September 2024 - Release Notes - Cortex XSIAM

Cortex XSIAM Release Notes

Product: Cortex XSIAM
Creation date: 2024-11-18
Last date published: 2025-02-02
Category: Release Notes

This section describes the new features and updates of the Cortex XSIAM 2.4 release.

The Cortex XSIAM 2.4 release includes the following highlights:

FEATURE

DESCRIPTION

Cortex Copilot

Cortex Copilot is an AI-powered tool designed to streamline processes by simplifying incident investigation and remediation. It enables you to seamlessly uncover new insights on hashes, hosts, and more. You can get tailored suggestions, access the Help Center, and run actions in natural language from anywhere without losing context.

New Enterprise Multi-Tenant & MSSP licensing model

Introducing a new Enterprise Multi-Tenancy and Managed Security Service Providers (MSSPs) licensing model for Cortex XSIAM, streamlining the license management and monetization of child tenants.

The new license allows MSSPs to own and manage child tenants on demand directly from the Gateway, in addition to the existing MSSP model.

For Enterprise Multi-Tenancy administrators, the model provides a productized data segregation solution, offering greater flexibility when managing different business units.

New license tier: Cortex XSIAM NG SIEM

XSIAM integrates SIEM and EDR to transform security operations. For customers who cannot replace both their SIEM and their endpoint solution at the same time, Cortex is introducing a Cortex XSIAM NG SIEM base tier that does not include XDR agents in the license. This allows a gradual path to full XSIAM adoption: replace the legacy, costly SIEM platform first, then upgrade to a full SOC transformation with the XSIAM Enterprise/Plus license.

Native 3rd-party EDR support

Introducing native EDR collectors for CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint. This integration empowers customers to take advantage of certain advanced XSIAM capabilities while maintaining access to all standard SIEM capabilities through raw 3rd-party EDR data ingestion.

Enhanced Palo Alto Networks NGFW integration process

To streamline Palo Alto Networks NGFW integrations, Cortex XSIAM now supports onboarding NGFWs from multiple cloud service provider (CSP) accounts.

Customers with multiple accounts can connect all of them to a single Cortex tenant, ensuring the completeness of their data and letting them use the capabilities of the native collector.

New RBAC Dataset Views

To improve data efficiency and security, Cortex XSIAM now supports creating Dataset Views on the Dataset Management page. A Dataset View is a virtual representation of data from one or more datasets, defined by an XQL query. Views let you join datasets into logical subsets through the defined query, manipulate data without altering the underlying datasets, and segregate data for specific user needs or access privileges through role-based access control (RBAC) settings.

The Cortex XSIAM 2.4 release includes the following enhancements:

General

FEATURE

DESCRIPTION

AI-powered PowerShell examination

AI-based PowerShell script examination is now available in the Windows Malware Profile, providing additional security measures and the flexibility to block, quarantine, or report malicious files.

Bring Your Own Keys (BYOK) enhancements

Cortex XSIAM now lets you disable a BYOK key, giving you full control over the availability of tenant data.

Export and import Correlation Rules, Dashboards, and Report Templates

You can now export and import Correlation Rules, Dashboards, and Report Templates in JSON format through the user interface, making it easy to transfer configurations between environments for onboarding, migration, backup, or sharing.

Streamlined control over Linux operational mode

The Agent Operation Mode setting in the Linux Agent Settings Profile is now available, enabling administrators to select a Userspace fallback mode for when Kernel Mode is unavailable.

This fallback mode lets administrators balance performance and stability according to their needs, with more customization and control over agent operations.

Attack Surface Management scanning enhancements

(Requires the Attack Surface Management add-on license)

Cortex XSIAM now performs periodic discovery scans across the global IPv4 address space on all 65k ports and on 60+ additional protocols. Once a service is found, it is scanned daily until it becomes inactive. These enhancements reduce the chance that important exposures are missed, making it easier for you to secure your attack surface.

Version column added to Alerts

(Requires the Attack Surface Management add-on license)

A software version column has been added to the Alerts table for Attack Surface Management alerts, enabling you to export and filter on the detected software version.

Exclude enrichment of indicators

Indicators can now be marked as Enrichment Excluded in Cortex XSIAM. This gives you finer control over your indicators and lets you optimize system performance by managing the indicator enrichment process.

For each indicator of type IP, Domain, Email, URL, or File, you can enable or disable enrichment calls, conserving system resources for indicators that are already known.

Specific feeds (for example, allow-list feeds) can be marked as Enrichment Excluded through their instance parameters, which excludes every IOC ingested by that feed from enrichment.

Generic Persistence Analytics

Cortex XSIAM introduces analytics-based generic detection suites that trigger alerts for startup persistence techniques used by threat actors. These suites point to the abused persistence mechanism and aid in hunting for novel persistence techniques by identifying anomalous process execution at startup.
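The following is an added example, not Cortex code, of the kind of logic such a suite applies: learn which images each host runs at startup during a baseline period, then alert on any image a host has not started before, naming the autostart mechanism that launched it and using fleet prevalence to rank the alert. The event field names, hosts, paths and autostart sources are constructed for this example.

```python
"""Startup-persistence analytics: flag processes that newly appear at boot.

Added example, not Cortex code. Event field names, hosts, paths and the
autostart mechanism labels are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

EXPLORER = "c:\\windows\\explorer.exe"
ONEDRIVE = "c:\\program files\\microsoft onedrive\\onedrive.exe"
SLACK = "c:\\program files\\slack\\slack.exe"


def _boot(host, boot_id, image, mechanism):
    return {"host": host, "boot_id": boot_id, "image": image, "mechanism": mechanism}


# Constructed baseline: three boots per host, recorded while learning normal startup behaviour.
BASELINE_EVENTS = [
    ev
    for boot_id in (1, 2, 3)
    for ev in (
        _boot("ws-01", boot_id, EXPLORER, "userinit"),
        _boot("ws-01", boot_id, ONEDRIVE, "registry_run_key"),
        _boot("ws-02", boot_id, EXPLORER, "userinit"),
        _boot("ws-02", boot_id, ONEDRIVE, "registry_run_key"),
        _boot("ws-03", boot_id, EXPLORER, "userinit"),
        _boot("ws-03", boot_id, SLACK, "registry_run_key"),
    )
]

# Constructed boot 4 on each host: ws-01 gained an unknown binary in a Run key,
# ws-02 gained Slack, which ws-03 already ran at startup during the baseline.
NEW_BOOT_EVENTS = [
    _boot("ws-01", 4, EXPLORER, "userinit"),
    _boot("ws-01", 4, ONEDRIVE, "registry_run_key"),
    _boot("ws-01", 4, "C:\\Users\\Public\\update.exe", "registry_run_key"),
    _boot("ws-02", 4, EXPLORER, "userinit"),
    _boot("ws-02", 4, ONEDRIVE, "registry_run_key"),
    _boot("ws-02", 4, SLACK, "registry_run_key"),
    _boot("ws-03", 4, EXPLORER, "userinit"),
    _boot("ws-03", 4, SLACK, "registry_run_key"),
]


def normalize_image(path):
    # Windows paths are case-insensitive; compare them in one case.
    return path.strip().lower()


def build_startup_baseline(events):
    """Per-host set of images observed at startup during the baseline window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["host"]].add(normalize_image(ev["image"]))
    return dict(baseline)


def fleet_prevalence(baseline):
    """Number of baseline hosts on which each startup image was seen."""
    counts = defaultdict(int)
    for images in baseline.values():
        for image in images:
            counts[image] += 1
    return dict(counts)


@dataclass
class PersistenceAlert:
    host: str
    boot_id: int
    image: str
    mechanism: str   # the autostart mechanism that launched the process
    prevalence: int  # baseline hosts already starting this image
    severity: str


def detect_new_startup_processes(baseline, events):
    """Alert once per boot for every image a host did not start during its baseline.
    An image unknown to the whole fleet is high severity; one other hosts already
    start (new but common software) is low."""
    prevalence = fleet_prevalence(baseline)
    seen_this_boot = set()
    alerts = []
    for ev in events:
        image = normalize_image(ev["image"])
        key = (ev["host"], ev["boot_id"], image)
        if image in baseline.get(ev["host"], set()) or key in seen_this_boot:
            continue
        seen_this_boot.add(key)
        count = prevalence.get(image, 0)
        severity = "high" if count == 0 else "low"
        alerts.append(PersistenceAlert(ev["host"], ev["boot_id"], image,
                                       ev["mechanism"], count, severity))
    return alerts
```

A host with no baseline (for example a newly enrolled endpoint) would alert on every startup image, so a deployment of this logic needs a minimum learning period per host before detection is switched on.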

Analytics Tags Highlights

Cortex XSIAM has updated the detectors inventory, introducing new analytics into both new and existing tags.

  • Cloud Lateral Movement Analytics: Detection of abnormal usage patterns of cloud-native services and capabilities, identifying techniques used by attackers to move laterally within a cloud environment after initial access.

  • Cloud Serverless Function Credentials Theft Analytics: Detection of attempts to use stolen credentials from cloud serverless functions, identifying unusual usage patterns to prevent unauthorized access and malicious activities within the cloud environment.

  • NDR SSH Analytics (new): SSH anomalies detection using enhanced application logging and Analytics capabilities to identify techniques used by attackers for lateral movement.

  • NDR FTP Analytics (new): FTP anomalies detection using enhanced application logging and Analytics capabilities to identify techniques used by attackers for authentication and impersonation.

  • LDAP Analytics (Server): Detects abnormal LDAP activity on domain controllers, identifying Active Directory enumeration attempts and potential attacks targeting directory services.

  • LDAP Analytics (Client): Detects abnormal LDAP activity on client machines, identifying suspicious queries and potential Active Directory enumeration attacks.

  • LDAP Analytics: Detects abnormal LDAP activity to identify Active Directory enumeration and potential attacks.

  • Honey User Analytics: Detects interactions with accounts tagged as decoy honey users, accounts crafted to appear legitimate, designed to lure attackers and expose malicious activity.

  • Okta Audit Analytics: Detects unusual audit activity within Okta to prevent unauthorized access, suspicious actions, and potential security misconfigurations.

  • O365 DLP Analytics: Detects activity involving DLP-sensitive data in Microsoft Office 365 to surface data leaks and unauthorized access to sensitive information.

In-product support case

Cortex XSIAM now attaches the license JSON file when creating in-product support cases, streamlining the support process for efficient handling of licensing-related issues.

New search field on the Configurations page

A new search field on the Configurations page provides a fast and easy search of your configuration options.

Attack Surface Management automation improvements

(Requires the Attack Surface Management add-on license)

  • Added support for retrieving the hierarchy of an Azure Compute instance.

  • Increased coverage for remediation of the following attack surface rules:

    • TFTP Server

    • Libssh

    • Insecure Bitvise SSH Server

    • Insecure SFTPGo

New attack surface rules and attack surface tests

(Requires the Attack Surface Management add-on license)

Detect and verify new risks with the introduction of more than 30 attack surface rules and 40 attack surface tests.

Investigation and response

FEATURE

DESCRIPTION

Cortex XSIAM auditing

Cortex XSIAM now enables you to audit and query Cortex authentication logs and activity logs, using Auth and SaaS stories respectively, to track and trigger alerts about attacks that target Cortex XSIAM.

Detection rules

FEATURE

DESCRIPTION

Enhanced preconfigured alert fields mapping in Correlation Rules

Cortex XSIAM has enhanced the preconfigured alert fields mappings when creating or editing Correlation Rules with the following updates in the Alerts Fields Mapping section:

  • Each preconfigured field that is automatically mapped is clearly presented in the user interface.

  • Ability to add another field to the current preconfigured listing.

New Honey User asset role

Cortex XSIAM introduces a new asset role, Honey User, to help detect intrusion and exploitation attempts in your network. A Honey User is a decoy user that looks attractive to potential attackers, with access to many assets. You can configure users with the Honey User asset role to trigger alerts when there is an attempt to use the credentials of these users.
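The following is an added example, not Cortex code, of the detection logic behind the Honey User asset role and the Honey User Analytics tag listed earlier: a decoy account has no legitimate use, so any authentication attempt with it is an alert, whether the attempt succeeds or fails. The event IDs are standard Windows Security audit IDs; the field names, decoy account names and the events themselves are constructed for this example.

```python
"""Honey User detection over Windows Security authentication events.

Added example, not Cortex code. Field names, decoy accounts and events
are constructed; the event IDs are the standard Windows Security ones.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed decoy accounts, as they would be tagged with the Honey User asset role.
HONEY_USERS = {"svc.backup.admin", "fin.shared"}

# Authentication-related Windows Security event IDs this detector watches.
AUTH_EVENT_IDS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT request",
    4776: "NTLM credential validation",
}

# Constructed sample events. The last one (4688) is process creation, not authentication.
SAMPLE_EVENTS = [
    {"event_id": 4624, "target_user": "CORP\\jdoe", "source_ip": "10.1.1.5", "logon_type": 2},
    {"event_id": 4625, "target_user": "CORP\\svc.backup.admin", "source_ip": "10.1.1.77", "logon_type": 3},
    {"event_id": 4768, "target_user": "fin.shared@corp.local", "source_ip": "10.1.2.9", "logon_type": None},
    {"event_id": 4624, "target_user": "SVC.BACKUP.ADMIN", "source_ip": "10.1.1.77", "logon_type": 3},
    {"event_id": 4688, "target_user": "CORP\\svc.backup.admin", "source_ip": None, "logon_type": None},
]


def normalize_user(name: str) -> str:
    """Reduce DOMAIN\\user, user@realm and mixed case to a bare lowercase account name,
    so the decoy is matched however the authentication path spells it."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


@dataclass
class HoneyUserAlert:
    user: str
    source_ip: Optional[str]
    event_id: int
    description: str
    severity: str


def detect_honey_user_activity(events, honey_users=HONEY_USERS):
    """One alert per authentication event that names a decoy account."""
    alerts = []
    for ev in events:
        if ev["event_id"] not in AUTH_EVENT_IDS:
            continue  # not an authentication attempt
        user = normalize_user(ev.get("target_user", ""))
        if user not in honey_users:
            continue
        # A failed attempt already shows the attacker holds the decoy username;
        # a successful logon means they also hold its credentials.
        severity = "critical" if ev["event_id"] == 4624 else "high"
        alerts.append(HoneyUserAlert(user, ev.get("source_ip"), ev["event_id"],
                                     AUTH_EVENT_IDS[ev["event_id"]], severity))
    return alerts


def sources_by_honey_user(alerts):
    """Distinct source addresses per decoy account, for triage and containment."""
    sources = defaultdict(set)
    for alert in alerts:
        if alert.source_ip:
            sources[alert.user].add(alert.source_ip)
    return dict(sources)
```

Because the decoy is never used legitimately, this rule needs no baseline and no threshold; the only tuning is making sure the account names are normalized the same way the authentication logs spell them.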

Endpoint security

FEATURE

DESCRIPTION

Device control enhancements

Device control profiles for Windows endpoints now provide granular control for both Classic Bluetooth and Bluetooth Low Energy (BLE) devices. Permanent and temporary exceptions can also be configured. This additional control hardens communication with these types of peripheral devices.

Device control violation notifications

Under the User Interface settings, device control violation notifications may be disabled or enabled on endpoints running agent version 8.6 and later. Notifications displayed on the agent are enabled by default.

New exception configuration - Disable Prevention and Injection

Cortex XSIAM has added the exception configuration 'Disable Prevention and Injection' so that you can quickly address process issues. The exception temporarily excludes a process from the prevention modules and from agent injection; alerts based on collected data are still generated. Because an excluded process is no longer protected, keep such exceptions temporary and scoped to the affected process.

Windows support for Cortex XDR agent for Cloud

The Prisma Cloud vulnerability and compliance scanner integrated with the Cortex XDR agent now provides a unified agent that delivers runtime security, including vulnerability and compliance scanning, on Windows, matching the functionality on Linux-based operating systems.

The Windows Cortex XDR agent's security alerts and vulnerability data are forwarded to and displayed in the Prisma console without special configuration, supporting comprehensive cloud security management.

XDR Collectors

Windows 1.4.2.1373 and Linux 1.4.2.1302

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

XDR Collectors 1.4.2

This release includes performance improvements and bug fixes.

Broker VM

Version 25.0.44 (reboot required)

For more information on maintenance releases, see Maintenance Releases.

FEATURE

DESCRIPTION

Broker VM 25.0.44

This release includes performance improvements and bug fixes.

External data ingestion and management

FEATURE

DESCRIPTION

Improved handling of NGFW log ingestion in CEF format

Palo Alto Networks NGFW logs ingested in CEF format through the Syslog collector now receive protection, out-of-the-box data modeling, and analytics similar to those for logs ingested into Strata Logging Service (SLS). Use this ingestion option when NGFW devices are in locations that SLS does not support, or when large log volumes cause bandwidth issues.

Improved email ingestion flows for GSuite

The enhanced Gmail collector now collects data from a list of email addresses instead of from a compliance mailbox, giving you the flexibility to collect only a subset of the mailboxes or distribution lists used in your environment.

Improved email ingestion flows for Microsoft 365

The new Microsoft 365 (formerly Office 365) email collector is easy to set up. Emails are fetched through the API using an authorized app in your Microsoft Azure tenant, so a compliance mailbox is no longer required.

Cortex Query Language (XQL)

FEATURE

DESCRIPTION

New XQL windowcomp stage and functions

Cortex Query Language (XQL) now supports a windowcomp stage for window functions. Unlike comp, which collapses each group into one row, a windowcomp function computes its value over a window (a group of rows, optionally ordered) and attaches one result to every row in that window. The stage includes the following functions:

  • Numbering functions, such as rank and row_number

  • Navigation functions, such as first_value and last_value

  • Statistical aggregate functions, such as stddev_sample and stddev_population

  • Aggregate functions, such as avg and sum

Read more in windowcomp.
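To make the difference between windowcomp and comp concrete, here is an added example, not Cortex code: a reference implementation of the semantics with the function names the release notes list, run against a constructed dataset of upload volumes per host. The row layout and the sample rows are assumptions made for the example.

```python
"""Reference implementation of XQL windowcomp semantics beside comp.

Added example, not Cortex code. The dataset layout and rows are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev, stdev

# Constructed sample rows: upload volume per host, as an XQL dataset might hold them.
SAMPLE_ROWS = [
    {"_time": 1, "agent_hostname": "ws-01", "action_total_upload": 120},
    {"_time": 2, "agent_hostname": "ws-01", "action_total_upload": 80},
    {"_time": 3, "agent_hostname": "ws-01", "action_total_upload": 9000},
    {"_time": 1, "agent_hostname": "ws-02", "action_total_upload": 300},
    {"_time": 2, "agent_hostname": "ws-02", "action_total_upload": 300},
]


# Each window function receives the window's rows already sorted, the field it
# operates on and the sort field, and returns one value per row of the window.
def _row_number(window, field, sort):
    return list(range(1, len(window) + 1))


def _rank(window, field, sort):
    """Rank by the sort field: equal values share a rank and the next rank is skipped."""
    ranks, prev, rank = [], object(), 0
    for pos, row in enumerate(window, 1):
        if row[sort] != prev:
            rank, prev = pos, row[sort]
        ranks.append(rank)
    return ranks


def _first_value(window, field, sort):
    return [window[0][field]] * len(window)


def _last_value(window, field, sort):
    return [window[-1][field]] * len(window)


AGGREGATES = {
    "avg": mean,
    "sum": sum,
    "stddev_sample": stdev,        # needs at least two rows per window
    "stddev_population": pstdev,
}


def _aggregate(fn):
    # Statistical and aggregate functions: one value over the window, repeated for each row.
    return lambda window, field, sort: [fn([r[field] for r in window])] * len(window)


WINDOW_FUNCTIONS = {
    "row_number": _row_number,
    "rank": _rank,
    "first_value": _first_value,
    "last_value": _last_value,
    **{name: _aggregate(fn) for name, fn in AGGREGATES.items()},
}


def windowcomp(rows, func, field, by, sort, alias):
    """Partition rows by `by`, order each partition by `sort`, and attach the
    function's per-row result as `alias`. Every input row is returned, in input order."""
    partitions = defaultdict(list)
    for idx, row in enumerate(rows):
        partitions[row[by]].append(idx)
    out = [dict(row) for row in rows]
    for idxs in partitions.values():
        idxs.sort(key=lambda i: rows[i][sort])  # stable sort, so ties keep input order
        window = [rows[i] for i in idxs]
        for i, value in zip(idxs, WINDOW_FUNCTIONS[func](window, field, sort)):
            out[i][alias] = value
    return out


def comp(rows, func, field, by):
    """The comp stage for contrast: the same aggregate, but one row per group."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[by]].append(row[field])
    return {key: AGGREGATES[func](values) for key, values in groups.items()}


def flag_upload_outliers(rows):
    """Rows whose upload exceeds their host's mean plus one standard deviation.
    Because windowcomp keeps every row, the outlier is reported with its own _time."""
    with_avg = windowcomp(rows, "avg", "action_total_upload", "agent_hostname", "_time", "host_avg")
    with_sd = windowcomp(with_avg, "stddev_population", "action_total_upload",
                         "agent_hostname", "_time", "host_sd")
    return [(r["agent_hostname"], r["_time"], r["action_total_upload"])
            for r in with_sd if r["action_total_upload"] > r["host_avg"] + r["host_sd"]]
```

The outlier query is the practical reason to prefer windowcomp over comp here: comp would give you the per-host mean but discard the individual rows, so you could not say which upload, at what time, was anomalous.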

New XQL array_any and array_all functions

Cortex Query Language (XQL) now supports the following new array functions:

  • array_any: Returns true when at least one element of the array satisfies the condition, which is written in terms of the current array element. Read more in array_any.

  • array_all: Returns true when every element of the array satisfies the condition. Read more in array_all.

External Services XQL dataset enhancements

(Requires the Attack Surface Management add-on license)

Cortex XSIAM has enhanced the external services XQL dataset to include more detailed CVE data and additional service classification and geolocation information. This enhanced dataset will enable you to configure more targeted custom alerting and more detailed custom dashboards.

API

FEATURE

DESCRIPTION

XQL query quotas

New return fields in /public_api/v1/xql/get_quota increase visibility of XQL query quotas for XQL queries run using the public API.

Marketplace content

FEATURE

DESCRIPTION

Unit42 Threat Brief - Fighting Ursa

This playbook handles the Unit42 Threat Brief - Fighting Ursa. The playbook:

  • Collects, extracts, and enriches indicators

  • Performs indicator-based threat hunting

  • Suggests relevant mitigations

For more information, see Unit42 Threat Brief - Fighting Ursa.

Sigma indicator type

Added a new indicator type, which is part of the Sigma content pack. For more information, see the Sigma content pack.

The Cortex XSIAM 2.4 release includes the following changes to existing functionality:

COMPONENT

AREA

DESCRIPTION

Top Incidents widget

Widget Library

The Top Incidents widget has been renamed to Top Open Incidents. This widget appears on the Incident Management dashboard.