April 2024 - Release Notes - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Release Notes

Product
Cortex XSIAM
Creation date
2024-02-14
Last date published
2024-04-30
Category
Release Notes

This section describes the new features and updates of the Cortex XSIAM 2.2 release.

The Cortex XSIAM 2.2 release includes the following highlights:

FEATURE

DESCRIPTION

Cloud-focused Command Center Dashboard

(Requires a Cortex XSIAM Enterprise Plus license)

Introducing the new Cloud Command Center. Gain immediate insight into your cloud-based security operations, including details about your cloud assets, cloud-related incidents, risks, and vulnerabilities. From the dashboard you can drill down to dedicated views for further investigation into your cloud platform.

Enhanced Integration with Prisma Cloud

To enhance your insights into incidents and assets in your cloud environment, Cortex XSIAM alerts now include more information about alerts and assets coming from Prisma Cloud, enabling broader context and visibility, better incident-grouping capabilities, automation playbooks, and easier navigation to assets.

Incident Drilldown in the XSIAM Command Center

We're upgrading the XSIAM Command Center with a new drill-down dashboard for incident metrics, offering breakdowns of incidents, MITRE ATT&CK tactic details, automation recommendations, and top resolving assignees.

XSIAM Incident Domains

XSIAM Incident Domains help you organize and manage your work efforts by associating incidents and alerts with a domain and creating a tailored experience for each one. An incident domain is a logical contextual boundary that allows you to manage and prioritize each operational use case without affecting other cases. In addition to the built-in domains, you can build your own incident domains for non-security use cases.

Unified Asset Inventory (Beta)

Introducing a unified Asset Inventory that enhances visibility into your assets. Powered by a new Asset Discovery mechanism, the Asset Inventory provides a comprehensive asset profile with enriched asset information, including aggregation from different data sources.

The Cortex XSIAM 2.2 release includes the following enhancements:

General

FEATURE

DESCRIPTION

Multi-Role API Keys

You can now create API keys with multiple roles to improve operational efficiency and allow dynamic RBAC management of API keys. An API key's permissions are the aggregated permissions of the roles associated with it.

Timer fields in alerts

Create and add a Timer field to alerts, enabling you to measure time duration at the alert level, improve response times, and gain visibility of the alert progress.

Attack Surface Testing

Cortex XSIAM can now confirm the presence of vulnerabilities through customer-authorized, benign Attack Surface Testing. Confirming or disproving the presence of a vulnerability allows Cortex XSIAM to prioritize risks with more precision and confidence. Attack surface tests are run daily on services exposed to the public internet and can be configured to automatically include newly discovered services. This narrows the automation gap between attackers and defenders and enables you to focus on the most impactful remediations.

Redesigned External Service Details

Cortex XSIAM has introduced a redesigned details page for external services, providing a single point of access to all the incidents, alerts, and assets related to a service. The new service details also display a comprehensive list of attack surface test results or inferred CVE intelligence.

ASN Data

Gain additional context for investigating alerts with Autonomous System Number (ASN) data filters and details. Cortex XSIAM now supports filtering based on ASN data in the Asset Inventory and provides ASN details on the details pane for IPv4 ranges and responsive IPs.

Analytics for Containerized Environments

Cortex XSIAM enhances its container security capabilities with the introduction of a detection analytics pack designed for managed and unmanaged Kubernetes environments. This enhancement strengthens cloud workload protection by enabling proactive identification and mitigation of malicious content inside containerized applications.

New dataset for auditing correlation executions

The new correlations_auditing dataset provides visibility into your correlation rules by logging each rule execution. The dataset records the query times, correlation start/end times, retry attempts, failure reasons, and other useful metrics.

Remediation Confirmation Scans for ASM Alerts

Cortex XSIAM introduces remediation confirmation scanning to validate the resolution of Attack Surface Management (ASM) alerts. A security analyst can initiate this scan anytime using a button on the ASM alert page. Remediation confirmation scans use the same payloads and ASM global scanning infrastructure that are used for service discovery to quickly validate that the risk has been addressed.

Broker VM and XDRC data sources in the XSIAM Command Center

Broker VM and XDRC are now displayed as part of the XSIAM Command Center data sources. In addition, the XSIAM Command Center dashboards have been enhanced to include even more drill-downs.

Endpoint security

FEATURE

DESCRIPTION

Cloud Security Agent

Cortex XSIAM now includes a unified (single) agent that reduces maintenance and resource overheads while providing runtime security and vulnerability management capabilities for cloud native environments.

Requirements:

  • Cortex XSIAM 2.2

  • Prisma Cloud Compute

  • Cortex XDR agent 8.2.1 or above

Supports:

  • Host and Kubernetes Installers

  • Linux only

Root detection alerts on Android-based endpoints

Cortex XSIAM now includes root detection alerts to help you identify Android devices on which malicious tools could be installed using root access privileges.

Additional malware protection for iOS-based endpoints

The endpoint iOS malware profile now includes options to enforce use of the Safari browser security module to monitor network traffic, and to restrict and block network traffic for unsanctioned apps on supervised iOS devices. These enhancements provide proactive gating of suspicious sites, and granular control and monitoring of network traffic.

Additional network filtering alerts for iOS-based endpoints

Safari Safeguard provides new protection modules in iOS to help track malicious app activity, detect unwanted access to malicious web sites and URLs, and monitor unsanctioned web access. The new events are:

  • Malicious network activity

  • Malicious network activity - digest

  • Company restricted network activity

  • Company restricted network activity digest

Enhanced Vulnerability Assessment

Cortex XSIAM introduces the Enhanced VA mode, which uses advanced algorithms and comprehensive databases to deliver in-depth analysis and extensive details on CVEs. The Enhanced VA mode is available on Windows and macOS endpoints running Cortex XDR agent versions 8.3 and later.

Apps

FEATURE

DESCRIPTION

Cortex XSIAM Notebooks Enhancements

Introducing new capabilities to leverage your custom analytics, insights, and learnings to enrich your detection and investigation experience using Cortex XSIAM Notebooks.

Notebooks now expose custom tables as datasets. You can now generate and store profiles, custom tables, and insights as XQL datasets. You can then use these datasets for correlations, queries, and day-to-day work.

XDR Collectors

Windows 1.4.1.1100 and Linux 1.4.1.1089

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

XDR Collectors 1.4.1

This release includes performance improvements and bug fixes.

Broker VM

Version 23.0.33

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

Broker VM 23.0.33

This release includes performance improvements and bug fixes.

External Data Ingestion and Management

FEATURE

DESCRIPTION

TTL for lookup datasets

Cortex XSIAM now enables configuring a Time To Live (TTL) for lookup datasets, which specifies when lookup entries expire and are removed automatically from the dataset. The default value is forever, meaning entries never expire.

NGFW configuration log ingestion

NGFW configuration logs are now ingested to enrich the firewall data ingested into Cortex XSIAM.

Cortex Query Language (XQL)

FEATURE

DESCRIPTION

New Parsing Rules regexcapture function

Cortex XSIAM now supports a new Parsing Rules function called regexcapture, which extracts fields from a given string using regular expression named groups and returns a JSON object whose keys are the capturing groups. This function simplifies the Parsing Rules code for field extraction.
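The following Python snippet is an added illustration of the named-groups-to-JSON-object semantics described above; it is not XQL and not Cortex XSIAM code. The sample log line and its field layout are constructed for the example, and the behaviour on a non-matching line (an empty object rather than an error) is an assumption made here, not something the release notes state.

```python
import json
import re

# Constructed sample lines in a made-up key=value firewall format (not a real product's syntax).
SAMPLE_LINE = "2024-04-30T10:15:42Z fw01 action=deny src=10.0.0.5 dst=203.0.113.9 dport=445"
SAMPLE_LINE_WITH_USER = SAMPLE_LINE + " user=alice"

# Each named group becomes one key in the returned object, so one pattern replaces
# a separate extraction per field. The trailing "user" group is optional to show how
# a field that is absent from a line surfaces as null instead of breaking the parse.
PATTERN = (
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+action=(?P<action>\w+)\s+"
    r"src=(?P<src_ip>[\d.]+)\s+dst=(?P<dst_ip>[\d.]+)\s+dport=(?P<dst_port>\d+)"
    r"(?:\s+user=(?P<user>\S+))?$"
)


def regexcapture(text: str, pattern: str) -> dict:
    """Python stand-in for the described semantics: return a dict keyed by the
    pattern's named groups. Assumption: an unmatched input yields an empty
    object so that a stray line does not abort the parsing rule."""
    match = re.search(pattern, text)
    return match.groupdict() if match else {}


def parse_line(text: str) -> str:
    """Serialize the captured fields as a JSON document (unmatched optional groups become null)."""
    return json.dumps(regexcapture(text, PATTERN), sort_keys=True)


if __name__ == "__main__":
    print(parse_line(SAMPLE_LINE))
    print(parse_line(SAMPLE_LINE_WITH_USER))
    print(parse_line("not a firewall line"))
```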

Aligned XQL function descriptions and syntax

The XQL query function and syntax descriptions in Cortex XSIAM are now aligned with the descriptions found in the Cortex XSIAM XQL Language Reference guide. This ensures that the same information is provided in both places.

Playbooks

FEATURE

DESCRIPTION

ASM Automation Enhancement

Introducing new functionality within Cortex XSIAM to support endpoint-based mitigation playbooks on select Attack Surface Management (ASM) alert types. This enhancement empowers defenders by offering diverse options for addressing internet-exposed risks effectively.

QR Code Phishing investigation

Introducing a new playbook that provides enhanced investigation capabilities for phishing incidents with the latest playbook feature focused on QR code phishing. This functionality automatically analyzes embedded QR codes, enabling thorough scrutiny of malicious emails and enhancing your response strategy against this prevalent attack vector.

Prisma Cloud Compute

Introducing a new playbook designed specifically for compliance incidents within Prisma Cloud Compute. This feature enriches incident data with integration commands, empowering analysts with a comprehensive review. Explore advanced capabilities such as resource-specific data retrieval, email compliance reports, and seamless ticket creation across relevant systems.

Prisma Cloud Network, API, and Anomaly Incidents

Introducing a new playbook that handles incidents of internet-exposed services and detects potential risky configurations that can make your cloud environment vulnerable to attacks. It also focuses on incidents of unusual network and user activity for all users and is especially critical for privileged users and assumed roles. Detecting such activity early on may indicate the first steps in a potential misuse or account compromise.

Prisma Cloud Audit Incidents

Introducing a new playbook that handles policies identifying AWS S3 and IAM configuration updates, such as creating, deleting, or modifying bucket policies and modifying user groups, that are invoked from the following penetration-testing distributions: Pentoo Linux, Kali Linux, and Parrot Security.

Identity analytics

Introducing a new playbook that handles identity analytics alerts from Cortex XSIAM, covering enrichment, investigation, and response strategies. These alerts focus on identifying suspicious user behavior and activities, providing valuable insights for proactive security measures.

Forensics

FEATURE

DESCRIPTION

Forensics investigation

Cortex XSIAM introduces a new Forensic Investigations feature to the Forensics add-on. This includes:

  • Method for grouping all evidence collections and investigation notes in a single location

  • User permissions to limit access to investigation assets

  • Collections page for monitoring the progress of evidence collections

  • An alerts table which is investigation specific

  • A timeline tab containing a normalized view of all tagged rows

  • A new Key Assets & Artifacts tab, which is generated from the Investigation Timeline data

Export forensic collections

Cortex XSIAM can now export Hunt or Triage collections into single archives and enables users to track and manage the exported data from the server.

Forensic hunting

Cortex XSIAM introduces a new Forensic Hunting feature to the Forensics add-on. This includes:

  • Named collection of user-defined searches

  • Method for running artifact searches at scale

  • Support for custom search parameters across all supported artifacts

  • Configurable timeouts for each artifact search

  • Ability to schedule searches for specific days or time ranges

  • Replaces artifact and search collections in User Agent settings and Forensic searches in the Action Center

The Cortex XSIAM 2.2 release includes the following changes to existing functionality:

COMPONENT

AREA

DESCRIPTION

Incident Domains

  • Playbook Triggers

  • Incident Scoring

  • Starred Alerts

  • Layout rules

  • Alert Exclusions

  • Notification Forwarding Configurations

  • XQL Widgets

  • Scheduled Queries

With the release of the Incident domains feature, Cortex XSIAM now automatically assigns your incidents and alerts to a domain.

Please review your existing filter-based rules to ensure their relevance to the intended domains. In addition, you must review any XQL-based objects that query the incident or alert datasets to determine whether the incident_domain and alert_domain filters should be applied.

Forensics

Action Center

The majority of Forensic actions have been moved from the Action Center to the new Hunting and Investigation features in Forensics. These include:

  • Forensic Triage

  • Forensic File Search

  • Forensic Registry Search

  • Forensic Log Search