Feature Enhancements - Release Notes - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Release Notes

Product: Cortex XSIAM
Creation date: 2025-09-18
Last date published: 2025-12-22
Category: Release Notes

These enhancements provide new and improved capabilities across various XSIAM modules.

General

Expanded Asset Group scoping

Scope-Based Access Control (SBAC) has been enhanced to provide more granular control over your access policies. You can now define Asset Groups that include the Business Application Names attribute for scoping definitions.

New SBAC support for dataset rows

Security administrators can now define policies that grant Security Operations Center (SOC) teams access to only the relevant row data for their specific roles. This new granular scoping capability applies to product areas that reference dataset rows, such as XQL queries and custom widgets in dashboards.

API

User and role APIs

These new APIs enable you to manage user roles, update API keys, and add or remove role and scope assignments for users, which gives greater flexibility to automate and scale your user management workflows.

Attack Surface Management

Attack Surface Testing Intrusiveness Levels

Safely test all your environments by adjusting the intensity of exposure checks.

Alerts for Attack Surface Testing misconfiguration findings

Attack Surface Testing will now generate issues for confirmed positive misconfiguration findings, enabling you to identify and secure your attack surface against these types of risks.

Attack Surface Management dashboard

This new dashboard provides a visual overview of your attack surface and can be used for reporting or as the starting point for ASM workflows.

Global Lookup improvements

The following improvements were introduced to provide more comprehensive and actionable insights from internet scan data beyond your own attack surface:

  • View the services that have been open on a given IP address over the last 6 months.

  • Query certificate hashes (MD5, SHA1, and SHA256) in addition to IP addresses and domains.

  • Pivot to Global Lookup directly from IP addresses, domains, and certificates found in ASM or vulnerability issues.

  • View up to 30 days of data, and select up to a 30-day range to search at any point in the last 6 months.

Additional ASM enhancements

  • You can now limit access to ASM data in Cortex XSIAM with role-based access control (RBAC).

  • A new Attribution Reason field indicates whether an ASM asset was discovered or provided.

Automations

Auto-populate command and Quick Action parameters

On-demand enrichment from the Unified Asset Inventory (UAI) enables commands and Quick Actions to remain dynamic and adaptable. Any attribute in the UAI, not just those hardcoded into the issue schema, can be accessed when needed for automation execution. This improves flexibility and reduces the need for playbooks to retrieve relevant data.

Notice

This feature is included with a Cortex XSIAM Premium license. It is also included with any other Cortex XSIAM license that has the Cloud Posture Management or Cloud Runtime Security add-on.

Dismiss alerts for non-configured playbook components

When setting up playbooks, you can now dismiss alerts for components you don't need, such as specific sub-playbooks, scripts, and commands. Alerts can be dismissed in both system and custom playbooks, and you do not need to edit or duplicate a system playbook to dismiss an alert. This enables you to reduce visual noise, making it easier to focus on tasks that require configuration.

Recommended Quick Actions

Recommended Quick Actions enable you to receive contextual and diverse automation recommendations directly within issue response workflows. Recommendations accelerate issue response and drive automation adoption by guiding users to the most relevant and efficient actions.

Notice

This feature is included with a Cortex XSIAM Premium license. It is also included with any other Cortex XSIAM license that has the Cloud Posture Management or Cloud Runtime Security add-on.

Unique task logos

Boost clarity and quickly distinguish between integration commands, custom scripts, and system actions with playbooks that display unique logos and content pack indicators.

Streamlined playbook development with drag-and-drop functionality

Streamline your playbook development by using drag-and-drop to build automation flows. This enables you to create and organize your playbooks faster by simply dragging tasks from the side panel directly onto the canvas.

AI Script Generator

Generate high-quality Python scripts quickly and efficiently with the AI Script Generator. Its built-in testing panel lets you validate and refine the code generated from natural language, ensuring accuracy and significantly reducing the time spent on manual development.

Choose an integration instance for Quick Actions

When running a Quick Action on demand or as part of an automation rule, you can now select a specific integration instance to use, enabling a more efficient and targeted response.

Automation health issues

New automation health issues help you quickly identify and resolve potential automation configuration issues, enabling you to maintain peak system performance.

Automation Exclusion Center enhancements

The automation exclusion center now allows for more dynamic and flexible policies:

  • Hard user remediation and soft user remediation automation exclusion policies can now reference asset groups. User accounts are automatically categorized into asset groups, eliminating the need for manual list updates and ensuring that automation exclusion policies remain up-to-date.

  • Reference multiple lists and asset groups in the same policy, providing maximum flexibility.

  • New role permissions enable you to allow non-admin users the ability to view or edit policies in the Automation Exclusion Center. Admins can delegate policy management to non-admin users without granting full admin-level system access, giving admins more time to focus on other critical responsibilities.

  • Automation Exclusion policy overrides provide greater control and responsiveness. You can now permit policy overrides on specific automation exclusion policies, enabling analysts to run commands on critical assets as needed. You can also configure policies without overrides, providing a balance of security and operational flexibility.

  • With RBAC for lists, you can now define one or more roles that can view or edit a list, mitigating the risk of unauthorized or accidental changes to lists of critical assets.

  • New condition-based policies offer more versatility and precision for enforcing automation exclusions. You can now use lists with dynamic matching operators, such as starts with, ends with, and doesn’t include. Dynamic matching operators allow you to apply automation exclusion policies to entire naming patterns, such as regional endpoints or internal domains, simplifying management and improving coverage.

Broker VM

Version 29.0.71 (reboot required)

For more information on maintenance releases, see Maintenance releases.

Enhanced error visibility and auditing for additional Broker VM applets

Gain better insight into application, connectivity, and processing errors for the FTP Collector, Netflow Collector, Network Mapper, and Apache Kafka collector applets running on Broker VMs. Error messages are displayed on Apps of Broker VMs and Clusters, and applet status changes are logged in the collection_auditing dataset, enabling detailed investigations through XQL queries.

Broker VM support for Spain’s Esquema Nacional de Seguridad (ENS) National Security Framework

The Broker VM has been updated to comply with Spain’s Esquema Nacional de Seguridad (ENS) National Security Framework. You must enable the option Only use recommended cipher suites to meet the ENS regulation. This new setting is located in the Advanced Settings section, which you can access when configuring the Broker VM using its URL.

Enhanced Database Collector

The Database Collector applet now has a new Storage Method option, which offers more control over how the data is handled:

  • Append: This method adds new data to an existing dataset, which was previously the default behavior.

  • Replace: This new method is only available for Snapshot datasets and overwrites the entire dataset with the newly collected data. This is necessary when the data to be collected from the database is static data or reference data, such as a list of computers, IP addresses, or a list of users.

Cortex Query Language (XQL)

Enhanced XQL query monitoring and governance

Introducing significant updates to XQL query management that deliver a more responsive, holistic, and powerful Query Center experience. Key enhancements:

  • Improved performance: Experience faster and more responsive page load and filtering times in the Query Center.

  • Real-time tracking and management: Get full visibility into active queries across your tenant, with the power to instantly cancel running queries.

  • Expanded query coverage: Monitor queries from all XQL query sources, including Dashboards with XQL widgets, Correlation rules, BIOC rules, and more.

  • Administrator governance: Prevent resource strain and optimize tenant performance by setting query limits for all users.

  • New default query limit: To prevent long-running queries and ensure optimal tenant performance, queries will automatically stop after 60 minutes. (This value can be overridden using the max_runtime_minutes command.)

  • Updated query retention: Query retention is now aligned with issue retention.

Lookup datasets enhancement

Cortex XSIAM has implemented a fix to improve lookup dataset queries and provide better flexibility in managing your data. Now, when you create or add data to a lookup dataset using the target stage, the _time field won't be included by default unless you explicitly add it with the fields stage.

Detection Rules

New and improved Analytics tags

New analytics suites

  • EDR Windows Disguised Processes: A novel analytics detection suite designed to detect Windows process masquerading techniques and their diverse sub-techniques, such as common process name impersonation and renaming of legitimate system utilities by attackers. The suite achieves this through its comprehensive analytic capabilities, featuring dynamic baselines and anomaly scoring.

  • EDR Linux Credential Grabbing: A behavior-based analytics detection suite to identify uncommon access to sensitive files that are frequently targeted for credential discovery. The suite monitors processes interacting with files such as SSH private keys, password and group files, shell history, and other configuration artifacts commonly used to store credentials. By analyzing access patterns across environments, the detector suite highlights rare or anomalous behavior, helping uncover otherwise unnoticed credential-harvesting activity.

  • EDR macOS Generic Persistence: An innovative analytics detection suite tailored to the macOS domain to detect unusual activities to secure a persistent foothold and execution in macOS endpoints. This suite highlights abused persistence mechanisms and supports the hunt for novel persistence techniques, commonly leveraged by macOS infostealers and APTs.

  • Microsoft Teams Analytics: An advanced analytics suite for detecting attack attempts within Microsoft Teams. The suite uncovers a broad range of different sub-techniques, such as phishing, malicious link sharing in chats, unauthorized policy modification, malicious application installation, and data collection. The suite uses dynamic baselines and anomaly scoring to provide comprehensive analytics, identifying abnormal user and communication patterns.
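The Windows disguised-process and Linux credential-grabbing suites above both rest on two ideas: comparing a process against what a legitimate instance looks like, and scoring how rare a process-to-file access is against a learned baseline. The following is an added illustration of those two ideas, not Cortex XSIAM's analytics logic and not code from Palo Alto Networks. The event layout, the allow-list of system-binary directories, the list of credential-bearing file patterns, the host-count rarity threshold and the sample events are all assumptions constructed for the example.

```python
"""Added illustration of two detection ideas described in the release notes
(not Cortex XSIAM's own analytics): a disguised-process check for Windows and
a rarity-scored sensitive-file access check for Linux, run over constructed
events. Event layout, allow-lists, file patterns and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Event:
    """One constructed endpoint event (real agent telemetry carries far more fields)."""
    host: str
    os: str          # "windows" or "linux"
    process: str     # image name as reported, e.g. "svchost.exe"
    path: str        # full image path of the process
    file: str = ""   # file accessed (file-access events only), "" otherwise


# Assumed allow-list: directories these Windows system binaries are expected to run from.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
}

# Assumed glob patterns for files that commonly hold credentials on Linux.
SENSITIVE_GLOBS = [
    "/etc/shadow", "/etc/passwd", "/etc/group",
    "/home/*/.ssh/id_*", "/root/.ssh/id_*",
    "/home/*/.bash_history", "/root/.bash_history",
]


def sensitive_pattern(path):
    """Return the first sensitive glob that matches the path, or None."""
    for glob in SENSITIVE_GLOBS:
        if fnmatch.fnmatchcase(path, glob):
            return glob
    return None


def masquerading(events):
    """Disguised-process check: a Windows process named like a well-known system
    binary but running from a directory outside the allow-list."""
    hits = []
    for e in events:
        expected = EXPECTED_DIRS.get(e.process.lower()) if e.os == "windows" else None
        if expected is None:
            continue
        directory = e.path.lower().rsplit("\\", 1)[0]
        if directory not in expected:
            hits.append((e.host, e.process, e.path))
    return hits


def learn_baseline(events):
    """Baseline: for each (process, sensitive-file pattern) pair, the number of
    distinct hosts on which that access was seen during the learning window."""
    hosts_seen = defaultdict(set)
    for e in events:
        pattern = sensitive_pattern(e.file) if e.os == "linux" and e.file else None
        if pattern is not None:
            hosts_seen[(e.process, pattern)].add(e.host)
    return {pair: len(hosts) for pair, hosts in hosts_seen.items()}


def rare_credential_access(events, baseline, min_hosts=2):
    """Anomaly scoring: flag Linux sensitive-file accesses whose (process, pattern)
    pair was seen on fewer than min_hosts hosts in the baseline. The score
    1 / (1 + hosts) is highest (1.0) for never-before-seen pairs."""
    alerts = []
    for e in events:
        pattern = sensitive_pattern(e.file) if e.os == "linux" and e.file else None
        if pattern is None:
            continue
        hosts = baseline.get((e.process, pattern), 0)
        if hosts < min_hosts:
            alerts.append((e.host, e.process, e.file, round(1 / (1 + hosts), 2)))
    return alerts


# Constructed learning-window sample: routine credential-file access on three Linux hosts.
BASELINE_EVENTS = [
    Event("lnx-01", "linux", "ssh", "/usr/bin/ssh", "/home/alice/.ssh/id_rsa"),
    Event("lnx-02", "linux", "ssh", "/usr/bin/ssh", "/home/bob/.ssh/id_ed25519"),
    Event("lnx-03", "linux", "ssh", "/usr/bin/ssh", "/home/carol/.ssh/id_rsa"),
    Event("lnx-01", "linux", "sudo", "/usr/bin/sudo", "/etc/shadow"),
    Event("lnx-02", "linux", "sudo", "/usr/bin/sudo", "/etc/shadow"),
    Event("lnx-03", "linux", "sudo", "/usr/bin/sudo", "/etc/shadow"),
]

# Constructed detection-window sample: three benign events and three that should be flagged.
NEW_EVENTS = [
    Event("win-07", "windows", "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Event("win-07", "windows", "svchost.exe", r"C:\Users\Public\svchost.exe"),
    Event("lnx-04", "linux", "ssh", "/usr/bin/ssh", "/home/dave/.ssh/id_rsa"),
    Event("lnx-04", "linux", "curl", "/usr/bin/curl", "/home/dave/.ssh/id_ed25519"),
    Event("lnx-02", "linux", "python3", "/usr/bin/python3", "/etc/shadow"),
    Event("lnx-02", "linux", "python3", "/usr/bin/python3", "/var/log/syslog"),
]

if __name__ == "__main__":
    for hit in masquerading(NEW_EVENTS):
        print("disguised process:", hit)
    for alert in rare_credential_access(NEW_EVENTS, learn_baseline(BASELINE_EVENTS)):
        print("rare credential-file access:", alert)
```

On the constructed sample the copy of svchost.exe under C:\Users\Public is reported, the ssh client reading a key it reads on every baseline host is not, and curl and python3 touching a private key and /etc/shadow score 1.0 because no baseline host ever showed those pairs. Raising min_hosts trades fewer misses for more noise, which is the same tuning decision a dynamic baseline makes per environment.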

Improved analytics tags:

  • DLL Hijacking Analytics: We've expanded and improved our coverage for DLL Hijacking techniques. Using advanced analytic capabilities, we significantly enhanced detection logic for important threats, including Microsoft process hijacking and DLL sideloading.

Email Security

New Advanced Email Security response engine

A lightweight, real-time remediation engine enabling automated, policy-driven actions to quickly respond to email threats before they manifest. All remediation actions initiated by automatic policies are tracked in the Remediation Action Center, where you can review the emails and actions taken.

Notice

This feature requires an Email Security Module add-on.

Endpoint Security

File examination on-load for macOS

Detect and prevent execution of malicious Mach-O files when loaded on macOS-based endpoints, using this new Cortex XDR agent capability.

JScript file examination for Windows

Detect and prevent malicious JScript files from being executed or written to disk on Windows-based endpoints, using this new capability provided by the Cortex XDR agent.

LDAP Query Protection for Windows

Identify and block malicious reconnaissance activity targeting Windows Domain Controllers. Customers with the ITDR add-on can now use the XDR agent for real-time prevention against attack techniques used by tools like BloodHound's SharpHound collector.

Child Process Protection for Linux

Cortex XDR introduces an additional prevention module for Linux that examines the relationships between parent and child processes and flags suspicious ones. This module improves detection and protection coverage.

XDR Agent for Windows on ARM64

Extend agent deployments to Windows devices running on ARM64 architecture, including Microsoft Surface devices.

Exposure Management

Cortex XDR Security Controls Detection

Gain enhanced visibility into XDR agent profile configurations and exploit protection status, improving vulnerability risk identification, protection efficacy assessment, and prioritization.

Cortex Network Scanner enhancements

The following enhancements were introduced:

  • Target Groups management: Configure network scans more efficiently and consistently by leveraging saved and reused Target Groups.

  • Multi-scanner support: Reduce the amount of time it takes to complete large network scans by assigning multiple scanners to the task.

  • Multiple credentials: You can now configure multiple credentials of the same type for each scan. The scanner will try each one until authentication is successful.

  • Credential testing: Test credentials stored in the system before starting a large scan and identify gaps in the authentication.

External Data Ingestion and Management

Unified integration error notifications

Instead of being inundated with multiple notifications, all data collector errors are now grouped into a single notification. This new, non-dismissible notification alerts all users to data source integration errors.

Vulnerability Management

Cortex Vulnerability Block Grace Period

Enhancements to Cortex Vulnerability Management allow you to establish a block grace period when creating prevention policies. Grace periods are based on a fixed date and temporarily override the blocking action of a policy when new vulnerabilities are found. You can configure a uniform grace period for all severities or provide different settings for each severity. When grace periods are configured, findings trigger as normal, notifying you that a vulnerability exists in your environment. The block action is suppressed for the number of days specified, giving you time to mitigate the vulnerability.

Cortex Vulnerability Risk Score

The Cortex Vulnerability Risk Score (CVRS) is a dynamic vulnerability risk-scoring approach that helps you prioritize vulnerabilities. CVRS uses critical organization-specific information along with public vulnerability intelligence to provide a tailored, accurate risk score for each vulnerability alert and finding.

Vulnerability Management Enhancements

Updates to the Vulnerability Management UI help you contextualize risk and prioritize remediations. The following enhancements are included:

  • The side-panel now includes actionable insights such as Issue Details, Recommended Actions, and Remediations to help you quickly triage and resolve issues.

  • Right-click on any issue to take quick actions and generate a CSV export if required.

  • You can access the Vulnerabilities tab on any Kubernetes worker or master node to view the maximum severity associated with the node, the top three nodes by severity, and a graphical view of vulnerabilities by severity.

XDR Collectors

XDR Collectors 1.5.1: Windows 1.5.1.2048 and Linux 1.5.1.1950

XDR Collectors 1.4.3: Windows 1.4.3.1686

For more information on maintenance releases, see Maintenance releases.

Enhanced visibility and auditing of XDR Collectors

Cortex XSIAM now provides enhanced error visibility and auditing for XDR Collectors. This enables you to quickly identify and resolve application, connectivity, and processing errors, simplifying troubleshooting and ensuring your critical workflows remain uninterrupted.