This section describes the new features and updates of the Cortex XSIAM 2.0 release.
The Cortex XSIAM 2.0 release includes the following highlights:
Feature | Description |
---|---|
XSIAM Command Center | You can now gain immediate visibility into the security outcomes of your security operations center with the new Cortex XSIAM Command Center dashboard. The dashboard gives you a dynamic overview of your tenant activity, detailing the data sources, ingestion rates, alerts, and incidents. |
Cortex Copilot | The new Cortex Copilot is a conversational AI tool that helps improve security and streamline SOC processes. Using natural language, analysts can now interact with the Cortex Copilot from anywhere in the product without losing context, get security insights, perform administrative tasks, and enhance security by simplifying incident triaging, investigation, and remediation actions. Early access to a preview version of the Cortex Copilot is available upon request. |
Free text search | To streamline and simplify your search capabilities, Cortex XSIAM provides a new Free text search template and XQL stage that enable you to search for specific text in all or some of your datasets. Read more in Free Text Search Template. |
MITRE ATT&CK Coverage dashboard | You can now see a comprehensive overview of the Cortex XSIAM content and capabilities in context with the MITRE ATT&CK framework. The MITRE ATT&CK Framework Coverage dashboard shows a breakdown of the protection modules and detection rules in place for each MITRE tactic and technique and can help you to understand which elements affect your coverage. In addition, you can now tag scheduled queries with MITRE tactics. |
XSIAM Jupyter Notebooks | Cortex XSIAM introduces Bring Your Own Machine Learning (BYOML) with Jupyter Notebooks, which unlocks the full potential of Cortex XSIAM as a primary data platform. With this app, you can extract insights and identify anomalies. You can also develop your analytics and investigation workbooks and feed your insights into the Cortex XSIAM environment. Benefit from enhanced data accessibility and lower extraction costs as you operate within a unified workspace. Read more in Jupyter Notebooks Integration. |
Flexible hot storage retention license | To help accommodate varying storage requirements for different retention periods and datasets, Cortex XSIAM now includes a new additional Hot Storage license. This license enables you to set the amount of flexible Hot Storage-based retention designated for a dataset and the priority of the dataset's Hot Storage. You can purchase this storage-based license instead of our current period-based retention license, which is managed from the Dataset Management page. Read more in License Retention and Dataset Management. |
Embedded support case creation | To streamline support case creation, you can now open a support case directly from anywhere in Cortex XSIAM. Opening the case directly from Cortex XSIAM allows the relevant context to be included, such as the option to record the console, which enables the issue to be handled more efficiently. |
New XQL incidents and alerts datasets | To help you query data related to the Incidents and Alerts tables, Cortex XDR now includes new datasets called incidents and alerts. |
The Cortex XSIAM 2.0 release includes the following enhancements:
General
Feature | Description |
---|---|
Security modules | Cortex XSIAM introduces new prevention modules that provide more detection and protection coverage capabilities: |
Out-of-the-box analytics for XDM authentication data | Cortex XSIAM enhances detection by enabling analytics to run on all mapped Cortex Data Model (XDM) authentication data. Example analytics include SSO Brute Force, SSO Impossible Traveler, and Suspicious SSO Authentication. Read more in MODEL. |
New Broker VM image | Cortex XSIAM now includes a new Broker VM image with enhanced capabilities, as well as an updated operating system (Ubuntu 20.04). Going forward, upgrading Broker VMs to a new version will only be supported by brokers installed with this new image. Instructions for migrating your brokers to the new image are explained here. |
Custom incident statuses and resolution types | To help align the incident management process with your organization's security practices, you can now create custom incident statuses and custom resolution types. |
New Cortex In-App documentation | Cortex XSIAM now includes in-product documentation that helps you find information about new and existing features, reference material, and common workflows. While you're working with Cortex products (XSIAM), the documentation launches relative to your current location within the product. Stay tuned for the Help Chat (which will be rolled out gradually) as part of the In-App Help Center. With the AI-driven chat-based help, you will be able to ask questions about features and tasks and immediately receive a response. |
MBR Protection Module | Cortex XSIAM introduces an improved detection engine on the Cortex XDR agent to enhance its protection against malicious Master Boot Record (MBR) manipulations. |
New incident lifecycle widgets | New and improved widgets help you measure the operational efficiency of incident and alert handling, and identify issues in the incident response process. The widgets identify peaks in incident and alert creation, provide visibility into the incident lifecycle, and help balance workloads by identifying the incidents assigned to each analyst: |
Enabling automatic backup in Cortex XSIAM | To better secure your machines against ransomware attacks, a new solution based on native operating system backup mechanisms (Time Machine on macOS and Shadow Copy on Windows) allows customers to turn on automatic machine backups from Cortex XDR. |
Cortex SSO improvements | For SSO configuration of Cortex XSIAM, you now have the option to enter a metadata URL, rather than manually providing the IdP SSO URL, issuer ID and x.509 certificate. |
Refresh all dashboard widgets | Dashboards now include a refresh icon that updates the data for all dashboard widgets with a single click. |
Analytics Detector Tags | A new tag type, Detector Tags, has been added to Alerts, Incidents, and Analytics BIOC Rules. This tag enables you to filter for specific detectors such as Identity Threat, Identity Analytics, and Alert Analytics. The addition of Detector Tags enables more efficient data analysis and threat management. |
Endpoint security
Feature | Description |
---|---|
Risky Prevention Policies Notifications | Cortex XSIAM introduces a new feature that identifies risky prevention policies based on Palo Alto Networks best-practice policy settings. Admins can review and update flagged policies to enhance global security posture. |
XDR Collectors
Windows 1.4.1.1100 and Linux 1.4.1.1046
For more information on maintenance releases, see Maintenance Releases.
Feature | Description |
---|---|
XDR collectors upgraded Filebeat and Winlogbeat versions | Cortex XSIAM now supports using Filebeat and Winlogbeat version 8.8.1 when using XDR collectors on Windows and Linux machines. |
Updated XDR Collectors for Linux and Windows Python versions | Cortex XSIAM has upgraded the XDR Collectors to use Linux Python 3.9.17 and Windows Python 3.7.17 on 32-bit or 64-bit. |
Broker VM
Version 21.1.12
For more information on maintenance releases, see Maintenance Releases.
Feature | Description |
---|---|
Broker VM 21.1.12 | This release includes performance improvements and bug fixes. |
External Data Ingestion and Management
Feature | Description |
---|---|
Lookup management enhancements | |
Cortex Query Language (XQL)
Feature | Description |
---|---|
New XQL convert_to_base_64 function | Cortex XSIAM now supports a new function called convert_to_base_64, which converts a plain (base64-decoded) input string to its base64-encoded form. See more in convert_to_base_64. |
New XQL datasets subset of xdr_data | To provide faster query results, instead of querying the entire The fields contained in any of these datasets are a subset of the fields in the |
Enrich query templates in XQL | You can now edit queries that were built with simple search templates in XQL. With this flexibility, you can enrich the basic queries created by templates for more detailed investigation, or use the templates as a starting point for creating complex queries with full XQL functionality. |
New system field added to XDR Collectors datasets | A new system field called |
Playbooks
Feature | Description |
---|---|
Cloud Data Exfiltration | This playbook responds to and investigates alerts from XSIAM analytics about data exfiltration activity in a cloud environment. It enriches all relevant data and performs investigation actions, such as IP address prevalence checks, bucket enumeration, and checks for persistence mechanisms associated with the attacker IP. Based on the enrichment and investigation results, the playbook performs remediation actions. This playbook is included in the Cloud Incident Response pack. |
Cloud Key Rotation | An important aspect of every cloud playbook is handling compromised credentials. This playbook is one of the main building blocks for cloud investigation and response playbooks. It quickly and efficiently responds to rotate compromised credentials based on their type, performing actions, such as resetting passwords and changing credential profiles. This playbook is included in the Cloud Incident Response pack. |
Identity Threat Detection and Remediation (ITDR) | New ITDR enhancements enable organizations to more effectively detect and manage risky users and hosts. Cortex XSIAM playbooks can now identify identity threats and empower analysts to make informed decisions based on calculated risk for assets in their network. |
The Cortex XSIAM 2.0 release includes the following changes to existing functionality:
Component | Area | Description |
---|---|---|
User Space Mode for Container-Optimized OS (COS) | Container-Optimized OS on Google Cloud Platform | For Google Container-Optimized OS (COS) on Google Cloud Platform, the Cortex XDR agent now enforces User Space Mode. Kernel Mode on this platform is no longer supported. |
Total Incident widget | Widget library | The Total Incident widget has been renamed to Open Incidents and includes new functionality. You can now group the graph data by hour, day, or week, and you can choose to display data about incidents or alerts. |
Incident Management Dashboard and Report | Dashboards and Reports | The Incident Management Dashboard and Report templates have been updated to include the new Open Incidents and Open Incidents by Assignee Over Time widgets. |