This section describes the new features and updates of the Cortex XSIAM 2.1 release.
The Cortex XSIAM 2.1 release includes the following highlights:
Feature | Description |
---|---|
Enhanced XSIAM Command Center | We're expanding the Command Center to provide deeper visibility into your security operations process. You can now drill down to explore your data inventory and get deep visibility into XSIAM activity using a real-time live feed of incidents and alerts. |
Manual incident creation | Cortex XSIAM now enables you to generate incidents directly from the user interface, ensuring you can capture all of your activities in a single location. Consolidate your efforts with Cortex XSIAM by creating incidents for hunting, self-initiated investigations, and other use cases. Managing your operations more effectively in a single place helps reduce context-switching. |
Limit access to Cortex XSIAM API | You can now limit Cortex XSIAM API access to a specific IP address or IP range by adding them to an Allow list. This ensures better data security and control while facilitating integration with third-party systems and applications. |
UEFI protection module | Cortex XDR has expanded its malware protection capabilities by adding the UEFI protection module, which reinforces and provides coverage against pre-boot attacks. |
The Cortex XSIAM 2.1 release includes the following enhancements:
General
Feature | Description |
---|---|
Visibility into IT performance | Gain visibility into IT performance on your Cortex XDR Agent with the new IT Metrics dashboard. This dashboard is based on key IT metrics that measure operational efficiency, and help you oversee security and performance on your network. To provide flexible use of the performance metrics, they are also available in the new |
Attack Surface Testing (closed Beta) | Cortex XSIAM can now confirm the presence of vulnerabilities through customer-authorized, benign Attack Surface Testing. Confirming or disproving the presence of a vulnerability allows Cortex XSIAM to prioritize risks with more precision and confidence. Attack surface tests are run daily on services that are exposed to the public internet and can be configured to automatically include new directly-discovered services. Attack Surface Testing narrows the automation gap between attackers and defenders and enables you to focus on the most impactful remediations. Attack Surface Testing is available through a closed Beta. For more information, contact your CS representative. |
Mandatory field enforcement for creating XDM authentication stories | Cortex XSIAM now requires that when creating Cortex Data Model (XDM) authentication stories for XDM identity data, certain fields must be populated. This improves the quality of data for analytics and reduces false positives. (Read more in MODEL.) |
On-write protection module | Cortex XSIAM has expanded its machine learning (ML) based security capabilities to include on-write protection for Windows, which includes WildFire and local analysis. |
Augmenting VA insights in Host Card | The Host Card under Asset Scores now includes additional Vulnerability Assessment (VA) insights. This enhancement provides a detailed and high-level view of the Common Vulnerabilities and Exposures (CVE) sorted by severity, enabling you to quickly understand and prioritize security threats on each endpoint. The CVE breakdown is included only when Host Insights and Identity Threat Module licenses are activated. |
New Widgets in the Identity Threat Module (Requires the Identity Threat Module add-on) | The User Risk View in the Identity Threat Module now contains two new widgets that provide more insight into the provenance of the user. |
New cloud-related attributes for security events and agent status | Cortex XSIAM has integrated cloud-related attributes to security events and agent status to convey essential information. |
Analytics Tags Highlights | Cortex XSIAM has updated the detectors inventory, introducing new analytics into both new and existing tags. |
Support Case Attachments | To expedite the handling of in-product support cases, Cortex XSIAM can now automatically attach relevant files to the case. |
Bring your own keys (BYOK) | The Cortex XSIAM key management process has been simplified to enable you to encrypt data with keys you provide upon tenant activation. |
XDR Collectors
Windows 1.4.1.1100 and Linux 1.4.1.1089
For more information on maintenance releases, see Maintenance Releases.
Feature | Description |
---|---|
XDR Collectors 1.4.1 | This release includes performance improvements and bug fixes. |
Broker VM
Version 22.0.32
For more information on maintenance releases, see Maintenance Releases.
Feature | Description |
---|---|
Broker VM 22.0.32 | This release includes performance improvements and bug fixes. |
External Data Ingestion and Management
Feature | Description |
---|---|
Retention licenses support 31-day period | Cortex XSIAM retention license add-ons now support a 31-day period per license SKU purchased, instead of the 30 days provided previously. This ensures full 365-day coverage. |
Cortex Query Language (XQL)
Feature | Description |
---|---|
New field added to xdr_process preset | Cortex XSIAM now includes a new field called |
New operators supported in the Query Builder simple search templates | Cortex XSIAM now supports using these operators for integer and float fields in Query Builder simple search templates: Supported templates are: This helps streamline and improve your search capabilities. |
Playbooks
Feature | Description |
---|---|
Group playbook inputs and outputs | You can now group playbook inputs and outputs, making it easier for security analysts to manage and understand the inputs required for different stages of the playbook. Grouping enhances the playbook's clarity, reduces the likelihood of errors, and facilitates a more streamlined and efficient incident response workflow. |
The Cortex XSIAM 2.1 release includes the following changes to existing functionality:
Component | Area | Description |
---|---|---|
APPS column of Broker VMs page | Broker VM | Cortex XSIAM has replaced the hover action in the APPS column of the Broker VMs page with a left-click action, which displays the Broker VM applet settings and lets you add a new Broker VM applet. |
target stage | XQL | Cortex XQL now supports defining a |
Endpoints table, Last Certificate Enforcement Fallback column, Agent Settings profile | Certificate enforcement for Windows and macOS endpoints | To improve security, the Cortex XDR agent now enforces the use of the provided trusted root CA file, without falling back to the local certificate store. There are three modes of operation, set in the Agent Settings profile. Disabled (Notify) is the default for existing tenants; new tenants have the Enabled configuration by default. |