This section describes the new features and updates of the Cortex XSIAM 1.5 release.
Cortex XSIAM 1.5 includes the following release highlights:
High Availability Cluster for Broker VMs To ensure high availability (HA) in delivering services running on the Broker VM, Cortex XSIAM now includes a Broker VM HA Cluster, which is designed to provide redundancy of the Broker VM components in your network. The Broker VM HA Cluster eliminates the single node as a point of failure in multiple scenarios, such as failed hardware or software crashes, provides high availability and load balancing, and allows streamlined maintenance and upgrades. |
Granular Data Ingestion Metrics and Monitoring To ensure complete and uninterrupted data ingestion, a new monitoring framework offers instant visibility into the health, connectivity, and performance of your data collectors. This includes:
|
Security Modules Cortex XSIAM introduces new prevention modules that provide more detection and protection coverage capabilities. This includes:
|
Compliance Module Ensure your organization is following regulatory guidelines for common security frameworks like PCI, HIPAA, SOX and more with a new Compliance Module. The new module will be sold separately on top of XSIAM and will be available for free for several months after its launch. |
Salesforce.com Data Collector With the new native Salesforce.com integration, Cortex XSIAM can now ingest Salesforce Audit Trail and Security Monitoring events. This includes events such as login history and security events, that are critical for effective monitoring. |
Playground You can now use the Playground to safely develop and test scripts, APIs, commands, etc. In this non-production environment, you can investigate alerts without being connected to a live (active) investigation. |
Incident Context for Playbooks Expand your remediation capabilities during an investigation by gathering insights at an incident context level from multiple alerts. Use the data for automation purposes, such as CLI commands and playbooks. |
Dashboard Drilldowns New Dashboard drilldowns provide users with interactive data insights when clicking on data points, table rows, or other visualization elements. Drilldowns can trigger contextual changes on the dashboard, or they can link to an XQL search, a custom URL, other dashboards, or a report. You can create drilldowns with dynamic parameters in XQL widgets. |
Identity Threat Module Enhancements Get deeper insights into threats and respond more effectively with our asset role enrichments for alerts, incidents, and XQL searches in the Identity Threat Module (ITM). Cortex introduces an improved peer scoring breakdown, a deeper understanding of the current host risk score, and a global host scores view for better risk management of your assets. |
New Broker VM image Cortex XSIAM includes a new image for the Broker VM with an updated operating system (Ubuntu 20.04). |
The Cortex XSIAM 1.5 release includes the following enhancements:
INVESTIGATION AND RESPONSE | |
Identity Threat Module - Risk Score Normalization | To enable a better understanding of the risk score of an asset in the Identity Threat Module, Cortex XSIAM includes a risk level severity in the API. The severity categories are Low, Medium, or High, based on a deep analysis of the incidents in which the asset participated. |
Automatic Enrichment For Asset Role Tags in Alerts and Incidents | Cortex XSIAM now supports automatic enrichment for asset role tags for quick asset role extraction during incident response activities. |
Next-Generation Firewall (NGFW) Network Logs Mapped to Cortex Data Model (XDM) | To improve your investigation capabilities, Cortex XSIAM now maps NGFW network log data from the following datasets to the XDM. This improves the existing detection capabilities on network data.
|
Auditing capabilities | The Management Audit Logs now include auditing of actions for alert layouts, alert layout rules, and alert fields. |
ENDPOINT SECURITY | |
Applying BIOC Rules to Prevention | To provide you with more granularity, Cortex XSIAM now enables you to manage detection separately from prevention when disabling a BIOC rule. |
Password Strength Requirement for Uninstall Password for Agent | To enhance Cortex security measures, a new password strength requirement is now enforced for Uninstall Password in the Agent settings profile. |
Malware Security Profile Capabilities for macOS | The Local File Threat Examination security module is now available for macOS. This provides extra protection for the agent and can optionally quarantine malicious files and terminate malicious processes on the endpoint. |
FORENSICS | |
Triage Public API | Cortex XSIAM has added an API for initiating forensic triage actions. |
AnyDesk Log Support for Forensics | The forensics add-on now includes two new remote access artifacts: AnyDesk Trace Logs and AnyDesk Connection Logs. The addition of these artifacts expands the Cortex XSIAM ability to identify attacker infiltration and persistence within a network. |
EXTERNAL DATA INGESTION AND MANAGEMENT | |
Cortex Data Model (XDM) Improved Error Reporting on Invalid Rules | When running an XDM query, if one of the rules is invalid, this rule is now automatically excluded from the query. |
Okta Data Collector | Additional Okta data collector event types have been added, and are now saved in the saas_audit_logs dataset. |
Event Forwarding Capability | The Google Pub/Sub subscription has been implemented to ensure that you can download each file only once. |
Parsing Rules Improved Error Reporting for Data Collection | The |
NGFW Log Ingestion enhancements | As part of the enhancements to the integration of NGFW through the native Cortex XSIAM data lake, NGFW log ingestion was also enhanced:
|
Device ID Mapping for Fortinet FortiGate firewalls | The |
Run Queries on Rewarmed Data at No Additional Cost | Cold storage queries are now faster and more efficient due to an improved data rewarm algorithm. Rewarmed data is saved in a temporary hot storage cache that is available for subsequent queries on the same time-range at no additional cost. |
XDR COLLECTORS Windows 1.4.0.992 and Linux 1.4.0.907 For more information on maintenance releases, see Maintenance Releases. | |
XDR Collectors Log Monitoring | To monitor the collection health of the XDR Collectors, Cortex XSIAM now provides an out-of-the-box template that collects log files in a designated dataset, |
BROKER VM Version 20.0.96 For more information on maintenance releases, see Maintenance Releases. | |
Broker VM Configuration Import | You can now copy the configuration of a Broker VM to another Broker VM. This also includes applet settings. NoteSupported from Broker VM version 20.0 and later |
Broker VM Local Agent Settings Applet with 50K Agents | Each Local Agent Settings applet on the Broker VM now supports up to 50,000 agents, as opposed to only 10,000. |
Timestamp Format Retrieval Value in the Database Collector Applet. | You can now configure the retrieval value for a timestamp as an integer or a string. The following string timestamp formats are now supported:
|
CORTEX QUERY LANGUAGE (XQL) | |
XQL config case-sensitive Stage Command in Data Model Rules | Cortex XSIAM now supports configuring the XQL |
Enhanced Cortex XQL Schema Reference Guide | The Cortex XQL Schema Reference Guide has been improved to provide the latest fields and field descriptions available in the |
XQL Boolean Operator | The Cortex Query Language (XQL) now includes a new boolean |
XQL getrole Stage for Enriching Events with Specific Roles (Requires Identity Threat Module) | Cortex Query Language (XQL) now includes a NoteThis stage is unsupported in BIOCs and real-time Correlation Rules. |
GATEWAY | |
Gateway Supports View and Manage User-Groups Across All Products | To expand the current gateway capabilities, you can view and manage user-groups across all products. |
Gateway Supports View and Manage RBAC Settings Across All Products | To expand the current gateway capabilities, you can view and manage tenants and role-based access control (RBAC) settings across all products. |
GENERAL | |
Support Encryption for Download Files | To improve security measures, you can configure a password for all files that were downloaded during an investigation by the Cortex XDR agent. |
The Cortex XSIAM 1.5 release includes the following changes to existing functionality:
Component | Area | Description |
|---|---|---|
Data Ingestion Dashboard | Dashboards | Due to a calculation change in NGFW log ingestion and improvements to data ingestion metrics, you cannot view data earlier than July 2023 on the Data Ingestion Dashboard. However, you can still view this data by running Cortex XQL Language (XQL) queries on the |
xdr_data dataset | Field mapping | Fields that used to be mapped from the "other" field to the schema are now extracted from the "other" field into the xdr_dataset as standalone fields, and a new JSON field called "other_json" has been introduced. From now on, the "other_json" field will hold unmapped fields. The "other" field is deprecated and will have the NULL value for any new ingested data. |
All Endpoints page | Network Interfaces | The All Endpoints page, Network Interface column now displays network interface attributes in JSON format. |
Query center | Query Builder | The Query Center table is now automatically filtered by user-driven queries. |
And Operator | XQL | Since most databases usually recognize the For example, previously, when the This change will affect any previous queries that you have saved, since before the Cortex XSIAM 1.5 release, which use the |
Join Stage | XQL | Cortex XSIAM has made some improvements to the |
Okta Data Collector | Datasets | Three event types that were previously saved in xdr_data are now saved in saas_audit_logs: user.mfa.factor.activate user.mfa.factor.deactivate user.mfa.attempt_bypass |