND ip != 10.0.*`
* `palo alto networks.file create.file name =~ ".+?"`
* `cortex xdr agent AND palo alto networks.dst process name CONTAINS chrome`

(If you prefer that Unit 42 experts track down threats for you, check out the recently announced [Cortex XDR Managed Threat Hunting](https://www.paloaltonetworks.com/blog/2020/05/cortex-xdr-managed-threat-hunting/?ts=markdown) service.)
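Two of the features above, importing third-party IOC feeds in CSV and JSON for IOC-based detection and hunting for sign-ins from external addresses in Okta logs (the `okta.sso AND ip != 10.0.*` query), meet in the following Python script. It is an added example written for this article, not Cortex XDR code and not its IOC-import API or query engine. It normalizes a constructed CSV feed and a constructed JSON feed into one indicator table, dropping malformed hashes and RFC 1918 addresses that would otherwise alert on every internal host, then runs that table plus an external-source-IP rule over constructed events shaped like Okta System Log sign-in records (`eventType`, `actor.alternateId`, `client.ipAddress`, `outcome.result`). The feed column and key names, the corporate range `10.0.0.0/8`, and every address, domain and hash below are assumptions made for the example.

```python
"""Added example: normalise CSV and JSON IOC feeds, then run them together with
an external-source-IP rule over Okta-style sign-in events.  Not Cortex XDR's
own import API or detection engine; feed layouts and all values are constructed."""
import csv
import io
import ipaddress
import json
import re

# Constructed feeds; the column and key names are assumptions, real feeds differ.
CSV_FEED = """indicator,type,severity
198.51.100.23,ip,high
evil.example,domain,medium
0123456789abcdef0123456789abcdef,hash,high
10.0.0.5,ip,low
not-a-hash,hash,high
"""
JSON_FEED = json.dumps([
    {"value": "203.0.113.9", "kind": "ipv4", "confidence": 90},
    {"value": "EVIL.example.", "kind": "domain", "confidence": 60},
    {"value": "198.51.100.23", "kind": "ipv4", "confidence": 80},  # duplicate of a CSV row
])

# Addresses a public feed should never carry: loading them would match every internal
# host.  Checked explicitly rather than via ip_address().is_private, which would also
# reject the documentation ranges (192.0.2.0/24 etc.) used for the sample data.
NOISY_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Assumed corporate range; stands in for the article's `ip != 10.0.*` condition.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def in_nets(addr, nets):
    return any(addr in net for net in nets)


def normalise(value, kind):
    """Return (canonical_value, canonical_type), or None for indicators that are
    malformed or would only generate noise."""
    value = value.strip().lower().rstrip(".")
    kind = kind.strip().lower()
    if kind in ("ip", "ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        return None if in_nets(addr, NOISY_NETS) else (str(addr), "IP")
    if kind in ("domain", "domain_name"):
        return (value, "DOMAIN_NAME") if DOMAIN_RE.match(value) else None
    if kind in ("hash", "md5", "sha1", "sha256"):
        return (value, "HASH") if HASH_RE.match(value) else None
    return None


def load_feeds(csv_text, json_text):
    """Merge a CSV feed and a JSON feed into one de-duplicated indicator table.
    The first feed to mention an indicator sets its severity."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = normalise(row["indicator"], row["type"])
        if key:
            iocs.setdefault(key, {"severity": row["severity"].upper()})
    for item in json.loads(json_text):
        key = normalise(item["value"], item["kind"])
        if key:
            iocs.setdefault(key, {"severity": "HIGH" if item["confidence"] >= 80 else "MEDIUM"})
    return iocs


# Constructed events shaped like Okta System Log sign-in records (field subset).
OKTA_EVENTS = [
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@corp.example"},
     "client": {"ipAddress": "10.0.4.17"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@corp.example"},
     "client": {"ipAddress": "203.0.113.9"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "carol@corp.example"},
     "client": {"ipAddress": "192.0.2.77"}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "dave@corp.example"},
     "client": {"ipAddress": "198.51.100.23"}, "outcome": {"result": "FAILURE"}},
]


def hunt(events, iocs, internal_nets=INTERNAL_NETS):
    """One finding per sign-in worth a look: any attempt (success or failure) from an
    IOC address, and successful logins from outside the corporate ranges."""
    findings = []
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        user, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        ioc = iocs.get((ip, "IP"))
        if ioc:
            findings.append((user, ip, "ioc_match:" + ioc["severity"]))
        elif ev["outcome"]["result"] == "SUCCESS" and not in_nets(ipaddress.ip_address(ip), internal_nets):
            findings.append((user, ip, "external_success"))
    return findings


if __name__ == "__main__":
    for finding in hunt(OKTA_EVENTS, load_feeds(CSV_FEED, JSON_FEED)):
        print(finding)
```

Run it directly and it prints three findings: two sign-in attempts from feed addresses (one of them a failed login, which still matters because it shows the IOC address probing your tenant) and one success from a non-corporate address. The normalisation step is the part worth keeping: a feed row carrying a private address or a truncated hash would otherwise be loaded as-is and either flood the SOC with matches or never match at all.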
###### But that's not all... Cortex XDR 2.4 also includes *even more* enhancements:

* **Interactive Script Execution** -- You can now initiate scripts in Interactive Mode to run multiple scripts on pre-defined endpoints, track the execution progress and view the results in real time.
* **APIs** -- New API fields and values give you better visibility and control over endpoint scans as well as blacklisted and whitelisted hashes.
* **MSSP Management** -- MSSPs can quickly investigate and hunt for threats in their customers' environments by executing searches in the Query Builder across multiple Cortex XDR tenants at once.
* **Broker Service** -- You can now securely access the Broker VM over SSH using public-key authentication.

For a complete list of new features in Cortex XDR 2.4, see the [Cortex XDR release notes](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2020.html#iddb59f5e7-aac3-4e46-a08d-ab6f7a304416).