October 2023 - Release Notes - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Release Notes

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-09-05
Category
Release Notes

This section describes the new features and updates of the Cortex XSIAM 2.0 release.

The Cortex XSIAM 2.0 release includes the following highlights:

Feature

Description

XSIAM Command Center

You can now gain immediate visibility into the security outcomes of your security operations center with the new Cortex XSIAM Command Center dashboard. On the dashboard you can see a dynamic overview of your tenant activity, detailing the data sources, ingestion rates, alerts, and incidents.

Cortex Copilot

The new Cortex Copilot is a conversational AI tool that helps improve security and streamline the SOC processes. Using natural language, analysts can now interact with the Cortex Copilot from anywhere in the product without losing context, get security insights, perform administrative tasks, and enhance security by simplifying incident triaging, investigation, and remediation actions. Early access to a preview version of the Cortex Copilot is available upon request.

Free text search

To streamline and simplify your search capabilities, Cortex XSIAM provides a new Free text search template and XQL stage that enable you to search for specific text in all or some of your datasets. Read more in Free Text Search Template.

MITRE ATT&CK Coverage dashboard

You can now see a comprehensive overview of the Cortex XSIAM content and capabilities in context with the MITRE ATT&CK framework.

The MITRE ATT&CK Framework Coverage dashboard shows a breakdown of the protection modules and detection rules in place for each MITRE tactic and technique and can help you to understand which elements affect your coverage. In addition, you can now tag scheduled queries with MITRE tactics.

XSIAM Jupyter Notebooks

Cortex XSIAM introduces Bring Your Own Machine Learning (BYOML) with Jupyter Notebooks, which unlocks the full potential of Cortex XSIAM as a primary data platform. With this app, you can extract insights and identify anomalies. You can also develop your analytics and investigation workbooks and feed your insights into the Cortex XSIAM environment. Benefit from enhanced data accessibility and lower extraction costs as you operate within a unified workspace. Read more in Jupyter Notebooks Integration.

Flexible hot storage retention license

To help accommodate varying storage requirements for different retention periods and datasets, Cortex XSIAM now includes a new additional Hot Storage license. This license enables you to set the amount of flexible Hot Storage-based retention designated for a dataset and the priority for the dataset’s Hot Storage. You can purchase this storage-based license instead of our current period-based retention license; it is managed from the Dataset Management page. Read more in License Retention and Dataset Management.

Embedded support case creation

To streamline support case creation, you can now open a support case directly from anywhere in Cortex XSIAM. Opening the case directly from Cortex XSIAM allows the relevant context to be included, such as the option to record the console, which enables the issue to be handled more efficiently.

New XQL incidents and alerts datasets

To help you query data related to the Incidents and Alerts tables, Cortex XDR now includes new datasets called incidents and alerts.

The Cortex XSIAM 2.0 release includes the following enhancements:

General

Feature

Description

Security modules

Cortex XSIAM introduces new prevention modules that provide more detection and protection coverage capabilities:

  • Container-escaping protection (Linux): Prevention against malicious attempts at escaping a container to gain access to the Linux host or to other containers.

  • Ransomware Protection (macOS): Enhancement of the defense module to improve the protection against ransomware attacks on macOS endpoints.

Out-of-the-box analytics for XDM authentication data

Cortex XSIAM enhances detection by enabling analytics to run on all mapped Cortex Data Model (XDM) authentication data. Example analytics include SSO Brute Force, SSO Impossible Traveler, and Suspicious SSO Authentication. Read more in MODEL.

New Broker VM image

Cortex XSIAM now includes a new Broker VM image with enhanced capabilities, as well as an updated operating system (Ubuntu 20.04).

Going forward, upgrading Broker VMs to a new version will be supported only for brokers installed from this new image.

Instructions for migrating your brokers to the new image are explained here.

Custom incident statuses and resolution types

To help align the incident management process with your organization's security practices, you can now create custom incident statuses and custom resolution types.

New Cortex In-App documentation

Cortex XSIAM now includes in-product documentation that helps you find information about new and existing features, reference material, and common workflows. While you're working with Cortex products (XSIAM), the documentation opens from within the product in the context of your current location.

Stay tuned for the Help Chat (which will gradually be rolled out) as part of the In-App Help Center. With the AI driven chat-based help, you will be able to ask questions about features and tasks and immediately receive a response.

MBR Protection Module

Cortex XSIAM introduces an improved detection engine on the Cortex XDR agent to enhance its protection against malicious Master Boot Record (MBR) manipulations.

New incident lifecycle widgets

New and improved widgets help you measure the operational efficiency of incident and alert handling, and identify issues in the incident response process. The widgets identify peaks in incident and alert creation, provide visibility into the incident lifecycle, and help balance workloads by identifying the incidents assigned to each analyst:

  • Open Incidents

  • Incidents by Status Duration

  • Open Incidents by Assignee Over Time

Enabling automatic backup in Cortex XSIAM

To better secure your machines against ransomware attacks, a new solution based on native operating system backup mechanisms (Time Machine on macOS and Shadow Copy on Windows) allows customers to turn on automatic machine backups from Cortex XDR.

Cortex SSO improvements

For SSO configuration of Cortex XSIAM, you now have the option to enter a metadata URL, rather than manually providing the IdP SSO URL, issuer ID and x.509 certificate.

Refresh all dashboard widgets

Dashboards now include a refresh icon that updates the data for all dashboard widgets with a single click.

Analytics Detector Tags

A new tag type, Detector Tags, has been added to Alerts, Incidents, and Analytics BIOC Rules. This tag enables you to filter for specific detectors such as Identity Threat, Identity Analytics, and Alert Analytics. The addition of Detector Tags enables more efficient data analysis and threat management.

Endpoint security

Feature

Description

Risky Prevention Policies Notifications

Cortex XSIAM introduces a new feature that identifies risky prevention policies based on Palo Alto Networks best-practice policy settings. Admins can review and update flagged policies to enhance global security posture.

XDR Collectors

Windows 1.4.1.1100 and Linux 1.4.1.1046

For more information on maintenance releases, see Maintenance Releases.

Feature

Description

XDR collectors upgraded Filebeat and Winlogbeat versions

Cortex XSIAM now supports using Filebeat and Winlogbeat version 8.8.1 when using XDR collectors on Windows and Linux machines.

Updated XDR Collectors for Linux and Windows Python versions

Cortex XSIAM has upgraded the XDR Collectors to use Python 3.9.17 on Linux and Python 3.7.17 on Windows (32-bit and 64-bit).

Broker VM

Version 21.1.12

For more information on maintenance releases, see Maintenance Releases.

Feature

Description

Broker VM 21.1.12

This release includes performance improvements and bug fixes.

External Data Ingestion and Management

Feature

Description

Lookup management enhancements

  • The Files and Folders Collector was enhanced with an option to automatically collect reference data into a lookup dataset. Read more in Activate the Files and Folders Collector.

  • While importing data manually from a file into an existing dataset using the Add Lookup option in the Dataset Management screen, you can now select to replace the existing data in the dataset.

  • You can now manually edit existing lookup datasets to update reference data directly from the console.

Cortex Query Language (XQL)

Feature

Description

New XQL convert_to_base_64 function

Cortex XSIAM now supports a new function called convert_to_base_64, which encodes its input as a base64 string. See more in convert_to_base_64.

New XQL datasets subset of xdr_data

To provide faster query results, instead of querying the entire xdr_data dataset, Cortex XSIAM added the following three datasets:

  • vpn_logs: VPN logs, such as GlobalProtect.

  • auth_logs: Authentication logs, such as Okta.

  • login_logs: Login logs, such as WEC.

The fields contained in any of these datasets are a subset of the fields in the xdr_data dataset.

Enrich query templates in XQL

You can now edit queries that were built with simple search templates in XQL. With this flexibility, you can enrich the basic queries created by templates for more detailed investigation, or use the templates as a starting point for creating complex queries with full XQL functionality.

New system field added to XDR Collectors datasets

A new system field called _collector_internal_ip_address was added to all XDR Collector datasets including Filebeat and Winlogbeat data. This system field provides the internal IP of the endpoint.

Playbooks

Feature

Description

Cloud Data Exfiltration

This playbook responds to and investigates alerts from XSIAM analytics about data exfiltration activity in a cloud environment. It enriches all relevant data and performs investigation actions, such as IP address prevalence checks, bucket enumeration, and checks for persistence mechanisms created from the attacker IP. Based on the enrichment and investigation results, the playbook performs remediation actions. This playbook is included in the Cloud Incident Response pack.

Cloud Key Rotation

An important aspect of every cloud playbook is handling compromised credentials. This playbook is one of the main building blocks for cloud investigation and response playbooks. It quickly and efficiently responds to rotate compromised credentials based on their type, performing actions, such as resetting passwords and changing credential profiles. This playbook is included in the Cloud Incident Response pack.

Identity Threat Detection and Remediation (ITDR)

New ITDR enhancements enable organizations to more effectively detect and manage risky users and hosts. Cortex XSIAM playbooks can now identify identity threats and empower analysts to make informed decisions based on calculated risk for assets in their network.

The Cortex XSIAM 2.0 release includes the following changes to existing functionality:

Component

Area

Description

User Space Mode for Container-Optimized OS (COS)

Container-Optimized OS on Google Cloud Platform

For Google Container-Optimized OS (COS) on Google Cloud Platform, the Cortex XDR agent now enforces User Space Mode. Kernel Mode on this platform is no longer supported.

Total Incident widget

Widget library

The Total Incident widget has been renamed to Open Incidents and includes new functionality. You can now group the graph data by hour, day, or week, and you can choose to display data about incidents or alerts.

Incident Management Dashboard and Report

Dashboards and Reports

The Incident Management Dashboard and Report templates have been updated to include the new Open Incidents and Open Incidents by Assignee Over Time widgets.