This section describes the new features and updates of the Cortex XSIAM 2.3 release.
The Cortex XSIAM 2.3 release includes the following highlights:
FEATURE | DESCRIPTION |
---|---|
Custom incident layout | Streamline the investigation process by customizing the incident page layout, enhancing the visibility of important incident-specific fields, data ingested from integrations, and playbooks that can be executed. Incident layouts are customizable by incident type (e.g., phishing, malware, etc.) or based on analyst preference. |
Incident SLAs | Effectively monitor and assess key performance indicators (KPIs) by setting SLAs at the incident level, providing a quantifiable approach to efficiently tracking KPIs, obtaining real-time insights into operational performance, and ensuring alignment with established objectives. |
Playbook Dev-Prod capabilities | To support efficient playbook creation and deployment, XSIAM now provides a pre-configured development repository for creating automation playbooks that uses data ingested from an organization's production tenants, giving SecOps engineers Dev-Prod capabilities. The Dev-Prod repository enables engineers to write, test, and revise playbooks in an isolated setting before deploying them to production. |
Multi-tenant unified incident view | This feature empowers MSSP and multi-tenant administrators to centralize security operations across their distributed environment with a consolidated view of all incidents within each child tenant. This enables them to take action such as updating incident status, severity, and assignee on behalf of their child tenants. |
The Cortex XSIAM 2.3 release includes the following enhancements:
General
FEATURE | DESCRIPTION |
---|---|
Revamped Causality Card | To improve investigation efficiency, the causality card has been revamped with a new interface and layout, enabling users to gain a unified view of the causality chain and focus on the entities that interest them most. |
Saved table views | Focus on the data that matters most to you with new table view capabilities. You can now filter table data by domain, context, work queue, or other criteria, and save configurations that support your workflow. Saved table views replace saved filters. Any existing filters will be migrated to a new table view. |
Enhanced XDM to alert fields mapping in Correlation Rules | The Cortex XSIAM preconfigured alert fields mapping in Correlation Rules is now enhanced and includes additional Cortex Data Model (XDM) fields. |
Event forwarding confirmation | With Cortex XSIAM's 'Enable GB Event Forwarding' setting, before activation, users must confirm that they understand the risks and take full responsibility for sending data beyond the boundary. |
Bring Your Own Keys (BYOK) for new tenants | Introducing a new encryption option within the Cortex Gateway for new tenant setups: Cortex self-managed Bring Your Own Keys (BYOK). BYOK enables you to securely import and manage your encryption keys using the Cortex Gateway, enhancing control over your tenant data encryption and accessibility, eliminating reliance on default CSP encryption or third-party key management, and ensuring compliance with stringent regulatory requirements. |
Analytics tags highlights | Cortex XSIAM has updated the detectors inventory, introducing new analytics into both new and existing tags: |
Playbook script to print to incident and alert War Rooms | You can now add a playbook task that prints comments to the parent incident War Room or to another alert War Room, enabling the SOC analyst to view and track changes a playbook makes to incidents or alerts. |
Threat Response Center for ASM in XSIAM (Requires Attack Surface Management add-on license) | Simplify and expedite your response to emergent and global threat events with the Threat Response Center for attack surface management (ASM). The Threat Response Center provides a curated list of critical threat events with event-specific detail views to quickly identify the events that impact your organization, learn more about the risks and how to remediate them, and track remediation efforts. |
Redesigned External Service Details | Cortex XSIAM has introduced a redesigned details page for external services, providing a single point of access to all the incidents, alerts, and assets related to a service. The new service details also display a comprehensive list of attack surface test results or inferred CVE intelligence. |
Enterprise multi-tenant & MSSP flexible license model (Beta) | To gain full control of their XSIAM tenants, enterprises and MSSPs that require multiple child tenants for XSIAM now have access, through our Beta program, to their own pool of XSIAM licenses, which they can allocate to end customers, subsidiaries, and business units as needed, using Cortex Gateway for central management of all their tenants. |
Investigation and Response
FEATURE | DESCRIPTION |
---|---|
Combined alerts using correlation rules | Using the transaction stage in scheduled correlation rules, you can now group events that come from different datasets to trigger a combined alert. |
Endpoint Security
FEATURE | DESCRIPTION |
---|---|
Device control enhancements | Device control profiles for Windows and macOS endpoints now provide granular control for print jobs, in certain conditions. This additional control hardens communication with these types of peripheral devices or operations. |
Shellcode AI protection | New Precision AI-based detection rules for Windows Shellcode protection, leveraging state-of-the-art ML to detect and prevent in-memory shellcode attacks. |
Financial protection | Malware profiles for Windows and macOS endpoints now provide protection for cryptocurrency wallets that are stored on endpoints. The growing popularity of cryptocurrencies has created a need to protect cryptocurrency wallets, because they store private keys that are used to access crypto assets. |
Benign with low confidence actions | On macOS-based endpoints, new actions are available for executable files that are reported as “benign with low confidence”. This feature adds more granularity to malware detection, and provides enhanced protection against potentially malicious files. |
Engines
FEATURE | DESCRIPTION |
---|---|
Additional supported Oracle Linux versions | Cortex XSIAM now supports Oracle Linux 8.9 and 9.3 for engine installation. |
CentOS 7.x reached End of Life | CentOS 7.x reached End of Life (EOL) on June 30, 2024, and is no longer a supported operating system. |
Data Onboarder
FEATURE | DESCRIPTION |
---|---|
Support content packs with multiple integrations | The Data Onboarder now configures the default integration from content packs that have multiple integrations. The default integration of the content pack is indicated in each content pack's documentation. |
XDR Collectors
Windows 1.4.1.1100 and Linux 1.4.1.1089
For more information on maintenance releases, see Maintenance Releases.
FEATURE | DESCRIPTION |
---|---|
XDR Collectors 1.4.1 | This release includes performance improvements and bug fixes. |
Broker VM
Version 24.2.8
For more information on maintenance releases, see Maintenance Releases.
FEATURE | DESCRIPTION |
---|---|
New ability to increase Broker VM disk size | Cortex XSIAM now supports extending the disk space allocated for data caching in the Broker VM to attain better resilience during network and connectivity issues. Read more in Increase Broker VM storage allocated for data caching. |
External Data Ingestion and Management
FEATURE | DESCRIPTION |
---|---|
XSIAM Health Monitoring | Monitor the health and integrity of supported Cortex XSIAM resources with XSIAM Health Monitoring. Gain insights into health drifts, such as failure events or status changes, and ensure optimal performance by setting up notifications and automated actions in the following areas: For more information, see About health alerts. |
Update lookup datasets using Correlation Rules | Cortex XSIAM now enables updating lookup datasets using Correlation Rules. This includes adding and removing lookup entries so you can better correlate data from a data source you provide with the events in your environment. Read more in Create a Correlation Rule. |
Update lookup datasets using the API | Cortex XSIAM now supports using the API to update lookup datasets, which makes it easier to correlate data from the data source to the events in your environment. The following new APIs are supported: |
Cortex Query Language (XQL)
FEATURE | DESCRIPTION |
---|---|
New XQL standard deviation comp aggregate functions | Cortex XSIAM now supports using the following XQL standard deviation (STD) comp aggregate functions: |
Aligned XQL stages descriptions, syntax, and XQL Helper | The XQL query stages, syntax descriptions, and descriptions in the XQL Helper in Cortex XSIAM are now aligned with the descriptions found in the Cortex XSIAM XQL Language Reference guide. This ensures that the same information is provided in all places. |
Enhancements to XQL | Cortex Query Language (XQL) now supports defining multiple CIDRs with comma-separated syntax in the following functions and operators: Note: These changes are only supported when building an XQL query with the Query Builder or in Correlation Rules. |
Forensics
FEATURE | DESCRIPTION |
---|---|
Support Browser Collections in Agent for macOS | Cortex XSIAM now supports Web History searches in Forensic Hunts. Browsers supported are Chrome, Edge, Firefox, Internet Explorer, and Safari along with custom searches for any Chromium-based browser. |
The Cortex XSIAM 2.3 release includes the following changes to existing functionality:
COMPONENT | AREA | DESCRIPTION |
---|---|---|
Alerts | | This release adds new Health alerts that monitor data health and integrity in Cortex XSIAM. On the Alerts page, the new Alert Domain field categorizes alerts as Security or Health. Please review your existing filter-based rules to ensure their relevance to the intended alert domain. In addition, you must review any XQL based objects that query the alert dataset to determine whether the |
Ingestion and collection errors | Data ingestion health page | The Data Ingestion Health page has been renamed to Health Alerts and displays alerts that were triggered after July 2024. To see health alerts that were triggered before this date, click Legacy Health Alerts. |
Syslog server configured for Event Notification Forwarding (Requires an Event Forwarding add-on license) | External data ingestion and data management | The Cortex XSIAM infrastructure has been upgraded. As a result, OpenSSL versions prior to 1.1.1, which are past end of life, are no longer supported. This change relates specifically to the Syslog server configured in your environment for Event Notification Forwarding. Going forward, OpenSSL 1.1.1 and later are supported. If your Syslog server is running an older OpenSSL version, upgrade OpenSSL immediately to avoid disruptions. |
Cortex Data Model | XQL | Cortex Data Model (XDM) queries in Cortex Query Language (XQL) now run more quickly and efficiently by running on explicitly defined datasets, as opposed to running by default on all datasets. To support this change, the following modifications have been implemented: |
filter stage | XQL | Cortex XSIAM has changed the behavior of using triple double quotes in a Cortex Query Language (XQL) |
Saved filters | Table views | Saved filters have been replaced by saved table views. Any existing saved filters will be migrated into a new table view. |
Some high-impact attack surface rules will be enabled for all customers (Requires Attack Surface Management add-on license) | Attack surface management (ASM) | Cortex XSIAM will be enabling additional attack surface rules for all customers with the ASM add-on license during the Cortex XSIAM 2.3 upgrade. Many of the rules to be enabled are related to IoT (Internet of Things) and operational technology (OT), in addition to other impactful but uncommon rules. Due to the low prevalence of these applications on the public internet, we anticipate this change having minimal impact for most customers while providing faster visibility into critical risks. Additionally, we will be disabling the Insecure PHP rule by default. These rule changes will not override any customer applied changes to the enablement status or severity for attack surface rules. |
Email structure of forwarded alerts | Forwarded Alert Emails | When an alert is forwarded in an email, the full alert JSON file is now attached to the email and not embedded inside the email body. The email body now includes the following fields: The attached JSON file's content includes, with no changes, the rest of the alert information. |
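The Syslog server change above sets a hard floor of OpenSSL 1.1.1 for Event Notification Forwarding. The following POSIX shell script is an added example, not part of these release notes or of any Palo Alto Networks tooling, for checking the OpenSSL build on a Syslog server against that floor before the upgrade lands. It assumes only that `openssl version` prints a banner of the form `OpenSSL <version> <date>`; the function names are the example's own.

```shell
#!/bin/sh
# Added example: verify a Syslog server's OpenSSL meets the 1.1.1 minimum
# required by Cortex XSIAM 2.3 for Event Notification Forwarding.
# Assumes `openssl version` prints e.g. "OpenSSL 1.1.1k  25 Mar 2021".

# Return 0 when version string $1 (e.g. "1.0.2u", "1.1.1k", "3.0.2") is
# 1.1.1 or later, 1 when it is older, 2 when it cannot be parsed.
openssl_version_ok() {
    v=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v
    major=$1; minor=$2; patch=$3
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 1 ]; then return 0; fi
    if [ "$minor" -lt 1 ]; then return 1; fi
    [ "$patch" -ge 1 ]
}

# Pull the version token (second field) out of the `openssl version` banner.
openssl_version_from_banner() {
    printf '%s' "$1" | awk '{print $2}'
}

# Run the check against the OpenSSL binary on this host.
check_local_openssl() {
    banner=$(openssl version 2>/dev/null) || { echo "openssl not found on PATH"; return 2; }
    ver=$(openssl_version_from_banner "$banner")
    if openssl_version_ok "$ver"; then
        echo "OK: OpenSSL $ver meets the 1.1.1 minimum for Event Notification Forwarding"
    else
        echo "UPGRADE NEEDED: OpenSSL $ver is below 1.1.1 and will stop receiving forwarded events"
        return 1
    fi
}
```

Run `check_local_openssl` on the Syslog host itself; a non-zero exit status flags a server that will lose forwarded events after the upgrade. The version comparison is done numerically per component rather than by string comparison so that 3.0.2 is correctly ranked above 1.1.1.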