This section describes the new features and updates of the Cortex XDR 3.11 and Cortex XDR Agent 8.5 release.
The Cortex XDR 3.11 and Cortex XDR Agent 8.5 release includes the following highlights:
FEATURE | DESCRIPTION |
---|---|
Shellcode AI Protection Module | New Precision AI™ machine learning rules are being rolled out to prevent in-memory shellcode attacks in Windows. |
Dynamic Kernel Protection Module | New protection module implemented at the kernel level, which loads during the boot process to protect against kernel-level threats like bootkits, rootkits, and susceptible drivers. |
Crypto Wallet BTP Support | An update to the behavioral threat protection (BTP) rules in the Financial Malware protection module now prevents attackers from stealing or manipulating cryptocurrency wallets stored on Windows and macOS hosts. |
Revamped Causality Chain Interface | To enable faster and more intuitive investigations, the alert Causality Chain interface has been revamped. It now provides easier access to key information about each stage of the causality chain, improving analyst workflows. |
Enterprise Multi-Tenant & MSSP Flexible License Model (Beta) | Enterprises and MSSPs who require multiple XDR tenants now have access, through our Beta program, to their own pool of XDR licenses which they can allocate to end-customers, subsidiaries, and business units as needed, using Cortex Gateway for central management of all their tenants. |
The Cortex XDR 3.11 and Cortex XDR Agent 8.5 release includes the following enhancements:
General
FEATURE | DESCRIPTION |
---|---|
Analytics Tags Highlights | Cortex XDR has updated the detectors inventory, introducing new analytics into both new and existing tags: |
Investigation and Response
FEATURE | DESCRIPTION |
---|---|
Combined alerts using correlation rules (Requires a Cortex XDR Pro license) | Using the |
Endpoint Security
FEATURE | DESCRIPTION |
---|---|
Device control enhancements | Device control profiles for Windows and macOS endpoints now provide granular control for print jobs, in certain conditions. This additional control hardens communication with these types of peripheral devices or operations. |
Benign with low confidence actions | On macOS-based endpoints, new actions are available for executable files that are reported as “benign with low confidence”. This feature adds more granularity to malware detection, and provides enhanced protection against potentially malicious files. |
XDR Collectors
Windows 1.4.1.1100 and Linux 1.4.1.1089
For more information on maintenance releases, see Maintenance Releases.
FEATURE | DESCRIPTION |
---|---|
XDR Collectors 1.4.1 | This release includes performance improvements and bug fixes. |
Broker VM
Version 24.2.8
For more information on maintenance releases, see Maintenance Releases.
FEATURE | DESCRIPTION |
---|---|
New ability to increase Broker VM disk size | Cortex XDR now supports extending the disk space allocated for data caching in the Broker VM to attain better resilience during network and connectivity issues. Read more in Increase Broker VM storage allocated for data caching. |
External Data Ingestion and Management
FEATURE | DESCRIPTION |
---|---|
Update lookup datasets using Correlation Rules (Requires a Cortex XDR Pro license) | Cortex XDR now enables updating lookup datasets using Correlation Rules. This includes adding and removing lookup entries so you can better correlate data from a data source you provide with the events in your environment. Read more in Create a Correlation Rule. |
Update lookup datasets using the API | Cortex XDR now supports using the API to update lookup datasets, which makes it easier to correlate data from the data source with the events in your environment. The following new APIs are supported: |
Cortex Query Language (XQL)
FEATURE | DESCRIPTION |
---|---|
New XQL standard deviation comp aggregate functions (Requires a Cortex XDR Pro license) | Cortex XDR now supports using the following XQL standard deviation (STD) comp aggregate functions: |
Aligned XQL stages descriptions, syntax, and XQL Helper (Requires a Cortex XDR Pro license) | The XQL query stages, syntax descriptions, and descriptions in the XQL Helper in Cortex XDR are now aligned with the descriptions found in the Cortex XDR XQL Language Reference guide. This ensures that the same information is provided in all places. |
Enhancements to XQL (Requires a Cortex XDR Pro license) | Cortex Query Language (XQL) now supports defining multiple CIDRs with comma-separated syntax in the following functions and operators: Note: These changes are only supported when building an XQL query with the Query Builder or in Correlation Rules. |
Forensics
FEATURE | DESCRIPTION |
---|---|
Support Browser Collections in Agent for macOS | Cortex XDR now supports Web History searches in Forensic Hunts. Browsers supported are Chrome, Edge, Firefox, Internet Explorer, and Safari along with custom searches for any Chromium-based browser. |
The Cortex XDR 3.11 and Cortex XDR Agent 8.5 release includes the following changes to existing functionality:
COMPONENT | AREA | DESCRIPTION |
---|---|---|
Syslog server configured for Event Notification Forwarding (Requires a Cortex XDR Pro license and Event Forwarding add-on license) | External data ingestion and data management | The Cortex XDR infrastructure has been upgraded. As a result, end-of-life OpenSSL versions prior to 1.1.1 are no longer supported. This change relates specifically to the Syslog server configured in your environment for Event Notification Forwarding. Going forward, OpenSSL 1.1.1 and later are supported. If your Syslog server is running an older OpenSSL version, upgrade it immediately to avoid disruptions. |
filter stage (Requires a Cortex XDR Pro license) | XQL | Cortex XDR has changed the behavior of using triple double quotes in a Cortex Query Language (XQL) |
Email structure of forwarded alerts | Forwarded Alert Emails | When an alert is forwarded in an email, the full alert JSON file is now attached to the email rather than embedded inside the email body. The email body now includes the following fields: The attached JSON file's content includes, with no changes, the rest of the alert information. |
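The OpenSSL change above means each Syslog server that receives Event Notification Forwarding needs to be running OpenSSL 1.1.1 or later before the TLS connection from Cortex XDR will keep working. The following script is an added example written for this page, not Palo Alto Networks code from the release notes; it assumes the Syslog server is a Unix-like host with the `openssl` command-line tool on the PATH, and it parses the banner that `openssl version` prints so the same check works for 1.x and 3.x builds.

```shell
#!/bin/sh
# Added example (not from the Cortex XDR release notes): verify that the
# Syslog server's OpenSSL is 1.1.1 or later, the minimum the notes state is
# still supported for Event Notification Forwarding.

# openssl_supported BANNER
#   Returns 0 when BANNER describes OpenSSL 1.1.1 or later, 1 when it is
#   older, and 2 when the banner is not recognized. BANNER may be the raw
#   output of "openssl version" (e.g. "OpenSSL 1.1.1w  11 Sep 2023" or
#   "OpenSSL 3.0.13 30 Jan 2024") or a bare version such as "1.0.2u".
openssl_supported() {
    banner=$1
    # Keep only the leading numeric version: "1.1.1w" -> "1.1.1".
    ver=$(printf '%s' "$banner" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*\).*/\2/p')
    [ -n "$ver" ] || return 2
    # Split into major/minor/patch; pad with ".0.0" so "3.0" still yields
    # three fields. Only digits are present, so word splitting is safe.
    set -- $(printf '%s.0.0' "$ver" | tr '.' ' ')
    major=$1 minor=$2 patch=$3
    # Anything below 1.1.1 (0.9.x, 1.0.x, 1.1.0) is out of support.
    if [ "$major" -ne 1 ]; then
        [ "$major" -gt 1 ]
    elif [ "$minor" -ne 1 ]; then
        [ "$minor" -gt 1 ]
    else
        [ "$patch" -ge 1 ]
    fi
}

# check_local_openssl
#   Runs the check against the OpenSSL installed on this host and prints a
#   one-line verdict. Exit status 0 = supported, 1 = upgrade required,
#   2 = openssl missing or banner unrecognized.
check_local_openssl() {
    banner=$(openssl version 2>/dev/null) || { echo "openssl CLI not found"; return 2; }
    if openssl_supported "$banner"; then
        echo "OK: $banner (1.1.1 or later)"
        return 0
    elif [ $? -eq 2 ]; then
        echo "UNRECOGNIZED: $banner"
        return 2
    else
        echo "UPGRADE REQUIRED: $banner is older than OpenSSL 1.1.1"
        return 1
    fi
}

# Run the local check only when invoked as: sh check_openssl.sh --check
[ "${1:-}" = "--check" ] && check_local_openssl
```

Run it with `--check` on each Syslog server that Cortex XDR forwards to; a non-zero exit status can be fed into whatever configuration-compliance job you already run, so a host that still carries 1.0.2 is flagged before the forwarding connection starts failing rather than after. Note that the banner parse deliberately stops at the first letter suffix (`1.1.1w`), since OpenSSL letter releases are patch updates within the same minor line.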