April 2025 - Release Notes - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Release Notes

Product: Cortex XSIAM
Creation date: 2025-03-11
Last date published: 2025-06-22
Category: Release Notes

This section describes the new features and updates of the Cortex XSIAM 2.6 release.

The Cortex XSIAM 2.6 release includes the following highlights:

Feature: Cross-region support in multi-tenant architectures

Cross-region tenant pairing enables multi-tenant organizations to pair their parent and child tenants across different geographic regions, providing enhanced visibility and control for distributed security operations. To enable this capability, contact your Palo Alto Networks account team.

Feature: AI Detection & Response (Beta)

Gain visibility into usage of AI/ML in the cloud using a new dedicated dashboard that also presents related alerts and incidents. New detectors analyze cloud audit logs from AWS, Azure, and GCP to find AI-specific threats.

Feature: New and enhanced dashboard visuals and capabilities

The latest batch of enhancements introduces multiple new and updated widgets and controls, including single-click multi-column and multi-line charts, making it easier to visualize, organize, compare, and filter data, and to quickly turn your data into actionable insights.

Feature: Ingest data into Cortex XSIAM using Cribl Stream (Beta)

A new integration offers XSIAM customers the option to use Cribl for data pipeline management, delivering a seamless experience and simplifying data onboarding for Cribl customers.

The Cortex XSIAM 2.6 release includes the following enhancements:

General

Feature: Enhanced AI incident searches with Cortex Copilot

Cortex Copilot is enhanced with support for the incident entity. This simplifies incident investigation and remediation by providing you with the most relevant incident information together with Cortex Copilot's recommendations for investigation and response.

Investigation and response

Feature: Third-party alert backlink support

When alerts from a third-party vendor are reported to Cortex XSIAM, and once this feature is configured, you can pivot from the Alerts page to the third-party reporting system, directly to the relevant context, at the click of a button.

Detection rules

Feature: Granular exception handling with automated recommendations

Enhanced exception capabilities let you define precise exceptions for a specific scenario, or apply Cortex XSIAM's automated recommendations, keeping operations smooth without compromising security.

Feature: New analytics suites

Cortex XSIAM has introduced the following new advanced Analytics detection suites:

  • Webshell Analytics: Detects webshells being installed and executed.

  • Microsoft SCCM Analytics: Detects unusual or suspicious activity within Microsoft System Center Configuration Manager (SCCM) environments.

  • Active Directory Certificate Services Analytics: Detects anomalous behavior within Active Directory Certificate Services (AD CS).

  • Cloud Data Asset Analytics: Detects anomalous behavior involving data assets, such as public exposure, exfiltration, protection tampering, configuration, and disaster recovery risks.

Endpoint security

Feature: VBScript file examination module

Strengthens defense against advanced threats with an ML-based protection model for the Cortex XDR agent on Windows that detects and prevents adversary techniques that use VBScript files, at the execution stage.

XDR Collectors

XDR Collectors 1.5.0: Windows 1.5.0.1733 and Linux 1.5.0.1695

XDR Collectors 1.4.3: Windows 1.4.3.1686

For more information on maintenance releases, see Maintenance Releases.

Feature: XDR Collectors 1.5.0 and 1.4.3

This release includes performance improvements and bug fixes.

Broker VM

Version 27.0.47 (reboot required)

For more information on maintenance releases, see Maintenance Releases.

Feature: Broker VM 27.0.47

This release includes performance improvements and bug fixes.

Cortex Query Language (XQL)

Feature: Enhanced XQL time picker

When building Cortex Query Language (XQL) queries, the time picker now includes:

  • Additional time range options to select from, such as last 5 minutes and last 3 hours.

  • Recently used selections from your previous queries.

Feature: XQL auto-suggestion improvements

When creating a Cortex Query Language (XQL) query, you can now:

  • Use the up and down arrow keys to navigate through the auto-suggestion commands and definitions.

  • Select an auto-suggestion command by pressing either the Enter or Tab key.

  • Press Shift+Enter to add a new line, ignoring the auto-suggestion output.

  • Close the auto-suggestion output by pressing the Esc key.

Dashboards

Feature: New widget capabilities

Dashboard and report widgets are enhanced with the following new capabilities:

  • Format your text using Markdown in the Free Text widgets.

  • Present time- and duration-based results in your widgets with new time fields in the widget chart editor.

  • Refresh individual widgets on demand, with an improved "last updated" status for visibility.

Feature: New XQL series-based graph results in widgets

Custom Cortex Query Language (XQL) widget creation now supports the Series parameter in the Chart Editor. This parameter lets you specify a field (column) to group data by, and the widget then visualizes the distribution of field values or compares category trends over time. Additionally, the Series parameter is now integrated into the view graph type stage for improved functionality.

API

Feature: ASM asset removal API (requires the ASM add-on)

Manage your external attack surface inventory more efficiently with a new API that lets you remove external IP address ranges, paid-level domains, subdomains, and certificates from your inventory as needed.

Attack Surface Management

Requires the ASM add-on.

Feature: CISA KEV vulnerability testing

Attack surface tests are now available for all CISA KEV CVEs that are externally detectable, do not require authentication, and can be exploited without any risk to the availability or integrity of the running application.

This totals over 260 different vulnerabilities known to be actively exploited in the wild, 190 of which have a CVSS score of 9.0 or higher. As with all Attack Surface Tests, these checks perform full benign exploitation of a given vulnerability to confirm exploitability with near certainty.

Feature: Default credential testing

Introduces 40+ new attack surface tests focused on detecting applications that still use manufacturer default credentials. These tests include checks for default credentials on a number of business operations systems as well as IT and networking devices.

Feature: Operating system identification

Cortex XSIAM now supports fingerprinting multiple different operating systems and their version details for internet-facing applications.

The Cortex XSIAM 2.6 release includes the following changes to existing functionality:

Component: Cortex XDR agent
Area: Installation packages

From Cortex XDR agent version 8.8 onward, 32-bit Windows installers for the Cortex XDR agent are not supported.

Component: K8s-based Cortex XDR agents
Area: Upgrades

K8s-based Cortex XDR agents cannot be upgraded automatically and do not occupy a slot in the auto-upgrade pool.