June 2024 - Release Notes - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Release Notes

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-09-05
Category
Release Notes

This section describes the new features and updates of the Cortex XSIAM 2.3 release.

The Cortex XSIAM 2.3 release includes the following highlights:

FEATURE

DESCRIPTION

Custom incident layout


Streamline the investigation process by customizing the incident page layout, enhancing the visibility of important incident-specific fields, data ingested from integrations, and playbooks that can be executed. Incident layouts are customizable by incident type (e.g., phishing, malware, etc.) or based on analyst preference.

Incident SLAs

Effectively monitor and assess key performance indicators (KPIs) by setting SLAs at the incident level, providing a quantifiable approach to efficiently tracking KPIs, obtaining real-time insights into operational performance, and ensuring alignment with established objectives.

Playbook Dev-Prod capabilities

To ensure efficient playbook creation and deployment, Cortex XSIAM now provides a pre-configured development repository for creating automation playbooks, using data ingested from an organization's production tenants and giving SecOps engineers Dev-Prod capabilities. The Dev-Prod repository enables engineers to write, test, and revise playbooks in an isolated setting before deploying them to production.

Multi-tenant unified incident view

This feature empowers MSSP and multi-tenant administrators to centralize security operations across their distributed environment with a consolidated view of all incidents within each child tenant. This enables them to take action such as updating incident status, severity, and assignee on behalf of their child tenants.

The Cortex XSIAM 2.3 release includes the following enhancements:

General

FEATURE

DESCRIPTION

Revamped Causality Card

To improve investigation efficiency, the causality card has been revamped with a new interface and layout, enabling users to gain a unified view of the causality chain and focus on the entities that interest them most.

Saved table views

Focus on the data that most matters to you with new table view capabilities. You can now filter table data by domain, context, work queue, or other criteria, and save configurations that support your workflow.

Saved table views are replacing saved filters. Any existing filters will be migrated to a new table view.

Enhanced XDM to alert fields mapping in Correlation Rules


The Cortex XSIAM preconfigured alert fields mapping in Correlation Rules is now enhanced and includes additional Cortex Data Model (XDM) fields.

Event forwarding confirmation


With Cortex XSIAM's setting for 'Enable GB Event Forwarding', before activation, users must confirm that they understand the risks and take full responsibility for sending data beyond the boundary.

Bring Your Own Keys (BYOK) for new tenants


Introducing a new encryption option within the Cortex Gateway for new tenant setups: Cortex self-managed Bring Your Own Keys (BYOK).

BYOK enables you to securely import and manage your encryption keys using the Cortex Gateway, enhancing control over your tenant data encryption and accessibility, eliminating reliance on default CSP encryption or third-party key management, and ensuring compliance with stringent regulatory requirements.

Analytics tags highlights

Cortex XSIAM has updated the detectors inventory, introducing new analytics into both new and existing tags:

  • Chromium Extensions Analytics (New) - Detection of malicious browser extensions being loaded or installed, identifying anomalous extensions and installation methods.

  • Malicious Service Analytics (New) - Detection of malicious services being loaded or installed.

  • NDR Lateral Movement Analytics - Advanced lateral movement detection, leveraging Analytics capabilities to identify anomalies in protocols that are used for lateral movement.

  • NDR C2 Analytics - Advanced detection for abnormal network communication that resembles C2 traffic using protocols analysis, local and cross-customer machine learning, and threat intel.

Playbook script to print to incident and alert War Rooms

You can now add a playbook task that prints comments to the parent incident War Room or to another alert War Room, enabling the SOC analyst to view and track changes a playbook makes to incidents or alerts.

Threat Response Center for ASM in XSIAM

(Requires Attack Surface Management add-on license)

Simplify and expedite your response to emergent and global threat events with the Threat Response Center for attack surface management (ASM). The Threat Response Center provides a curated list of critical threat events with event-specific detail views to quickly identify the events that impact your organization, learn more about the risks and how to remediate them, and track remediation efforts.

Redesigned External Service Details

Cortex XSIAM has introduced a redesigned details page for external services, providing a single point of access to all the incidents, alerts, and assets related to a service. The new service details also display a comprehensive list of attack surface test results or inferred CVE intelligence.

Enterprise multi-tenant & MSSP flexible license model (Beta)

Through our Beta program, enterprises and MSSPs that require multiple XSIAM child tenants can now gain full control of their tenants with their own pool of XSIAM licenses, which they can allocate to end customers, subsidiaries, and business units as needed, using Cortex Gateway for central management of all their tenants.

Investigation and Response

FEATURE

DESCRIPTION

Combined alerts using correlation rules

Using the transaction stage in scheduled correlation rules, you can now group events that come from different datasets to trigger a combined alert.

Endpoint Security

FEATURE

DESCRIPTION

Device control enhancements

Device control profiles for Windows and macOS endpoints now provide granular control for print jobs, in certain conditions.

This additional control hardens communication with these types of peripheral devices or operations.

Shellcode AI protection

New Precision AI-based detection rules for Windows Shellcode protection, leveraging state-of-the-art ML to detect and prevent in-memory shellcode attacks.

Financial protection

Malware profiles for Windows and macOS endpoints now provide protection for cryptocurrency wallets that are stored on endpoints. The growing popularity of cryptocurrencies has created a need to protect cryptocurrency wallets, because they store private keys that are used to access crypto assets.

Benign with low confidence actions

On macOS-based endpoints, new actions are available for executable files that are reported as “benign with low confidence”. This feature adds more granularity to malware detection, and provides enhanced protection against potentially malicious files.

Engines

FEATURE

DESCRIPTION

Add supported Oracle Linux versions

Cortex XSIAM now supports Oracle Linux 8.9 and 9.3 for engine installation.

CentOS 7.x reached End of Life

CentOS 7.x reached End of Life (EOL) on June 30, 2024, and is no longer a supported operating system.

Data Onboarder

FEATURE

DESCRIPTION

Support content packs with multiple integrations

The Data Onboarder now configures the default integration from content packs that have multiple integrations. The default integration of the content pack is indicated in each content pack's documentation.

XDR Collectors

Windows 1.4.1.1100 and Linux 1.4.1.1089

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

XDR Collectors 1.4.1

This release includes performance improvements and bug fixes.

Broker VM

Version 24.2.8

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

New ability to increase Broker VM disk size

Cortex XSIAM now supports extending the disk space allocated for data caching in the Broker VM to attain better resilience during network and connectivity issues. Read more in Increase Broker VM storage allocated for data caching.

External Data Ingestion and Management

FEATURE

DESCRIPTION

XSIAM Health Monitoring

Monitor the health and integrity of supported Cortex XSIAM resources with XSIAM Health Monitoring. Gain insights into health drifts, such as failure events or status changes, and ensure optimal performance by setting up notifications and automated actions in the following areas:

  • Ingestion - ensure complete and uninterrupted data ingestion with new analytical detectors

  • Collection - instant visibility into the health, connectivity, and performance of your data collectors

  • Correlation - audit, monitoring, and alerts on correlation rule executions

For more information, see About health alerts.

Update lookup datasets using Correlation Rules

Cortex XSIAM now enables updating lookup datasets using Correlation Rules. This includes adding and removing lookup entries so you can better correlate data from a data source you provide with the events in your environment. Read more in Create a Correlation Rule.

Update lookup datasets using the API

Cortex XSIAM now supports using the API to update lookup datasets, which makes it easier to correlate data from the data source to the events in your environment. The following new APIs are supported:

  • add_data - Adds or updates data in a lookup dataset

  • remove_data - Removes data from a lookup dataset

  • get_data - Gets data from a lookup dataset

  • add_dataset - Adds a lookup dataset

  • delete_dataset - Deletes a dataset

  • get_datasets - Gets a list of available datasets

Cortex Query Language (XQL)

FEATURE

DESCRIPTION

New XQL standard deviation comp aggregate functions

Cortex XSIAM now supports using the following XQL standard deviation (STD) comp aggregate functions:

  • stddev_pop: Returns the population (biased) variance of a field.

  • stddev_sample: Returns the sample (unbiased) standard deviation of a field.

Aligned XQL stages descriptions, syntax, and XQL Helper

The XQL query stages, syntax descriptions, and descriptions in the XQL Helper in Cortex XSIAM are now aligned with the descriptions found in the Cortex XSIAM XQL Language Reference guide. This ensures that the same information is provided in all places.

Enhancements to XQL incidr and incidr6 functions and operators

Cortex Query Language (XQL) now supports defining multiple CIDRs with comma separated syntax in the following functions and operators:

  • incidr and incidr6 functions, where it is now possible to run the function on comma separated CIDRs.

  • incidr, not incidr, incidr6, and not incidr6 operators, where it is now possible to run the operator on comma separated CIDRs.

Note

These changes are only supported when building an XQL query with the Query Builder or in Correlation Rules.
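The standard deviation aggregates and the comma-separated CIDR syntax described above, combined in one added example (not from the release notes): a correlation-rule query that excludes the RFC 1918 ranges with a single not incidr operator and uses stddev_sample() to profile per-host upload volume. The xdr_data field names (agent_hostname, action_remote_ip, action_total_upload) and the exact single-string form of the comma-separated CIDR list are assumptions.

```xql
// Added example, not from the release notes. Written as a scheduled
// correlation-rule query, where the multi-CIDR incidr syntax is supported.
// Assumed xdr_data fields: agent_hostname, action_remote_ip, action_total_upload.
dataset = xdr_data
| filter event_type = ENUM.NETWORK
// One operator now covers all three private ranges; before 2.3 this needed
// three separate "not incidr" conditions joined with "and".
| filter action_remote_ip not incidr "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
// Per-host upload profile to external addresses, using the new
// sample (unbiased) standard deviation aggregate alongside avg/sum.
| comp count() as conn_count,
       sum(action_total_upload) as bytes_out,
       avg(action_total_upload) as avg_out,
       stddev_sample(action_total_upload) as sd_out
  by agent_hostname
// Keep hosts with enough connections for the deviation to mean something,
// then rank by dispersion: bursty, uneven uploads float to the top for review.
| filter conn_count >= 20 and sd_out > 0
| sort desc sd_out
| limit 50
```

A baseline built this way is a triage aid, not a verdict: pair sd_out with avg_out and bytes_out before raising an alert, since a few large legitimate transfers also widen the deviation.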

Forensics

FEATURE

DESCRIPTION

Support Browser Collections in Agent for macOS

Cortex XSIAM now supports Web History searches in Forensic Hunts. Browsers supported are Chrome, Edge, Firefox, Internet Explorer, and Safari along with custom searches for any Chromium-based browser.

The Cortex XSIAM 2.3 release includes the following changes to existing functionality:

COMPONENT

AREA

DESCRIPTION

Alerts

  • Playbook Triggers

  • Starred Alerts

  • Layout rules

  • Alert Exclusions

  • Notification Forwarding Configurations

  • XQL Widgets

  • Scheduled Queries

This release adds new Health alerts that monitor data health and integrity in Cortex XSIAM. On the Alerts page, the new Alert Domain field categorizes alerts as Security or Health.

Please review your existing filter-based rules to ensure their relevance to the intended alert domain. In addition, you must review any XQL-based objects that query the alert dataset to determine whether the alert_domain = "DOMAIN_HEALTH" or alert_domain = "DOMAIN_SECURITY" filter should be applied.
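The review described above, as an added example (not from the release notes) of an XQL widget or scheduled query over the alert dataset before and after adding the alert_domain filter. The dataset name alerts and the fields severity and alert_name are assumptions.

```xql
// Added example, not from the release notes.
// Assumed: the alert dataset is named "alerts" and carries severity and alert_name.

// BEFORE 2.3: a SOC dashboard widget counting alerts by severity.
// After the upgrade this silently mixes the new Health alerts into the totals.
dataset = alerts
| comp count() as alert_count by severity
| sort desc alert_count

// AFTER 2.3: the same widget, scoped to the security domain so Health
// alerts no longer inflate the analyst-facing numbers.
dataset = alerts
| filter alert_domain = "DOMAIN_SECURITY"
| comp count() as alert_count by severity
| sort desc alert_count

// A separate object for the platform-health view, scoped the other way,
// grouped by rule name so recurring ingestion/collection failures stand out.
dataset = alerts
| filter alert_domain = "DOMAIN_HEALTH"
| comp count() as alert_count by alert_name
| sort desc alert_count
```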

Ingestion and collection errors

Data ingestion health page

The Data Ingestion Health page has been renamed to Health Alerts and displays alerts that were triggered after July 2024. To see health alerts that were triggered before this date, click Legacy Health Alerts.

Syslog server configured for Event Notification Forwarding

(Requires an Event Forwarding add-on license)

External data ingestion and data management

Cortex XSIAM infrastructure is now upgraded. As a result, OpenSSL versions earlier than 1.1.1, which are past end of life, are no longer supported. This change relates specifically to the Syslog server configured in your environment for Event Notification Forwarding.

Going forward, OpenSSL 1.1.1 and later are supported. If your Syslog server is running an older OpenSSL version, upgrade the OpenSSL version immediately to avoid disruptions.

Cortex Data Model

XQL

Cortex Data Model (XDM) queries in Cortex Query Language (XQL) now run more quickly and efficiently by running on datasets explicitly defined, as opposed to running by default on all datasets.

To support this change, the following modifications have been implemented:

  • When writing an XDM query, datamodel is no longer supported without specifying a dataset by using datamodel dataset = <dataset_name> …  or datamodel dataset in (<dataset_name>,...) …

    Note

    While datamodel dataset=* is still supported in the query, we recommend that you specify specific datasets.

  • The Query Builder simple search templates now run on the following datasets by default:

    • Basic, Identity, Endpoint, Network templates: xdr_data

    • Cloud template: cloud_audit_logs
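The datamodel change above, as an added example (not from the release notes) of rewriting an XDM query so it names its datasets. The XDM field names are assumptions drawn from the Cortex Data Model; the two dataset names are the ones listed in this section.

```xql
// Added example, not from the release notes.
// BEFORE 2.3 this form ran against every dataset in the tenant:
//   datamodel
//   | filter xdm.source.user.username = "svc_backup"
// It is no longer accepted without a dataset clause.

// AFTER 2.3: name the datasets the investigation actually needs.
// Endpoint and cloud audit data are both normalized to XDM, so one query
// still follows a single account across both, but scanning nothing else.
datamodel dataset in (xdr_data, cloud_audit_logs)
| filter xdm.source.user.username = "svc_backup"
| fields _time, xdm.event.type, xdm.source.ipv4, xdm.target.ipv4
| sort desc _time
| limit 200

// Single-dataset form for an endpoint-only question:
datamodel dataset = xdr_data
| filter xdm.source.user.username = "svc_backup"
| comp count() as logon_count by xdm.source.ipv4
```

datamodel dataset=* remains accepted, but it restores the old cost profile; reserve it for one-off hunts rather than saved or scheduled queries.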

filter stage

XQL

Cortex XSIAM has changed how triple double quotes behave in a Cortex Query Language (XQL) filter stage, with or without wildcards, for example | filter <field> = """<text>*""" or | filter <field> in ("""<text>*""", "<text>", "<text>*"). With triple double quotes, the query now returns only results that exactly match the prefix <text>, whereas previously it returned results containing the prefix <text>. With regular double quotes, the filter stage now returns results that contain the specified <text>. This change affects saved queries, so update any queries that use this syntax to reflect the new behavior.

Saved filters

Table views

Saved filters have been replaced by saved table views. Any existing saved filters will be migrated into a new table view.

Some high-impact attack surface rules will be enabled for all customers

(Requires Attack Surface Management add-on license)

Attack surface management (ASM)

Cortex XSIAM will be enabling additional attack surface rules for all customers with the ASM add-on license during the Cortex XSIAM 2.3 upgrade. Many of the rules to be enabled are related to IoT (Internet of Things) and operational technology (OT), in addition to other impactful but uncommon rules. Due to the low prevalence of these applications on the public internet, we anticipate this change having minimal impact for most customers while providing faster visibility into critical risks.

Additionally, we will be disabling the Insecure PHP rule by default.

These rule changes will not override any customer applied changes to the enablement status or severity for attack surface rules.

Email structure of forwarded alerts

Forwarded Alert Emails

When an alert is forwarded in an email, the full alert JSON file is now attached to the email and not embedded inside the email body. The email body now includes the following fields:

  • Source

  • Category

  • Action

  • Host

  • Username

  • Starred Alert

  • Excluded Alert

  • Alert ID

  • Incident ID

The attached JSON file’s content includes, with no changes, the rest of the alert information.