This section describes the new features and updates of the Cortex XDR 3.7 and Cortex XDR Agent 8.1 releases.
The Cortex XDR 3.7 and Agent 8.1 releases include the following highlights:
Security Modules
Cortex XDR introduces new prevention modules that extend detection and protection coverage. This includes:

Identity Threat Module Enhancements
Get deeper insight into threats and respond more effectively with asset role enrichments for alerts, incidents, and XQL searches in the Identity Threat Module (ITM). Cortex XDR also introduces an improved peer scoring breakdown, a clearer explanation of the current host risk score, and a global host scores view for better risk management of your assets.

High Availability Cluster for Broker VMs
To ensure high availability (HA) of the services running on the Broker VM, Cortex XDR now includes a Broker VM HA Cluster, which provides redundancy for the Broker VM components in your network. The Broker VM HA Cluster removes the single Broker VM as a single point of failure in scenarios such as hardware failure or software crashes, provides high availability and load balancing, and allows streamlined maintenance and upgrades.

Salesforce.com Data Collector (Requires a Cortex XDR Pro per GB license)
With the new native Salesforce.com integration, Cortex XDR can now ingest Salesforce Audit Trail and Security Monitoring events, such as login history and security events, which are critical for effective monitoring.

Dashboard Drilldowns (Requires a Cortex XDR Pro license)
New dashboard drilldowns provide interactive data insights when you click data points, table rows, or other visualization elements. Drilldowns can link to an XQL search, a custom URL, another dashboard, or a report. You can create drilldowns in XQL widgets.

New Broker VM Image
Cortex XDR includes a new image for the Broker VM with an updated operating system (Ubuntu 20.04).
The Cortex XDR 3.7 and Cortex XDR Agent 8.1 releases include the following enhancements:

INVESTIGATION AND RESPONSE

Identity Threat Module - Risk Score Normalization
To make the risk score of an asset in the Identity Threat Module easier to interpret, Cortex XDR now includes a risk level severity in the API. The severity categories are Low, Medium, and High, derived from analysis of the incidents in which the asset participated.

Cortex XDR Automation Enhancements
To expand the current automation capabilities of Cortex XDR:

Automatic Enrichment for Asset Role Tags in Alerts and Incidents
Cortex XDR now supports automatic enrichment of asset role tags, so that asset roles can be extracted quickly during incident response.

ENDPOINT SECURITY

Malware Security Profile Capabilities for macOS
The Local File Threat Examination security module is now available for macOS. It adds a layer of protection on macOS endpoints and can optionally quarantine malicious files and terminate malicious processes on the endpoint.

Applying BIOC Rules to Prevention
For more granular control, Cortex XDR now lets you manage detection separately from prevention when disabling a BIOC rule.

Agent Isolation (Linux)
You can now configure the agent to cancel isolation automatically if its connection to the management server is lost for a defined period of time.

Password Strength Requirement for the Agent Uninstall Password
To strengthen Cortex security measures, a password strength requirement is now enforced for the Uninstall Password in the Agent Settings profile.

FORENSICS

Triage Public API
Cortex XDR has added an API for initiating forensic triage actions.

AnyDesk Log Support for Forensics
The forensics add-on now includes two new remote access artifacts: AnyDesk Trace Logs and AnyDesk Connection Logs. These artifacts extend the ability of Cortex XDR to identify attacker infiltration and persistence within a network.
EXTERNAL DATA INGESTION AND MANAGEMENT

Data Ingestion Metrics (Requires a Cortex XDR Pro per GB license)
New metrics with improved precision for tracing data collection. These metrics are saved in the

Okta Data Collector (Requires a Cortex XDR Pro per GB license)
Additional Okta data collector event types have been added, and are now saved in the saas_audit_logs dataset.

Enhanced Event Forwarding Capability (Requires a Cortex XDR Pro license and an Event Forwarding add-on license)
A Google Pub/Sub subscription has been implemented to ensure that each forwarded file can be downloaded only once.

Parsing Rules Improved Error Reporting for Data Collection (Requires a Cortex XDR Pro per GB license)
The

NGFW Log Ingestion Enhancements (Requires a Cortex XDR Pro per GB license)
As part of the enhancements to the NGFW integration through the native Cortex XDR data lake, NGFW log ingestion was also enhanced.

Improved Monitoring and Documentation of Integration Errors (Requires a Cortex XDR Pro per GB license)
Cortex XDR now displays all API errors for data collectors on the Collection Integrations page. Each time an integration instance changes its status, an audit entry is added to the new

Run Queries on Rewarmed Data at No Additional Cost (Requires a Cortex XDR Pro license)
Cold storage queries are now faster and more efficient due to an improved data rewarm algorithm. Rewarmed data is saved in a temporary hot storage cache that is available for subsequent queries on the same time range at no additional cost.

XDR COLLECTORS (Windows 1.4.0.992 and Linux 1.4.0.907)
For more information on maintenance releases, see Maintenance Releases.

XDR Collectors Log Monitoring (Requires a Cortex XDR Pro per GB license)
To monitor the collection health of the XDR Collectors, Cortex XDR now provides an out-of-the-box template that collects log files into a designated dataset.

BROKER VM (Version 20.0.96)
For more information on maintenance releases, see Maintenance Releases.

Broker VM Configuration Import
You can now copy the configuration of a Broker VM, including applet settings, to another Broker VM. Note: Supported from Broker VM version 20.0 and later.

Broker VM Local Agent Settings Applet with 50K Agents
Each Local Agent Settings applet on the Broker VM now supports up to 50,000 agents, up from 10,000.

Timestamp Format Retrieval Value in the Database Collector Applet (Requires a Cortex XDR Pro per GB license)
You can now configure the retrieval value for a timestamp as an integer or a string. The following string timestamp formats are now supported:
CORTEX QUERY LANGUAGE (XQL)

Cortex XQL Schema Reference Guide
The Cortex XQL Schema Reference Guide has been updated to include the latest fields and field descriptions available in the xdr_data dataset.

XQL Boolean Operator (Requires a Cortex XDR Pro license)
The Cortex Query Language (XQL) now includes a new boolean operator.

XQL Function for Ordering Fields by Popularity (Requires a Cortex XDR Pro license)
Cortex Query Language (XQL) now supports a column order function with the view stage. Use it when building a query to show result rows whose fields are empty (null) last. Note: This option applies only within the Query Builder. Other XQL-based functions within the system do not support this configuration.

XQL getrole Stage for Enriching Events with Specific Roles (Requires a Cortex XDR Pro license)
Cortex Query Language (XQL) now includes a getrole stage. Note: This stage is unsupported in BIOCs and real-time Correlation Rules.

GATEWAY

Gateway Supports Viewing and Managing User Groups Across All Products
To expand the current gateway capabilities, you can now view and manage user groups across all products.

Gateway Supports Viewing and Managing RBAC Settings Across All Products
To expand the current gateway capabilities, you can now view and manage tenants and role-based access control (RBAC) settings across all products.

GENERAL

Encryption for Downloaded Files
To improve security measures, you can now configure a password for all files that the Cortex XDR agent retrieves from an endpoint during an investigation.