February 2025 - Release Notes - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Release Notes

Product
Cortex XSIAM
Creation date
2024-11-18
Last date published
2025-03-16
Category
Release Notes

This section describes the new features and updates of the Cortex XSIAM 2.5 release.

The Cortex XSIAM 2.5 release includes the following highlights:

FEATURE

DESCRIPTION

Accelerate legacy SIEM upgrades with bulk data import

Streamline your transition to Cortex XSIAM by importing historical data into cold storage. This process simplifies data migration while ensuring secure, long-term storage. Once imported, you can easily access and search the data for various purposes, such as analysis, compliance, and audits.

Enhanced investigation experience

Causality Forensics Highlights are now enriched with MITRE ATT&CK tactics, techniques, and procedures (TTPs) as well as additional data points such as URL verdicts, WildFire reports and Threat Context. This streamlines your investigations and provides immediate, actionable insights into security alerts and the related artifacts in the causality chain.

Prisma Access Browser integration

Integrating Prisma Access Browser data into Cortex XSIAM expands the attack context to include browser activity. This allows you to query Prisma Access Browser data directly within Cortex and generate detection and correlation rules.

Enhanced visibility and auditing for Broker VM

Cortex XSIAM now provides enhanced error visibility and auditing for Broker VM applets. This enables you to quickly identify and resolve application, connectivity, and processing errors, simplifying troubleshooting and ensuring your critical workflows remain uninterrupted.

Flexible compute unit (CU) consumption

The new annual consumption plan allows you the flexibility to scale up during critical investigations or intensive periods and scale back during routine operations for predictable resource management.

The Cortex XSIAM 2.5 release includes the following enhancements:

General

FEATURE

DESCRIPTION

Enhanced version compatibility notifications for development and production environments

Receive clear warnings and visual indicators for potential version mismatches when syncing content between development and production, ensuring seamless upgrades.

Fields added to alert notification email body

Cortex XSIAM has added the following alert fields to the body of the email sent for alert notification: Name, Description, Severity, File path, and Timestamp.

Add installation tags during package creation

Streamline the deployment process by defining Endpoint tags during the creation of an agent installation package. Any tags you define will be automatically applied to all new agents deployed using the installer.

Website data in ASM in Cortex XSIAM

(Requires the Attack Surface Management (ASM) add-on license)

Continuously discover and monitor your website inventory and web technologies, identify insecure and misconfigured websites, and flag sites that fail security best practices and put users at risk.

Simplified Self-Service Asset Management

(Requires the Attack Surface Management (ASM) add-on license)

The new bulk asset management features enable you to proactively add/remove ASM assets, such as IP address ranges, paid-level domains, and subdomains, across your attack surface.

War room filtering

In the War Room, when you select multiple filters, you can now view results that match any of the selected filters.

Detection rules

FEATURE

DESCRIPTION

Analytics tags highlights

  • Cortex XSIAM has introduced new advanced Analytics detection suites for emerging threats on macOS:

    • Credentials grabbing: Detects anomalous activities associated with credential grabbing.

    • Sensitive information stealing: Detects anomalous activities associated with stealing sensitive personal and organizational information.

    • AppleScript: Detects anomalous AppleScript operations carried out by malicious threat actors.

  • Cortex XSIAM now includes new analytics detections over a new data source, Microsoft Graph Activity logs:

    • Microsoft Graph Activity logs: Detects anomalous activity in Microsoft Graph activity logs.

Custom preconfigured alert field mapping in correlation rules

When creating or editing correlation rules that use the preconfigured XDM -> Alert fields mapping, you can now select the value of each preconfigured field that will be displayed in the alert. This gives you more granularity in how alert fields are displayed.

New rule tag in alerts

Enhanced visibility into new content updates: content version tags are added to new alerts generated by BTP rules introduced in a content update.

Dozens of new Attack Surface Rules and Attack Surface Tests

(Requires the Attack Surface Management (ASM) add-on license)

The new rules and tests expand detection coverage for existing and new KEV vulnerabilities. You can also discover over 100 unique OT/IoT devices, providing unmatched visibility across industrial and connected device environments.

Endpoint security

FEATURE

DESCRIPTION

Protection against malicious ASP and ASPX files

For Windows-based endpoints, you can now configure Cortex XSIAM to analyze ASP and ASPX files, and prevent malicious ones from being written to your endpoints’ file system.

Visibility of CVEs without a CVSS score

Cortex XSIAM now includes CVEs identified by the Enhanced Vulnerability Assessment (VA) scanner that have not yet received an official CVSS score. This enhancement provides better visibility into emerging threats, enabling proactive security measures.

XDR Collectors

Windows 1.4.2.1373 and Linux 1.4.2.1302

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

XDR Collectors 1.4.2

This release includes performance improvements and bug fixes.

Broker VM

Version 26.0.116 (reboot required)

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

Broker VM 26.0.116

This release includes performance improvements and bug fixes.

External data ingestion and management

FEATURE

DESCRIPTION

Enhanced Analytics activation (soak) mechanism for new data source integration (Beta)

An enhanced Analytics soak mechanism now initiates a targeted soak period for each detector and data source upon analytics-affecting data source integration. This enhances resilience to baseline shifts, boosts detection accuracy, and reduces false positives and noise caused by integrating new data.

Integration Permissions in Cortex XSIAM

Cortex XSIAM now allows users to leverage role-based access control (RBAC) to restrict integration commands to specific roles. You can set different permission levels for the same command across multiple instances of the same integration, offering greater flexibility and control over user access.

Support for the ed25519 algorithm to connect to private content repositories

Cortex XSIAM now supports the high-speed, high-security ed25519 algorithm for SSH connections to content repositories, aligning with industry best practices and providing a more secure method of access that enhances your overall security posture.

Analyst actions recorded in audit logs

Audit logs now record commands entered by analysts in the War Room and Playground, which improves visibility into analyst actions taken during the alert response and troubleshooting processes.

API

FEATURE

DESCRIPTION

New API capabilities

New APIs significantly enhance the management and configuration experience for syslog and authentication settings:

  • Facilitate easier management of syslog servers at scale.

  • Configure IdP and SSO, giving administrators greater control and efficiency in enforcing and managing access control.

Delete Cortex XDR agent installation packages

Cortex XSIAM has expanded its public API to include a new endpoint for deleting specific Cortex XDR agent installation packages.

Engines

FEATURE

DESCRIPTION

Enhanced engine upgrades

Gain greater flexibility and control over the upgrade process by setting upgrade variables, such as https_proxy, using a new upgrade.conf file.

Note

You can use this feature when upgrading engines to Cortex XSIAM 2.6 and later.

Platform support

Cortex XSIAM now supports the following platforms for engine installation:

  • RHEL version 9.5

  • Oracle Linux version 9.4

  • Amazon Linux 2023

  • Ubuntu 24.04

Automations

FEATURE

DESCRIPTION

Playbook collapsible sections

Collapsible playbook sections increase productivity and efficiency in workflow management by letting users stay focused on the relevant playbook details without distraction and navigate complex playbooks easily.

A new look and feel for playbooks

Improve playbook readability and clarity through an updated look and feel. Changes include:

  • New colors and icons for task types

  • A pending status for tasks while the playbook is running

  • Descriptions in playbook headers

  • Task and header descriptions are accessible via the "i" icon

Role-based access control for integration commands

Cortex XSIAM now allows users to leverage role-based access control (RBAC) to restrict integration commands to specific roles. You can set different permission levels for the same command across multiple instances of the same integration, offering greater flexibility and control over user access.

Expanded coverage for automated exposure remediation

(Requires the Attack Surface Management (ASM) add-on license)

Newly added support for Kubernetes Control Plane Component, LDAP Server, NetBIOS Name Server, NFS Rpcbind Server, Rpcbind Server, and SMB Server enables you to save time and reduce manual work across a broader set of attack surface exposures.

Marketplace content

FEATURE

DESCRIPTION

Response & Remediation Content Pack

The Response and Remediation content pack for Cortex XSIAM enables security teams to efficiently address threats through automation. The playbooks in the content pack are tightly coupled to issues, streamlining incident response, providing precision and safety while leveraging advanced security knowledge.