June 2024 - Release Notes - Cortex XDR - Cortex - Security Operations

Cortex XDR Release Notes

Product: Cortex XDR
Creation date: 2024-07-16
Last date published: 2024-10-27
Category: Release Notes

This section describes the new features and updates of the Cortex XDR 3.11 and Cortex XDR Agent 8.5 release.

The Cortex XDR 3.11 and Cortex XDR Agent 8.5 release includes the following highlights:

FEATURE

DESCRIPTION

Shellcode AI Protection Module

New Precision AI™ machine learning rules are being rolled out to prevent in-memory shellcode attacks in Windows.

Dynamic Kernel Protection Module

New protection module implemented at the kernel level, which loads during the boot process to protect against kernel-level threats like bootkits, rootkits, and susceptible drivers.

Crypto Wallet BTP Support

An update to the behavioral threat protection (BTP) rules in the Financial Malware protection module now blocks attempts to steal or manipulate cryptocurrency wallets stored on Windows and macOS hosts.

Revamped Causality Chain Interface

To enable faster and more intuitive investigations, the alert Causality Chain interface has been revamped. It now provides easier access to key information about each stage of the causality chain, improving analyst workflows.

Enterprise Multi-Tenant & MSSP Flexible License Model (Beta)

Enterprises and MSSPs that require multiple XDR tenants can now, through our Beta program, obtain their own pool of XDR licenses, which they can allocate to end customers, subsidiaries, and business units as needed, using Cortex Gateway to manage all their tenants centrally.

The Cortex XDR 3.11 and Cortex XDR Agent 8.5 release includes the following enhancements:

General


Analytics Tags Highlights

Cortex XDR has updated the detectors inventory, introducing new analytics into both new and existing tags:

  • Chromium Extensions Analytics (New) - Detection of malicious browser extensions being loaded or installed, identifying anomalous extensions and installation methods.

  • Malicious Service Analytics (New) - Detection of malicious services being loaded or installed.

  • NDR Lateral Movement Analytics - Advanced lateral movement detection, leveraging Analytics capabilities to identify anomalies in protocols that are used for lateral movement.

  • NDR C2 Analytics - Advanced detection of abnormal network communication that resembles C2 traffic, using protocol analysis, local and cross-customer machine learning, and threat intel.

Investigation and Response


Combined alerts using correlation rules (Requires a Cortex XDR Pro license)

Using the transaction stage in scheduled correlation rules, you can now group events that come from different datasets to trigger a combined alert.

Endpoint Security


Device control enhancements

Device control profiles for Windows and macOS endpoints now provide granular control for print jobs, in certain conditions.

This additional control hardens communication with these types of peripheral devices or operations.

Benign with low confidence actions

On macOS-based endpoints, new actions are available for executable files that are reported as “benign with low confidence”. This feature adds more granularity to malware detection, and provides enhanced protection against potentially malicious files.

XDR Collectors

Windows 1.4.1.1100 and Linux 1.4.1.1089

For more information on maintenance releases, see Maintenance Releases.


XDR Collectors 1.4.1

This release includes performance improvements and bug fixes.

Broker VM

Version 24.2.8

For more information on maintenance releases, see Maintenance Releases.


New ability to increase Broker VM disk size

Cortex XDR now supports extending the disk space allocated for data caching in the Broker VM to attain better resilience during network and connectivity issues. Read more in Increase Broker VM storage allocated for data caching.

External Data Ingestion and Management


Update lookup datasets using Correlation Rules

(Requires a Cortex XDR Pro license)

Cortex XDR now enables updating lookup datasets using Correlation Rules. This includes adding and removing lookup entries so you can better correlate data from a data source you provide with the events in your environment. Read more in Create a Correlation Rule.

Update lookup datasets using the API

Cortex XDR now supports using the API to update lookup datasets, which makes it easier to correlate data from your data source with the events in your environment. The following new APIs are supported:

  • add_data - Adds or updates data in a lookup dataset

  • remove_data - Removes data from a lookup dataset

  • get_data - Gets data from a lookup dataset

  • add_dataset - Adds a lookup dataset

  • delete_dataset - Deletes a dataset

  • get_datasets - Gets a list of available datasets

Cortex Query Language (XQL)


New XQL standard deviation comp aggregate functions

(Requires a Cortex XDR Pro license)

Cortex XDR now supports using the following XQL standard deviation (STD) comp aggregate functions:

  • stddev_pop: Returns the population (biased) variance of a field.

  • stddev_sample: Returns the sample (unbiased) standard deviation of a field.

Aligned XQL stages descriptions, syntax, and XQL Helper

(Requires a Cortex XDR Pro license)

The XQL query stages, syntax descriptions, and descriptions in the XQL Helper in Cortex XDR are now aligned with the descriptions found in the Cortex XDR XQL Language Reference guide. This ensures that the same information is provided in all places.

Enhancements to XQL incidr and incidr6 functions and operators

(Requires a Cortex XDR Pro license)

Cortex Query Language (XQL) now supports defining multiple CIDRs with comma-separated syntax in the following functions and operators:

  • incidr and incidr6 functions, which can now be run on comma-separated CIDRs.

  • incidr, not incidr, incidr6, and not incidr6 operators, which can now be run on comma-separated CIDRs.

Note

These changes are only supported when building an XQL query with the Query Builder or in Correlation Rules.
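As an added illustration of the comma-separated CIDR syntax described above (this is not Cortex XDR code and does not execute XQL; the field name action_remote_ip, the sample events, and the choice to report unparsable address values as "outside" are assumptions of this example), the following Python models incidr and incidr6 with the standard ipaddress module so a rule's range list can be sanity-checked offline:

```python
"""Offline model of the XQL incidr / incidr6 comma-separated CIDR syntax.

Added example only: not Cortex XDR code, and it does not execute XQL. It
reproduces the documented behaviour (one function or operator accepting
several CIDRs separated by commas) with Python's ipaddress module. The
field name action_remote_ip and the events below are constructed test data.
"""
import ipaddress
from typing import Dict, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_cidr_list(cidrs: str, version: int) -> List[IPNetwork]:
    """Split "cidr1, cidr2, ..." into network objects of one IP family.

    Whitespace around the commas is ignored. An entry that is not a valid
    CIDR, or that belongs to the other IP family, raises ValueError so a
    typo in a correlation rule fails loudly instead of silently matching
    nothing.
    """
    nets: List[IPNetwork] = []
    for raw in cidrs.split(","):
        raw = raw.strip()
        if not raw:
            continue
        net = ipaddress.ip_network(raw, strict=False)
        if net.version != version:
            raise ValueError(f"{raw} is not an IPv{version} CIDR")
        nets.append(net)
    if not nets:
        raise ValueError("CIDR list is empty")
    return nets


def _in_any(ip: str, cidrs: str, version: int) -> bool:
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # an unparsable value cannot be inside any range
    if addr.version != version:
        return False  # e.g. an IPv6 address tested against IPv4 ranges
    return any(addr in net for net in parse_cidr_list(cidrs, version))


def incidr(ip: str, cidrs: str) -> bool:
    """Model of incidr(ip, "10.0.0.0/8, 192.168.0.0/16"): True if the
    IPv4 address falls inside any of the listed networks."""
    return _in_any(ip, cidrs, 4)


def incidr6(ip: str, cidrs: str) -> bool:
    """Model of incidr6(ip, "2001:db8::/32, fd00::/8") for IPv6."""
    return _in_any(ip, cidrs, 6)


# Constructed sample events standing in for dataset rows; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"event_id": 1, "action_remote_ip": "10.20.30.40"},
    {"event_id": 2, "action_remote_ip": "203.0.113.7"},
    {"event_id": 3, "action_remote_ip": "2001:db8:1::5"},
    {"event_id": 4, "action_remote_ip": "2001:db8:ffff::9"},
    {"event_id": 5, "action_remote_ip": "2001:db9::9"},
    {"event_id": 6, "action_remote_ip": "not-an-ip"},
]


def remote_ips_outside(events, v4_cidrs: str, v6_cidrs: str) -> List[int]:
    """Roughly `| filter action_remote_ip not incidr "<v4 list>" and
    action_remote_ip not incidr6 "<v6 list>"`: return the ids of events
    whose remote address is outside every listed range. Values that do not
    parse as an address are reported as well (an assumption of this
    example, chosen because the goal is to surface traffic to unexpected
    destinations rather than to hide malformed records).
    """
    flagged: List[int] = []
    for ev in events:
        ip = str(ev["action_remote_ip"])
        try:
            version = ipaddress.ip_address(ip.strip()).version
        except ValueError:
            flagged.append(int(ev["event_id"]))
            continue
        inside = incidr(ip, v4_cidrs) if version == 4 else incidr6(ip, v6_cidrs)
        if not inside:
            flagged.append(int(ev["event_id"]))
    return flagged


if __name__ == "__main__":
    print(remote_ips_outside(SAMPLE_EVENTS,
                             "10.0.0.0/8, 192.168.0.0/16",
                             "2001:db8::/32, fd00::/8"))
```

Running the block prints the ids of the sample events whose remote address lies outside the two range lists; the strict parse_cidr_list is the part worth keeping when the list is pasted from a rule, because a mixed-family or mistyped entry then surfaces immediately rather than as a rule that never fires.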

Forensics


Support Browser Collections in Agent for macOS

Cortex XDR now supports Web History searches in Forensic Hunts. Browsers supported are Chrome, Edge, Firefox, Internet Explorer, and Safari along with custom searches for any Chromium-based browser.

The Cortex XDR 3.11 and Cortex XDR Agent 8.5 release includes the following changes to existing functionality:

COMPONENT

AREA

DESCRIPTION

Syslog server configured for Event Notification Forwarding

(Requires a Cortex XDR Pro license and Event Forwarding add-on license)

External data ingestion and data management

Cortex XDR infrastructure has been upgraded. As a result, OpenSSL versions prior to 1.1.1, which are past end of life, are no longer supported. This change relates specifically to the Syslog server configured in your environment for Event Notification Forwarding.

Going forward, OpenSSL 1.1.1 and later are supported. If your Syslog server is running an older OpenSSL version, upgrade it immediately to avoid disruptions.

filter stage

(Requires a Cortex XDR Pro license)

XQL

Cortex XDR has changed the behavior of triple double quotes in a Cortex Query Language (XQL) filter stage, with or without wildcards, such as | filter <field> = """<text>*""" or | filter <field> in ("""<text>*""", "<text>", "<text>*"). Now, when triple double quotes are used, the query returns only results that exactly match the prefix <text>, whereas previously it returned results that contain the prefix <text>. Using a single pair of double quotes with the filter stage now returns the results that contain the specified <text>. This change affects any saved queries that use this syntax, so update them to reflect the new behavior.

Email structure of forwarded alerts

Forwarded Alert Emails

When an alert is forwarded in an email, the full alert JSON file is now attached to the email rather than embedded in the email body. The email body now includes the following fields:

  • Source

  • Category

  • Action

  • Host

  • Username

  • Starred Alert

  • Excluded Alert

  • Alert ID

  • Incident ID

The attached JSON file’s content includes, with no changes, the rest of the alert information.
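Because the full alert now arrives as an attachment rather than in the body, mailbox automation that scraped the body has to change. As an added example, not Palo Alto Networks code, the following Python constructs a sample message in the described layout and parses it back; the MIME structure, the "Field: value" body formatting, the attachment filename and the JSON key names are assumptions of this example, and only the list of body fields comes from the notes above:

```python
"""Parse a forwarded alert email whose full alert JSON is an attachment.

Added example, not Palo Alto Networks code. The MIME layout (text/plain
body of "Field: value" lines plus one application/json attachment), the
attachment filename and the JSON keys are assumptions used to exercise the
parser; only the list of body fields comes from the release notes.
"""
import json
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, Optional

# Body fields listed in the release notes for the new email format.
BODY_FIELDS = [
    "Source", "Category", "Action", "Host", "Username",
    "Starred Alert", "Excluded Alert", "Alert ID", "Incident ID",
]


def build_sample_email() -> bytes:
    """Construct a sample forwarded alert (constructed data, not a real alert)."""
    alert = {  # assumed key names; the real attachment schema is not on the page
        "alert_id": "12345",
        "incident_id": "678",
        "source": "XDR Agent",
        "category": "Malware",
        "action": "Prevented",
        "host_name": "WS-EXAMPLE-01",
        "user_name": "EXAMPLE\\jdoe",
        "description": "Constructed sample alert for parser testing",
    }
    body = {
        "Source": alert["source"], "Category": alert["category"],
        "Action": alert["action"], "Host": alert["host_name"],
        "Username": alert["user_name"], "Starred Alert": "No",
        "Excluded Alert": "No", "Alert ID": alert["alert_id"],
        "Incident ID": alert["incident_id"],
    }
    msg = EmailMessage()
    msg["Subject"] = "Cortex XDR alert 12345"
    msg["From"] = "xdr-noreply@example.invalid"
    msg["To"] = "soc@example.invalid"
    msg.set_content("\n".join(f"{k}: {body[k]}" for k in BODY_FIELDS))
    msg.add_attachment(
        json.dumps(alert, indent=2).encode("utf-8"),
        maintype="application", subtype="json",
        filename="alert_12345.json",
    )
    return bytes(msg)


def parse_forwarded_alert(raw: bytes) -> Dict[str, object]:
    """Return the summary fields from the body and the full alert from the
    JSON attachment, plus a flag saying whether the two agree."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    fields: Dict[str, str] = {}
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        for line in body.get_content().splitlines():
            name, sep, value = line.partition(":")
            if sep and name.strip() in BODY_FIELDS:
                fields[name.strip()] = value.strip()

    alert: Optional[dict] = None
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/json":
            alert = json.loads(part.get_payload(decode=True).decode("utf-8"))
            break  # the notes describe a single JSON attachment

    # Cheap integrity check: the body summary and the attachment must agree
    # on the alert id before anything downstream acts on either of them.
    consistent = alert is not None and fields.get("Alert ID") == str(alert.get("alert_id"))
    return {"body_fields": fields, "alert": alert, "consistent": consistent}


if __name__ == "__main__":
    print(json.dumps(parse_forwarded_alert(build_sample_email()), indent=2))
```

The parser deliberately takes the alert id from both places and compares them: the body summary is convenient for routing, but the attachment is the record the notes say is unchanged, so a ticketing or SOAR hook should key off the JSON and treat a disagreement as a malformed message.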