September 2024 - Release Notes - Cortex XDR - Cortex - Security Operations

Cortex XDR Release Notes

Product
Cortex XDR
Creation date
2024-07-16
Last date published
2024-10-27
Category
Release Notes

This section describes the new features and updates of the Cortex XDR 3.12 and Cortex XDR Agent 8.6 release.

The Cortex XDR 3.12 and Cortex XDR Agent 8.6 release includes the following highlights:

FEATURE

DESCRIPTION

New Enterprise Multi-Tenant & MSSP licensing model

Introducing a new Enterprise Multi-Tenancy and Managed Security Service Providers (MSSPs) licensing model for Cortex XDR, streamlining the license management and monetization of child tenants.

The new license allows MSSPs to own and manage child tenants on demand directly from the Gateway, in addition to the existing MSSP model.

For Enterprise Multi-Tenancy administrators, the model provides a productized data segregation solution, offering greater flexibility when managing different business units.

Enhanced Palo Alto Networks NGFW integration process

To streamline Palo Alto Networks NGFW integrations, Cortex XDR now supports onboarding NGFWs from multiple Customer Support Portal (CSP) accounts.

Customers with multiple accounts can connect all of them to a single Cortex tenant, so that their firewall data is complete and the capabilities of the native collector apply to every device.

Windows support for Cortex XDR agent for Cloud

The Prisma Cloud vulnerability and compliance scanner integrated with the Cortex XDR agent now forms a single unified agent on Windows, providing runtime protection together with vulnerability and compliance scanning, matching the functionality already available on Linux-based operating systems.

Security alerts and vulnerability data from the Windows Cortex XDR agent are forwarded to and displayed in the Prisma console without any special configuration, giving one view of cloud security management across both platforms.

AI-powered PowerShell examination

AI-based PowerShell script examination is now available in the Windows Malware Profile as part of our local analysis, providing additional security measures and flexibility to block, quarantine, or report malicious files.

Streamlined control over Linux operational mode

The Agent Operation Mode setting in the Linux Agent Settings Profile is available now, enabling administrators to select a Userspace fallback mode when Kernel Mode is unavailable.

This fallback mode allows administrators to balance performance and stability according to their needs while enhancing customization and control over agent operations.

The Cortex XDR 3.12 and Cortex XDR Agent 8.6 release includes the following enhancements:

General

FEATURE

DESCRIPTION

Export and Import Correlation Rules, Dashboards, and Report Templates

You can now export and import correlation rules, dashboards, and report templates in a JSON format through the user interface. Easily transfer configurations between different environments, whether for onboarding, migration, backup, or sharing.

Generic Persistence Analytics

Cortex XDR introduces advanced analytics-based generic detection suites to trigger alerts for start-up persistence techniques used by threat actors. These suites can point to the abused persistence mechanism and aid in the hunt for novel persistence techniques by identifying anomalous process execution on startup.

Analytics Tags Highlights

Cortex XDR has updated the detectors inventory, introducing new analytics into both new and existing tags.

  • Cloud Lateral Movement Analytics: Detects abnormal usage patterns of cloud-native services and capabilities, identifying techniques attackers use to move laterally within a cloud environment after initial access.

  • Cloud Serverless Function Credentials Theft Analytics: Detects attempts to use stolen credentials from cloud serverless functions, identifying unusual usage patterns to prevent unauthorized access and malicious activities within the cloud environment.

  • NDR SSH Analytics (new): Detects SSH anomalies using enhanced application logging and Analytics capabilities to identify techniques used by attackers for lateral movement.

  • NDR FTP Analytics (new): Detects FTP anomalies using enhanced application logging and Analytics capabilities to identify techniques used by attackers for authentication and impersonation.

  • LDAP Analytics (Server): Detects abnormal LDAP activity on domain controllers, identifying Active Directory enumeration attempts and potential attacks targeting directory services.

  • LDAP Analytics (Client): Detects abnormal LDAP activity on client machines, identifying suspicious queries and potential Active Directory enumeration attacks.

  • LDAP Analytics: Detects abnormal LDAP activity to identify Active Directory enumeration and potential attacks.

  • Honey User Analytics: Detects interactions with accounts tagged as decoy honey users, accounts crafted to appear legitimate, designed to lure attackers and expose malicious activity.

  • Okta Audit Analytics: Detects unusual audit activity within Okta to prevent unauthorized access, suspicious actions, and potential security misconfigurations.

  • O365 DLP Analytics: Detects activity involving DLP-sensitive data within Microsoft Office 365 to detect data leaks and unauthorized access to sensitive information.

In-product support case

Cortex XDR now attaches the license JSON file when creating in-product support cases, streamlining the support process for efficient handling of licensing-related issues.

New search field on the Configurations page

A new search field on the Configurations page provides a fast and easy search of your configuration options.

Investigation and response

FEATURE

DESCRIPTION

Cortex XDR auditing

Cortex XDR now enables you to audit and query Cortex authentication logs and activity logs, using Auth and SaaS stories respectively, to track and trigger alerts about attacks that target Cortex XDR.

Detection rules

FEATURE

DESCRIPTION

Enhanced preconfigured alert fields mapping in Correlation Rules

Cortex XDR has improved the preconfigured alert field mappings shown in the Alerts Fields Mapping section when you create or edit a Correlation Rule: each preconfigured field that is mapped automatically is now clearly presented in the user interface.

New Honey User asset role

Cortex XDR introduces a new asset role, Honey User, to help detect intrusion and exploitation attempts in your network. A Honey User is a decoy account that looks attractive to an attacker, for example by appearing to have access to many assets, but that no legitimate user or process should ever use. Assign the Honey User asset role to such accounts so that any attempt to use their credentials triggers an alert.

Endpoint security

FEATURE

DESCRIPTION

Device control enhancements

Device control profiles for Windows endpoints now provide granular control for both Classic Bluetooth and Bluetooth Low Energy (BLE) devices. Permanent and temporary exceptions can also be configured. This additional control hardens communication with these types of peripheral devices.

Device control violation notifications

Under the User Interface settings, device control violation notifications may be disabled or enabled on endpoints running agent version 8.6 and above. Notifications displayed on the agent are enabled by default.

New exception configuration - Disable Prevention and Injection

Cortex XDR has added the 'Disable Prevention and Injection' exception configuration, which lets you quickly address issues with a specific process. A temporary exception rule excludes the process from the agent's prevention modules and from agent injection into that process. Data collection continues, so alerts derived from collected data are still generated.

XDR Collectors

Windows 1.4.2.1373 and Linux 1.4.2.1302

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

XDR Collectors 1.4.2

This release includes performance improvements and bug fixes.

Broker VM

Version 25.0.44 (reboot required)

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

Broker VM 25.0.44

This release includes performance improvements and bug fixes.

External data ingestion and management

FEATURE

DESCRIPTION

Improved handling of NGFW log ingestion in CEF format

Palo Alto Networks NGFW logs ingested in CEF format through the Syslog collector now receive protection, out-of-the-box data modeling, and analytics comparable to logs ingested through Strata Logging Service (SLS). Use this ingestion path when NGFW devices are in locations that SLS does not support, or when log volume makes forwarding to SLS impractical for the available bandwidth.
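Before pointing the Syslog collector at a firewall, it is worth confirming what the device actually emits: that the seven header fields are present and that pipes and equals signs are escaped as CEF requires. The parser below is an added example, not code from this page or from Palo Alto Networks; the sample line is constructed to resemble a PAN-OS threat log and is not captured from a device.

```python
"""Minimal CEF parser: splits the pipe-delimited header (honouring the \| escape)
and the key=value extension block (honouring the \= escape).
Added example; the sample line is constructed, not real firewall output."""
import re

# Constructed sample. "\|" inside the Name header field and "\=" inside the
# request value are the CEF escapes the parser must handle.
SAMPLE_CEF = (
    r"CEF:0|Palo Alto Networks|PAN-OS|10.2|threat|Threat Log \| test|5|"
    r"rt=1725000000000 src=10.1.2.3 dst=198.51.100.7 spt=51544 dpt=443 "
    r"request=https://example.test/login?next\=/admin act=alert cat=vulnerability"
)

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")                 # pipe not preceded by backslash
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")        # "key=" at start or after whitespace


def _unescape_header(s: str) -> str:
    return re.sub(r"\\([\\|])", r"\1", s)


def _unescape_ext(s: str) -> str:
    # CEF also allows \n and \r in extension values; not needed for this sample.
    return re.sub(r"\\([\\=])", r"\1", s)


def parse_cef(line: str) -> dict:
    """Return {"header": {...}, "extension": {...}} or raise ValueError."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields plus an extension")
    header = {n: _unescape_header(p) for n, p in zip(HEADER_FIELDS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]

    # Extension values may contain spaces, so locate every unescaped "key="
    # and take the text up to the next key as the value.
    ext_raw = parts[7]
    ext = {}
    keys = list(_KEY_RE.finditer(ext_raw))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_raw)
        ext[m.group(1)] = _unescape_ext(ext_raw[m.end():end].strip())
    return {"header": header, "extension": ext}


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_CEF)
    print(parsed["header"]["name"], parsed["extension"]["request"])
```

A line that fails here (wrong field count, unescaped pipes in the Name field) will also map poorly once ingested, so run a few real lines from each firewall through a check like this before relying on the out-of-the-box data model.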

Improved email ingestion flows for GSuite

Enhanced Gmail collection now gathers mail from a specified list of email addresses instead of from a compliance mailbox, so you can collect only the subset of mailboxes or distribution lists that matters in your environment.

Improved email ingestion flows for Microsoft 365

The new Microsoft 365 (formerly Office 365) email collector provides easy set up. Emails are fetched through the API, using an authorized app in your Microsoft Azure tenant, so that a compliance mailbox is no longer required.

Cortex Query Language (XQL)

FEATURE

DESCRIPTION

New XQL windowcomp stage and functions

(Requires a Cortex XDR Pro license)

Cortex Query Language (XQL) now supports a windowcomp stage for window functions. Unlike an aggregation that collapses each group to a single row, a window function computes its value over a group of related rows (the window) and returns a result for every row in that group. The stage includes the following families of functions:

  • Numbering functions, such as rank and row_number

  • Navigation functions, such as first_value and last_value

  • Statistical aggregate functions, such as stddev_sample and stddev_population

  • Aggregate functions, such as avg and sum

Read more in windowcomp.
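To make the per-row behaviour concrete, here is the same kind of computation in plain Python over a constructed table of process-start counts. This is an added illustration, not XQL and not product code: every input row is kept and gains rank, row_number, first_value, last_value and avg computed within its partition, whereas an aggregate would return one row per host.

```python
"""Window-function semantics (rank, row_number, first_value, last_value, avg)
over constructed rows, partitioned by host and ordered by count.
Added example; the rows are made up, not real telemetry."""
from collections import defaultdict

# Constructed sample rows: process starts per host.
ROWS = [
    {"host": "ws01", "process": "powershell.exe", "count": 40},
    {"host": "ws01", "process": "cmd.exe",        "count": 12},
    {"host": "ws01", "process": "mshta.exe",      "count": 12},
    {"host": "ws02", "process": "cmd.exe",        "count": 3},
    {"host": "ws02", "process": "certutil.exe",   "count": 7},
]


def windowcomp(rows, by, sort_key, desc=False):
    """Partition rows by `by`, order each partition by `sort_key`, and attach
    window values to every row. Output length equals input length."""
    partitions = defaultdict(list)
    for r in rows:
        partitions[r[by]].append(r)
    out = []
    for part in partitions.values():
        ordered = sorted(part, key=lambda r: r[sort_key], reverse=desc)  # stable sort
        avg = sum(r[sort_key] for r in ordered) / len(ordered)
        first, last = ordered[0][sort_key], ordered[-1][sort_key]
        rank = 0
        for i, r in enumerate(ordered):
            # rank: tied values share a rank and the following rank is skipped;
            # row_number: strictly 1..n, ties broken by input order.
            if i == 0 or r[sort_key] != ordered[i - 1][sort_key]:
                rank = i + 1
            out.append({**r, "rank": rank, "row_number": i + 1,
                        "first_value": first, "last_value": last, "avg": avg})
    return out


def top_n_per_partition(rows, by, sort_key, n):
    """The usual hunting pattern: the n most frequent processes on each host,
    which needs a per-row number rather than a per-group aggregate."""
    return [r for r in windowcomp(rows, by, sort_key, desc=True)
            if r["row_number"] <= n]


if __name__ == "__main__":
    for r in windowcomp(ROWS, "host", "count", desc=True):
        print(r)
```

The distinction between rank and row_number matters when you filter on the result: with two processes tied at 12 starts on ws01, rank leaves both at 2, while row_number picks one of them as 2 and the other as 3.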

New XQL array_any and array_all functions

(Requires a Cortex XDR Pro license)

Cortex Query Language (XQL) now supports the following new array functions:

  • array_any: Returns true when at least one element of the array satisfies the condition given for the array element. Read more in array_any.

  • array_all: Returns true when every element of the array satisfies the condition given for the array element. Read more in array_all.

API

FEATURE

DESCRIPTION

XQL query quotas

New return fields in /public_api/v1/xql/get_quota increase visibility of XQL query quotas for XQL queries run using the public API.
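A practical use of this endpoint is a pre-flight check before a batch of scheduled API queries, so that quota exhaustion is found before the queries are submitted rather than from a failed start. The client below is an added example, not the page's or Palo Alto Networks' code: the endpoint path is the one named above and the advanced-API-key header scheme is the documented one, but the tenant host name form, the request body shape and the reply field names are assumptions to be checked against your own tenant's reply.

```python
"""Pre-flight XQL quota check against the Cortex XDR public API.
Added example. Endpoint path: from the release note. Advanced-API-key headers:
documented scheme. Host name form, body shape and reply field names: assumed."""
import hashlib
import json
import secrets
import time
import urllib.request
from typing import Optional


def build_auth_headers(api_key_id: str, api_key: str,
                       nonce: Optional[str] = None,
                       timestamp_ms: Optional[int] = None) -> dict:
    """Headers for an advanced API key: Authorization carries
    sha256(api_key + nonce + timestamp), so the raw key is never sent and a
    captured request cannot be replayed once its timestamp is stale."""
    nonce = nonce or secrets.token_hex(32)              # 64 random hex characters
    timestamp_ms = timestamp_ms or int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def fetch_quota(api_fqdn: str, api_key_id: str, api_key: str, timeout: float = 10.0) -> dict:
    """POST /public_api/v1/xql/get_quota. api_fqdn is the tenant's API host
    (assumed form: api-<tenant>.xdr.<region>.paloaltonetworks.com); the empty
    request_data body follows the convention of the other XQL endpoints (assumed)."""
    req = urllib.request.Request(
        f"https://{api_fqdn}/public_api/v1/xql/get_quota",
        data=json.dumps({"request_data": {}}).encode(),
        method="POST",
        headers=build_auth_headers(api_key_id, api_key),
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def quota_remaining(reply: dict) -> int:
    """Remaining units from a get_quota reply. Field names are assumed for
    illustration; verify them against a real reply from your tenant."""
    q = reply["reply"]
    granted = int(q.get("license_quota", 0)) + int(q.get("additional_purchased_quota", 0))
    return granted - int(q.get("used_quota", 0))


def can_afford(reply: dict, estimated_units: int) -> bool:
    """Gate a batch of API queries on what is left."""
    return quota_remaining(reply) >= estimated_units


# Constructed reply used to exercise the check offline; not a real API response.
SAMPLE_REPLY = {"reply": {"license_quota": 1000,
                          "additional_purchased_quota": 200,
                          "used_quota": 1150}}

if __name__ == "__main__":
    print("remaining units:", quota_remaining(SAMPLE_REPLY))   # 50
```

Keep the API key out of the process environment of shared hosts and prefer the advanced key type: with a standard key the secret itself travels in the Authorization header on every call.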

The Cortex XDR 3.12 and Cortex XDR Agent 8.6 release includes the following changes to existing functionality:

COMPONENT

AREA

DESCRIPTION

Top Incidents widget

Widget Library

The Top Incidents widget has been renamed to Top Open Incidents. This widget appears on the Incident Management dashboard.