April 2025 - Release Notes - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Release Notes

Product: Cortex XSIAM
Creation date: 2025-09-18
Last date published: 2025-11-23
Category: Release Notes

This section describes the new features and updates of the Cortex XSIAM 3.1 release.

The Cortex XSIAM 3.1 release includes the following highlights:

FEATURE

DESCRIPTION

Cross-region support in multi-tenant architectures

Cross-region tenant pairing enables multi-tenant organizations to pair their parent and child tenants across different geographic regions, providing enhanced visibility and control for distributed security operations. To enable this capability, please contact your Palo Alto Networks account team.

AI Detection & Response (Beta)

Gain visibility into usage of AI/ML in the cloud using a new dedicated dashboard that also presents related issues and cases. New detectors analyze cloud audit logs from AWS, Azure, and GCP to find AI-specific threats.

New and enhanced dashboard visuals and capabilities

The latest batch of enhancements introduces multiple new and updated widgets and controls—including single-click multi-column and multi-line charts—making it easier to visualize, organize, compare, and filter data, and quickly turn your data into actionable insights.

Ingest data into Cortex XSIAM using Cribl Stream (Beta)

A new integration offers XSIAM customers an option to leverage Cribl for data pipeline management, delivering a seamless experience and simplifying data onboarding for Cribl customers.

New Graph Search in Query Builder (Beta)

(Requires the Cortex XSIAM Premium license or the Cortex Cloud Posture Management add-on)

Drive SecOps convergence and improve threat detection and response with a new Graph Search feature embedded in the Query Builder. Graph Search provides an interactive and visually intuitive way to map out and explore the full stack of an organization’s posture and the associated risks it drives. This enables security teams, from code to cloud to SOC, to more efficiently understand attack paths, discover hidden risks, and make informed decisions in less time, leading to improved security posture and operational efficiency.

The Cortex XSIAM 3.1 release includes the following enhancements.

General


Egress configuration additions for onboarding

Improved egress configuration in the Cortex Gateway now allows users to request and approve outbound connections during the onboarding process, streamlining setup and reducing pre-configuration requirements.

Enhanced AI case searches with Cortex Copilot

Cortex Copilot now supports the case entity. This simplifies case investigation and remediation by providing you with the most relevant incident information together with Cortex Copilot's recommendations for investigation and response.

Expanded visibility into the Asset Inventory

Gain comprehensive visibility with the newly enhanced Asset Inventory, which now features an updated look and a streamlined interface. Manage all your assets, including enterprise, multi-cloud, code, and external surface assets, in one centralized location.

Vulnerability management enhancements

(Requires a Cortex XSIAM Premium license, or the ASM or Cortex Cloud Posture Management add-on)

  • Vulnerability fix dates: Vulnerability Intelligence now includes a fix date for each vulnerability.

  • Base Image Filtering: Filter and exclude vulnerabilities found in base images in issues, dashboards, reports, and policies.

  • New dashboard widgets: New time-based and content-based filters, and new widgets for vulnerable base images and packages.

Investigation and response


New Cortex Command Center

(Requires a Cortex XSIAM Premium license)

Gain complete visibility across your cloud and enterprise assets with the new Cortex Command Center—a unified view that integrates cloud security and SOC insights to identify posture risks and runtime threats across your environment. With a comprehensive breakdown of assets by class, provider, and region, you can easily assess each asset's posture and security status, and uncover blind spots.

Simplified automation workflow and management

Experience an enhanced and simplified automation workflow from the new overhauled Playbooks page, allowing fast and easy automation implementation and management:

  • Manage the entire automation development flow from within the playbook editor, including creating and editing tasks, configuring Automation Rules to trigger the playbook, and setting up all relevant integrations.

  • Discover automation opportunities for your SOC with the new Playbook Catalog that includes all of Cortex's available out-of-the-box playbooks, including a visual preview and description of every playbook. From the Playbook Catalog, you can adopt playbooks for use in your organization.

  • Easily view and access playbooks used in your organization, represented in the new "Org Playbooks" list.

  • Playbook triggers are replaced by Automation Rules, which now enable you to trigger not only playbooks but also Quick Actions to run a single command, such as isolating an endpoint, making it easier to provide a targeted response to incoming issues.

Quick Actions

Quick Actions are single commands that require minimal configuration and are tailored to the needs of specific modules. They can now be added to playbooks, triggered by Automation Rules, or run manually on one or more issues, enabling rapid and efficient response.

Third-party issue backlink support

Once this feature is configured, when alerts from a third-party vendor are reported to Cortex XSIAM you can pivot from the Issues page directly to the relevant context in the third-party reporting system at the click of a button.

Automated script triggers for issue field updates

Automatically trigger scripts to run whenever an issue field is updated, enhancing automation and efficiency.

Disable automatic indicator extraction and enrichment

(Requires a Threat Intel Management (TIM) Add-on)

You can now choose whether to disable automatic indicator extraction from issue fields. Disabling automatic extraction can prevent redundant extraction and enrichment, improve performance, and reduce the use of API calls to third-party services, enabling better quota management. Automatic indicator extraction and enrichment can be enabled and disabled in the Server Settings.

Detection rules


Granular exception handling with automated recommendations

Enhanced exception capabilities allow you to define precise exceptions for a specific scenario, or to leverage Cortex XSIAM’s automated recommendations, ensuring smoother operations without compromising on security.

New analytics suites

Cortex XSIAM has introduced the following new advanced Analytics detection suites:

  • Webshell Analytics: Detects webshells being installed and executed.

  • Microsoft SCCM Analytics: Detects unusual or suspicious activity within Microsoft System Center Configuration Manager (SCCM) environments.

  • Active Directory Certificate Services Analytics: Detects anomalous behavior within Active Directory Certificate Services (AD CS).

  • Cloud Data Asset Analytics: Detects anomalous behavior involving data assets, such as public exposure, exfiltration, protection tampering, configuration changes, and disaster recovery risks.

Endpoint security


VBScript file examination module

(Requires a Cortex XSIAM Premium or Cortex XSIAM Enterprise license)

Strengthens defense against advanced threats with an ML-based protection model for the XDR agent on Windows that detects and prevents adversary techniques that use VBScript files, at the execution stage.

XDR Collectors

XDR Collectors 1.5.0: Windows 1.5.0.1733 and Linux 1.5.0.1695

XDR Collectors 1.4.3: Windows 1.4.3.1686

For more information on maintenance releases, see Maintenance releases.


XDR Collectors 1.5.0 and 1.4.3

This release includes performance improvements and bug fixes.

Broker VM

Version 27.0.47 (reboot required)

For more information on maintenance releases, see Maintenance releases.


Broker VM 27.0.47

This release includes performance improvements and bug fixes.

Cortex Query Language (XQL)


Enhanced XQL time picker

When building Cortex Query Language (XQL) queries, the time picker now includes:

  • Additional time range options to easily select from, such as last 5 minutes and last 3 hours.

  • Recently used selections from your previous queries.

XQL auto-suggestion improvements

When creating a Cortex Query Language (XQL) query, you can now:

  • Use the up and down arrow keys to navigate through the auto-suggestion commands and definitions.

  • Select an auto-suggestion command by pressing either the Enter or Tab key.

  • Press Shift+Enter to add a new line, and easily ignore the auto-suggestion output.

  • Close the auto-suggestion output by pressing the Esc key.

New datasets for XQL queries

New customers can leverage XQL for flexible and adjustable indicator, playbook, and script tracking. The following datasets are available for querying and dashboards:

  • Playbook tasks (playbook_tasks)

  • Playbook runs (playbook_runs)

  • Scripts and commands metrics (scripts_and_commands_metrics)

  • For TIM customers - Indicators (indicators)

  • For TIM customers - Indicator relationships (indicator_relationships)

Dashboards


New widget capabilities

Dashboard and report widgets are enhanced with the following new capabilities:

  • Create dynamic widgets for more complex calculations using new script widgets.

  • Format your text using Markdown with the Free Text and Script widgets.

  • Present time and duration-based results in your widgets with new time fields in the widget chart editor.

  • Refresh individual widgets on demand, while gaining visibility with an improved last updated status.

New XQL series-based graph results in widgets

Custom Cortex Query Language (XQL) widget creation now supports the Series parameter in the Chart Editor. This parameter lets you specify a field (column) to group data by, so the widget can visualize the distribution of field values or compare category trends over time. The Series parameter is also integrated into the view graph type stage.

API


ASM asset removal API

(Requires the ASM add-on)

Manage your external surface inventory more efficiently with a new API that enables you to remove external IP address ranges, paid-level domains, subdomains, and certificates from your inventory, as needed.

API Security


Real-time API threat detection and prevention with Cortex XDR agent

(Requires a Cortex XSIAM Premium or Cortex XSIAM Enterprise license)

The Cortex XDR agent can now detect and block malicious API requests and risky API responses in real time, and provides continuous endpoint monitoring and protection against malicious event chains.

Attack Surface Management

Requires the ASM add-on.


CISA KEV vulnerability testing

Attack surface tests are now available for all CISA KEV CVEs that are externally detectable, do not require authentication, and can be exploited without any risks to the availability or integrity of the running application.

This totals over 260 different vulnerabilities known to be actively exploited in the wild, 190 of which have a CVSS score of 9.0 or higher. As with all Attack Surface Tests, these checks perform full benign exploitation of a given vulnerability to produce confirmations of exploitation with near certainty.

Default credential testing

Introducing 40+ new attack surface tests focused on the detection of applications leveraging manufacturer default credentials. These tests include checks for default credentials on a number of business operations systems as well as IT and networking devices.

Operating system identification

Cortex XSIAM now supports fingerprinting the operating system and version details of internet-facing applications, across multiple different operating systems.

Vulnerability findings for high confidence inferred CVEs

Cortex XSIAM will now generate findings for high-confidence CVE inferences based on exact version matches between a CVE and the software observed on an ASM-discovered service.

ASM asset context in issue details

ASM asset context is now available on the details panel for ASM issues.

The Cortex XSIAM 3.1 release includes the following changes to existing functionality:

COMPONENT

AREA

DESCRIPTION

Cortex XDR agent

Installation packages

From Cortex XDR agent version 8.8 and later, 32-bit Windows installers for Cortex XDR agent are not supported.

K8s-based Cortex XDR agents

Upgrades

K8s-based Cortex XDR agents cannot be upgraded automatically, and do not occupy a slot in the auto-upgrade pool.

Legacy Asset Inventory

Data sources

The following data sources are now deprecated or offer limited functionality:

  • Cloud Inventory

  • Prisma Cloud

Onboard all cloud data sources from scratch in your upgraded Cortex XSIAM 3.1 tenant to ensure the Asset Inventory displays the new cloud data sources.