February 2024 - Release Notes - Cortex XDR - Cortex - Security Operations

Cortex XDR Release Notes

Product: Cortex XDR
Creation date: 2024-02-14
Last date published: 2024-04-14
Category: Release Notes

This section describes the new features and updates of the Cortex XDR 3.9 and Cortex XDR Agent 8.3 releases.

The Cortex XDR 3.9 and Agent 8.3 releases include the following highlights:

Feature

Description

On-write protection module

Cortex XDR has expanded its machine learning (ML) based security capabilities to include on-write protection for Windows, which combines WildFire and local analysis to examine files as they are written to disk.

UEFI protection module

Cortex XDR has expanded its malware protection capabilities by adding the UEFI protection module, which provides coverage against pre-boot attacks.

Limit access to Cortex XDR API

Limit Cortex XDR API access to specific IP addresses or IP ranges by adding them to an allow list. Requests from any other source address are rejected, which tightens data security and control while still allowing integration with third-party systems and applications.
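The following is an added example of how such a source-address allow list is evaluated; it is not Palo Alto Networks code and says nothing about how the Cortex XDR API implements the check internally. It assumes the list is stored as one entry per line (single addresses or CIDR ranges, comments allowed) and uses constructed documentation addresses (RFC 5737 / RFC 3849). It shows two details worth getting right before relying on the feature: an entry with host bits set is rejected rather than silently widened to the whole range, and an IPv4 client arriving on a dual-stack listener as an IPv4-mapped IPv6 address still matches its IPv4 entry.

```python
import ipaddress


def parse_allow_list(entries):
    """Parse allow-list entries (single IPs or CIDR ranges) into network objects.

    Entries are parsed strictly: "198.51.100.5/24" has host bits set and is
    rejected instead of being widened to 198.51.100.0/24, and every entry that
    fails to parse is returned so a typo cannot go unnoticed.
    """
    networks, rejected = [], []
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # blank lines and comments in a stored list
        try:
            networks.append(ipaddress.ip_network(text, strict=True))
        except ValueError:
            rejected.append(text)
    return networks, rejected


def normalize_source(source_ip):
    """Return the client address as an ip_address object, or None if malformed.

    A dual-stack listener presents an IPv4 client as an IPv4-mapped IPv6
    address (::ffff:198.51.100.77); unwrap it so a plain IPv4 entry matches.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_allowed(source_ip, networks):
    """Deny by default: only an address inside a listed network is accepted.
    Comparing an IPv4 address against an IPv6 network is simply False."""
    addr = normalize_source(source_ip)
    if addr is None:
        return False
    return any(addr in net for net in networks)


def evaluate_requests(entries, requests):
    """Apply an allow list to (source_ip, caller) pairs; return the decisions
    keyed by source address plus the entries the loader rejected."""
    networks, rejected = parse_allow_list(entries)
    decisions = {src: is_allowed(src, networks) for src, _ in requests}
    return decisions, rejected


# Constructed sample allow list (documentation address ranges, not real hosts).
SAMPLE_ALLOW_LIST = [
    "# SOAR platform egress address",
    "203.0.113.10",
    "# ticketing integration subnet",
    "198.51.100.0/24",
    "2001:db8:cafe::/48",
    "198.51.100.5/24",      # host bits set: rejected, not widened
    "203.0.113.300",        # not a valid address: rejected
]

# Constructed sample requests as (source address seen by the API, caller).
SAMPLE_REQUESTS = [
    ("203.0.113.10", "soar"),
    ("203.0.113.11", "unknown host next to soar"),
    ("198.51.100.77", "ticketing"),
    ("::ffff:198.51.100.77", "ticketing via dual-stack listener"),
    ("2001:db8:cafe:1::5", "ipv6 integration"),
    ("2001:db8:dead::1", "ipv6 outside the allowed /48"),
    ("not-an-ip", "malformed header value"),
]

if __name__ == "__main__":
    decisions, rejected = evaluate_requests(SAMPLE_ALLOW_LIST, SAMPLE_REQUESTS)
    for src, ok in decisions.items():
        print(f"{src:>24}  {'ALLOW' if ok else 'DENY'}")
    print("rejected entries:", rejected)
```

The address that matters is the one that reaches the Cortex XDR API: an integration host behind NAT or an egress proxy must be listed by its public egress address, not its private one, or its requests will be denied once the allow list is in place.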

The Cortex XDR 3.9 and Cortex XDR Agent 8.3 releases include the following enhancements:

General

Feature

Description

Augmenting VA insights in Host Card

The Host Card under Asset Scores now includes additional Vulnerability Assessment (VA) insights. This enhancement adds a breakdown of the Common Vulnerabilities and Exposures (CVEs) found on the endpoint, sorted by severity, so you can quickly understand and prioritize the exposure of each endpoint. The CVE breakdown is included only when both the Host Insights and Identity Threat Module licenses are activated.

New cloud-related attributes for security events and agent status

Security events and agent status now include cloud-related attributes that convey essential information about the cloud environment in which the endpoint runs.

New Widgets in the Identity Threat Module

(Requires the Identity Threat Module add-on)

The User Risk View in the Identity Threat Module now contains two new widgets that give more insight into where, and from what, the user typically connects.

  • Common Locations - displays the countries from which the user connected most in the past few weeks.

  • Common OSs - displays the operating systems the user used most in the past few weeks.

Analytics Tags Highlights

Cortex XDR has updated the detectors inventory, introducing new analytics into both new and existing tags.

  • Direct Syscall Analytics (New) - Advanced real-time detection of direct syscall activities, distinguishing between benign and malicious events.

  • DLL Hijacking Analytics (New) - Improved analytics for identifying DLL Hijacking techniques, focusing on evasion and privilege escalation tactics.

  • Global Analytics (Updated) - Enhanced detection of complex attacks, including supply chain threats and zero-day exploits, using machine learning on cross-customer references.

  • Injection Analytics Improvement - Refined detection of process injection anomalies, improving identification of malicious activities.

  • Impacket Analytics - Analytics for detecting Impacket-related lateral movement behaviors with high accuracy.

XDR Collectors

Windows 1.4.1.1100 and Linux 1.4.1.1089

For more information on maintenance releases, see Maintenance Releases.

Feature

Description

XDR Collectors 1.4.1

This release includes performance improvements and bug fixes.

Broker VM

Version 22.0.32

For more information on maintenance releases, see Maintenance Releases.

Feature

Description

Broker VM 22.0.32

This release includes performance improvements and bug fixes.

External Data Ingestion and Management

Feature

Description

Retention licenses support 31-day period

Cortex XDR retention license add-ons now provide a 31-day period per license SKU purchased instead of the 30 days provided previously, so that twelve SKUs cover a full 365-day year (12 x 30 days fell five days short).

Cortex Query Language (XQL)

Feature

Description

New field added to xdr_process preset

(Requires a Cortex XDR Pro license)

Cortex XDR now includes a new field called action_process_instance_ID in the xdr_process preset. This field provides the Cortex instance ID of the process.

The Cortex XDR 3.9 and Cortex XDR Agent 8.3 releases include the following changes to existing functionality:

Component

Area

Description

APPS column of Broker VMs page

Broker VM

Cortex XDR has replaced the hover action in the APPS column of the Broker VMs page with a left-click action, which displays the Broker VM applet settings and lets you add a new Broker VM applet.

target stage

XQL

Cortex Query Language (XQL) now supports append=false on a target stage whose dataset type is lookup, so the results of the current query replace the contents of the dataset. Previously, only append=true was supported for this dataset type, which appended the results of the current query to the existing dataset.

Endpoints table, Last Certificate Enforcement Fallback column

Agent Settings profile

Certificate enforcement for Windows and macOS endpoints

To improve security, the Cortex XDR agent now validates the server certificate only against the trusted root CA file provided to it, without falling back to the endpoint's local certificate store.

There are three modes of operation, set in the Agent Settings profile. Existing tenants default to Disabled (Notify); new tenants default to Enabled.

  • Enabled: Enforcement is enabled. Note: if the agent cannot initially communicate with the server using only the provided CA file, enforcement is not applied and the agent is shown as partially protected in the server UI.

  • Disabled (Notify): Enforcement is disabled. Agents with this setting trigger a visible banner in the UI that warns of the potential risk and directs you to replace the certificate and change the setting. The Last Certificate Enforcement Fallback column of the Endpoints table is updated, and the server receives management audit logs for each fallback to the local store.

  • Disabled: Enforcement is disabled. Agents with this setting trigger a visible banner in the UI that warns of the potential risk, but the Last Certificate Enforcement Fallback column of the Endpoints table is not updated and no management audit logs are generated for fallbacks to the local store, so fallbacks in this mode go unrecorded.
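The following is an added example, not Cortex XDR agent code, that makes the three modes concrete in terms of the client-side TLS trust configuration: a context that trusts only the provided root CA file versus one that additionally trusts the endpoint's local store (Python's ssl.SSLContext with and without load_default_certs). The handshake is injected as a callable so the example runs offline; the server behaviour below is constructed. What each mode records after a fallback follows the list above, except that recording the fallback in Enabled mode is an assumption, since the notes do not say.

```python
import ssl

# Enforcement modes from the Agent Settings profile.
ENABLED = "Enabled"
DISABLED_NOTIFY = "Disabled (Notify)"
DISABLED = "Disabled"


def build_trust_context(provided_ca_file=None, allow_local_store=False):
    """Client TLS context that trusts only what it is told to trust.

    provided_ca_file: PEM bundle holding the trusted root CA delivered to the
    agent; when given it is loaded as a trust anchor. allow_local_store:
    additionally trust the endpoint's local certificate store, the fallback
    that enforcement removes. Chain verification and hostname checking stay
    on in every mode; the modes differ only in which anchors may satisfy them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if provided_ca_file is not None:
        ctx.load_verify_locations(cafile=provided_ca_file)
    if allow_local_store:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def trust_summary(ctx):
    """Report the properties an auditor would check on a context."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "loaded_ca_count": ctx.cert_store_stats()["x509_ca"],
    }


def connect_with_policy(mode, handshake, provided_ca_file=None):
    """Attempt the server connection under one enforcement mode.

    handshake(ctx) performs the TLS handshake with the given context and
    raises ssl.SSLCertVerificationError when the server chain does not
    validate against that context's trust anchors. The returned record
    states whether the local store was used, the endpoint status shown in
    the UI, whether a warning banner is raised, and whether the fallback is
    recorded (Endpoints table column and management audit log).
    """
    strict = build_trust_context(provided_ca_file, allow_local_store=False)
    try:
        handshake(strict)
        return {"connected": True, "fallback_used": False,
                "status": "Protected", "banner": False, "recorded": False}
    except ssl.SSLCertVerificationError:
        pass  # provided CA alone did not validate the chain; consider fallback

    fallback = build_trust_context(provided_ca_file, allow_local_store=True)
    try:
        handshake(fallback)
    except ssl.SSLCertVerificationError:
        # Not even the local store trusts the server: no connection in any mode.
        return {"connected": False, "fallback_used": False,
                "status": "Disconnected", "banner": False, "recorded": False}

    if mode == ENABLED:
        # Enforcement cannot be applied; the agent is flagged partially protected.
        # Recording the fallback here is an assumption (the notes do not say).
        return {"connected": True, "fallback_used": True,
                "status": "Partially Protected", "banner": False, "recorded": True}
    if mode == DISABLED_NOTIFY:
        return {"connected": True, "fallback_used": True,
                "status": "Protected", "banner": True, "recorded": True}
    if mode == DISABLED:
        # Same fallback, but nothing records it: the blind spot of this mode.
        return {"connected": True, "fallback_used": True,
                "status": "Protected", "banner": True, "recorded": False}
    raise ValueError(f"unknown enforcement mode: {mode!r}")


def simulate_server(trusted_by_provided_ca, trusted_by_local_store):
    """Constructed stand-in for a real handshake. connect_with_policy always
    tries the provided-CA-only context first and the local-store context
    second, so the first call answers for the provided CA, the second for
    the local store."""
    answers = iter([trusted_by_provided_ca, trusted_by_local_store])

    def handshake(ctx):
        if not next(answers):
            raise ssl.SSLCertVerificationError("unable to get local issuer certificate")

    return handshake


if __name__ == "__main__":
    # Server chain signed by a CA that only the endpoint's local store trusts.
    for mode in (ENABLED, DISABLED_NOTIFY, DISABLED):
        print(mode, connect_with_policy(mode, simulate_server(False, True)))
```

Run it and the three lines show the same fallback being taken in every mode, with only the Disabled mode leaving no trace of it. That is the practical reason to prefer Disabled (Notify) over Disabled while migrating to a certificate the provided CA file actually signs, and to move to Enabled once the Last Certificate Enforcement Fallback column is empty.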