February 2024 - Release Notes - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Release Notes

Product
Cortex XSIAM
Creation date
2024-02-14
Last date published
2024-04-30
Category
Release Notes

This section describes the new features and updates of the Cortex XSIAM 2.1 release.

The Cortex XSIAM 2.1 release includes the following highlights:

Enhanced XSIAM Command Center

We're expanding the Command Center to give deeper visibility into your security operations. You can now drill down into your data inventory and follow XSIAM activity on a real-time feed of incidents and alerts.

Manual incident creation

Cortex XSIAM now enables you to generate incidents directly from the user interface, ensuring you can capture all of your activities in a single location.

Consolidate your efforts with Cortex XSIAM by creating incidents for hunting, self-initiated investigations, and other use cases. Managing your operations more effectively in a single place helps reduce context-switching.

Limit access to Cortex XSIAM API

You can now limit Cortex XSIAM API access to specific IP addresses or IP ranges by adding them to an allow list; requests from any other source address are rejected. This gives you tighter control over which third-party systems and applications can reach the API. Before you enable the list, confirm that the egress addresses of every integration that calls the API are included (systems behind NAT present their public address, not their internal one), or their calls will start failing. The allow list only restricts where requests may come from; API keys are still required to authenticate them.

UEFI protection module

Cortex XDR has expanded its malware protection capabilities with a new UEFI protection module, which provides coverage against pre-boot attacks on the UEFI firmware.

The Cortex XSIAM 2.1 release includes the following enhancements:

General

Visibility into IT performance

Gain visibility into IT performance on endpoints running the Cortex XDR agent with the new IT Metrics dashboard. The dashboard is built on key IT metrics that measure operational efficiency and helps you oversee security and performance across your network. For flexible use of the same metrics in your own queries, they are also available in the new IT_metrics dataset.

Attack Surface Testing (closed Beta)

Cortex XSIAM can now confirm the presence of vulnerabilities through customer-authorized, benign Attack Surface Testing. Confirming or disproving a vulnerability lets Cortex XSIAM prioritize risks with more precision and confidence. Attack surface tests run daily against services exposed to the public internet and can be configured to automatically include newly discovered services. Attack Surface Testing narrows the automation gap between attackers and defenders and lets you focus on the most impactful remediations.

Attack Surface Testing is available through a closed Beta. For more information, contact your CS representative.

Mandatory field enforcement for creating XDM authentication stories

Cortex XSIAM now requires that certain fields be populated when you create Cortex Data Model (XDM) authentication stories for XDM identity data. Enforcing these fields improves the quality of the data available to analytics and reduces false positives. For the list of mandatory fields, see the Cortex Data Model documentation.

On-write protection module

Cortex XSIAM has expanded its machine learning (ML) based security capabilities with on-write protection for Windows, which scans files as they are written to disk using WildFire and local analysis.

Augmenting VA insights in Host Card

The Host Card under Asset Scores now includes additional Vulnerability Assessment (VA) insights.

This enhancement provides both a summary and a per-severity breakdown of the Common Vulnerabilities and Exposures (CVE) entries found on the endpoint, so you can quickly understand and prioritize its exposure.

The CVE breakdown is included only when Host Insights and Identity Threat Module licenses are activated.

New Widgets in the Identity Threat Module

(Requires the Identity Threat Module add-on)

The User Risk View in the Identity Threat Module now contains two new widgets that show the context from which the user typically connects.

  • Common Locations - displays the countries from which the user connected most in the past few weeks.

  • Common OSs - displays the operating systems the user used most in the past few weeks.

New cloud-related attributes for security events and agent status

Cortex XDR now attaches cloud-related attributes to security events and agent status records, so the cloud context of an endpoint is available where the event is triaged.

Analytics Tags Highlights

Cortex XDR has updated the detectors inventory, introducing new analytics into both new and existing tags.

  • Direct Syscall Analytics (New) - Real-time detection of direct syscall activity, distinguishing benign from malicious events.

  • DLL Hijacking Analytics (New) - Improved analytics for identifying DLL hijacking techniques, focusing on evasion and privilege escalation.

  • Global Analytics (Updated) - Enhanced detection of complex attacks, including supply chain threats and zero-day exploits, using machine learning over cross-customer references.

  • Injection Analytics (Updated) - Refined detection of process injection anomalies, improving identification of malicious activity.

  • Impacket Analytics - Analytics for detecting Impacket-related lateral movement behaviors with high accuracy.

Support Case Attachments

To expedite the handling of in-product support cases, Cortex XSIAM can now automatically attach relevant files to the case.

  • When you select an endpoint, Cortex XSIAM can attach its Tech Support File (TSF).

  • When you record the console, Cortex XSIAM can also record the browser's network log (a HAR file) and send it with the case. A HAR file captures complete requests and responses, including cookies and authorization headers, so review it for session tokens and other secrets before it leaves your environment.

Bring your own keys (BYOK)

The Cortex XSIAM key management process has been simplified so that you can encrypt tenant data with keys you provide (bring your own key) when the tenant is activated. See the tenant activation documentation for how to enable BYOK on new Cortex XSIAM tenants.

XDR Collectors

Windows 1.4.1.1100 and Linux 1.4.1.1089

For more information on maintenance releases, see Maintenance Releases.

XDR Collectors 1.4.1

This release includes performance improvements and bug fixes.

Broker VM

Version 22.0.32

For more information on maintenance releases, see Maintenance Releases.

Broker VM 22.0.32

This release includes performance improvements and bug fixes.

External Data Ingestion and Management

Retention licenses support 31-day period

Cortex XSIAM retention license add-ons now provide a 31-day period per license SKU purchased, instead of the 30 days provided previously, so that twelve add-ons cover a full 365-day year (twelve 30-day periods fell five days short).

Cortex Query Language (XQL)

New field added to xdr_process preset

Cortex XSIAM now includes a new field called action_process_instance_ID in the xdr_process preset. This field provides the Cortex instance ID of the process.

New operators supported in the Query Builder simple search templates

Cortex XSIAM now supports the following operators for integer and float fields in Query Builder simple search templates:

  • greater than or equal to (>=)

  • less than or equal to (<=)

Supported templates are:

  • Basic

  • Identity

  • Endpoint

  • Network

  • Cloud

This helps streamline and improve your search capabilities.

Playbooks

Group playbook inputs and outputs

You can now group playbook inputs and outputs, making it easier for security analysts to manage and understand the inputs required for different stages of the playbook. Grouping enhances the playbook's clarity, reduces the likelihood of errors, and facilitates a more streamlined and efficient incident response workflow.

The Cortex XSIAM 2.1 release includes the following changes to existing functionality:

APPS column of Broker VMs page (Broker VM)

Cortex XSIAM has replaced the hover action in the APPS column of the Broker VMs page with a left-click action that displays the Broker VM applet settings and lets you add a new Broker VM applet.

target stage (XQL)

Cortex XQL now supports a target stage with the dataset type set to lookup and append=false, which re-creates the lookup from the current query's results, replacing whatever rows it previously held. Previously this dataset type only supported append=true, which adds the query's rows to the existing contents of the lookup.
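As an added example (not from the release notes), a query that rebuilds a lookup of hosts on which PSExec has run. The lookup name hosts_running_psexec and the choice of binary are assumed for illustration; the xdr_data fields used are standard. With append=false the lookup afterwards holds exactly the rows this query returned, so the query must produce the complete set of rows you want in the lookup, not only the new ones.

```xql
// Rebuild the lookup from scratch: its previous rows are discarded and
// replaced with the result of this query (lookup name is an assumption).
dataset = xdr_data
| filter event_type = ENUM.PROCESS and lowercase(action_process_image_name) = "psexec.exe"
| fields agent_hostname, actor_effective_username, action_process_image_command_line
| dedup agent_hostname
| target type = lookup name = "hosts_running_psexec" append = false
```

Changing `append = false` to `append = true` restores the previous behaviour, in which each run adds its rows to the lookup; run that way on a schedule, the lookup grows with every execution and the dedup in the query does not prevent duplicate hosts from accumulating across runs.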

Endpoints table, Last Certificate Enforcement Fallback column; Agent Settings profile

Certificate enforcement for Windows and macOS endpoints

To improve security, the Cortex XDR agent now validates the server certificate against the trusted root CA file provided with the agent only, without falling back to the endpoint's local certificate store. A CA that was added to the local store (for example by a TLS-intercepting proxy) can therefore no longer satisfy the agent's check.

There are three modes of operation, set in the Agent Settings profile. Disabled (Notify) is the default for existing tenants; new tenants have Enabled configured by default.

  • Enabled: Enforcement is on. If an agent is initially unable to communicate without the local store, enforcement is not applied to that agent and it shows as partially protected in the server UI.

  • Disabled (Notify): Enforcement is off. Agents with this policy trigger a visible banner in the UI that notifies you of the potential risk and directs you to change the certificate and the setting. The Last Certificate Enforcement Fallback column of the Endpoints table is updated, and the server receives management audit logs for each local store fallback.

  • Disabled: Enforcement is off. Agents with this policy trigger a visible banner in the UI that notifies you of the potential risk. The Last Certificate Enforcement Fallback column of the Endpoints table is not updated, and no management audit logs about the local store fallback are generated.

For existing tenants, treat Disabled (Notify) as an audit phase: the Last Certificate Enforcement Fallback column and the audit logs identify the endpoints that still rely on the local store, so you can correct their certificate configuration before switching the profile to Enabled.