February 2024 - Release Notes - Cortex XSOAR 8

Cortex XSOAR Release Notes

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-18
Category: Release Notes
Solution: Cloud
Abstract

New features available in Cortex XSOAR 8, including release highlights and feature enhancements.

This section describes the new features and updates of the Cortex XSOAR 8.5 release.

The Cortex XSOAR 8.5 release includes the following highlights:

(Multi-tenant/MSSP) Enable communication between SOC analysts

You can now invite users from the Main and Child tenants to investigations (including tasks, the CLI, and the War Room) without first configuring access control and permissions for them. You can also share investigations with end customers through copyable links and send notifications by email, Slack, Microsoft Teams, and other channels. For MSSPs, this shortens the path to collaborating with customers on an incident and improves service delivery.

Keep retained incidents

Cortex XSOAR introduces an incident storage limit and a nominal retention charge for extended incident storage. This keeps incident data available and the platform reliable and responsive.

For customers who purchased Cortex XSOAR on or after January 1, 2024, the incident retention policy is now enforced: incidents are retained for 180 days after they were created in Cortex XSOAR. Incident retention license add-ons can be purchased to extend the retention period.

Users can choose to permanently retain up to 1000 specific incidents. A retained incident is not deleted by the incident retention policy, even after the 180-day retention period and any extension license period have elapsed.

Retain an incident for compliance or incident management reasons, to ensure that your most valuable incidents stay on the tenant and are not deleted by retention enforcement or by accident.

Assign incident retention licenses for multi-tenant deployments

Managed security service providers can now provide their end customers with different data retention periods, based on individual tenant needs such as regulations or internal compliance policies.

Content repository improvements

It is now easier to configure and manage your content repository in Cortex Gateway and Cortex XSOAR. You can switch between repository types and choose the initial synchronization setup, so you can develop and maintain Cortex XSOAR content in line with your own development process.

Feature Enhancements

The Cortex XSOAR 8.5 release includes the following enhancements:

General

Customize system emails

You can now customize a wide range of system emails sent to users, including the notifications that a user was mentioned, a task was assigned or completed, an integration failed to fetch incidents, an engine disconnected, and more. Customized emails let you include the incident details and other data that recipients need to respond promptly.

Use an authenticated docker image repository

You can now configure a custom container registry, with your own authentication credentials, as the source for custom Docker images that you build and host privately. Using your own registry lets you manage access permissions so that only authorized users can pull and use the custom images, which keeps any sensitive material in those images out of public registries and gives you a more controlled deployment path for custom images within the Cortex XSOAR environment.
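As an added illustration of the kind of control a private registry gives you (this is example code written for these notes, not part of Cortex XSOAR; the registry hostname and the digest-pinning policy are assumptions), the following Python parses Docker image references the way the Docker client resolves them and accepts only images that come from the configured private registry and are pinned to a digest, so a reference that silently falls back to Docker Hub or floats on a mutable tag is refused:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed private registry for this example; not a Cortex XSOAR setting.
PRIVATE_REGISTRY = "registry.example.internal:5000"

# A digest is "sha256:" followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a Docker image reference into registry, repository, tag and digest.

    Uses the Docker client's rule: the first path component is a registry only
    if it contains '.' or ':' or is 'localhost'; otherwise the reference points
    at docker.io implicitly, which is exactly the case a private-registry policy
    must catch.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest!r}")
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    tag = None
    # A ':' in the last path component separates the tag; a ':' before that can
    # only be a registry port, which was already split off above.
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if not path:
        raise ValueError("empty repository name")
    return ImageRef(registry, path, tag, digest)


def is_allowed_image(ref: str, registry: str = PRIVATE_REGISTRY) -> bool:
    """Policy check: the image must come from our registry and be digest-pinned.

    A tag can be re-pointed at different content after review; a digest cannot.
    """
    try:
        image = parse_image_ref(ref)
    except ValueError:
        return False
    return image.registry == registry and image.digest is not None


if __name__ == "__main__":
    # Constructed references for demonstration.
    good = f"{PRIVATE_REGISTRY}/soc/enrich:1.2@sha256:{'a' * 64}"
    for candidate in (good, f"{PRIVATE_REGISTRY}/soc/enrich:1.2", "soc/enrich:1.2"):
        verdict = "allow" if is_allowed_image(candidate) else "deny"
        print(f"{verdict:5} {candidate}")
```

The check runs before an image reference is handed to whatever pulls it; a reference such as `soc/enrich:1.2` looks local but resolves to Docker Hub, and is the case that an "only our registry" rule most often misses.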

Playbooks

Group playbook inputs and outputs

You can now group playbook inputs and outputs, making it easier for security analysts to see which inputs each stage of the playbook requires. Grouping makes the playbook clearer, reduces the likelihood of errors, and streamlines the incident response workflow.

Users and roles

Add support for user phone numbers

Administrators can now add phone numbers for users on the User Preferences page, so playbooks and scripts can contact analysts directly during urgent situations and security incidents.

Incidents

Improved incident navigation

SOC analysts working on multiple incidents can use the next/previous incident navigation buttons to move between incidents without returning to the Incidents page.

Search War Room notes

You can now search the text of War Room notes from the Incidents search bar, making it easier to locate incidents and to use historical incident data for investigations and knowledge sharing.

API

Limit access to Cortex XSOAR API

Limit Cortex XSOAR API access to specific IP addresses or IP ranges by adding them to an allow list; requests from any other source are rejected. The allow list restricts where a valid API key can be used from (API requests still require a key), while still allowing integration with third-party systems and applications.
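As an added example of how such an allow list is evaluated (illustrative Python written for these notes, not Cortex XSOAR's implementation; the entries and peer addresses are constructed), the following loads single addresses and CIDR ranges, fails closed on malformed entries, normalizes IPv4-mapped IPv6 peers so a dual-stack listener does not bypass an IPv4 rule, and checks the connection's peer address rather than a client-supplied header:

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def load_allow_list(entries: Iterable[str]) -> List[Network]:
    """Parse allow-list entries: single addresses or CIDR ranges, IPv4 or IPv6.

    Fails closed: a malformed entry, or a prefix with host bits set (for example
    10.1.2.3/8, usually a typo that would widen the rule to a whole /8), raises
    instead of being skipped or silently masked.
    """
    networks: List[Network] = []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments in a list file
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid allow-list entry {entry!r}: {exc}") from exc
    return networks


def is_source_allowed(peer_ip: str, allow_list: List[Network]) -> bool:
    """Decide whether a request from peer_ip may reach the API.

    peer_ip should be the address of the TCP connection (or one set by a proxy
    you control), never a client-supplied header such as X-Forwarded-For, which
    an attacker can forge to match an allowed range. An empty list denies all.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable peer address: deny
    # Dual-stack listeners present IPv4 clients as ::ffff:a.b.c.d; compare the
    # embedded IPv4 address so IPv4 rules still apply to them.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allow_list)


if __name__ == "__main__":
    # Constructed allow list and peers for demonstration.
    allowed = load_allow_list(["10.0.0.0/8", "203.0.113.7", "2001:db8::/32", "# SIEM"])
    for peer in ("10.42.0.9", "::ffff:10.0.0.1", "203.0.113.8", "2001:db8:1::5"):
        verdict = "allow" if is_source_allowed(peer, allowed) else "deny"
        print(f"{peer:20} {verdict}")
```

Two choices matter here: parsing is strict so that a mistyped prefix cannot quietly widen the list, and an IPv4 and an IPv6 rule never match across versions unless the peer is an IPv4-mapped address, which is unwrapped explicitly.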

Marketplace Content Changes

This section describes the content changes from October 2023 to February 2024.

Content Packs

AWS Organizations (New)

Manage your AWS accounts and resources through Cortex XSOAR. The integration lets you list accounts and view their details, create new accounts programmatically, modify organizational units, invite accounts, and apply tags across accounts.

HashiCorp Terraform (New)

Includes an integration that retrieves policy check results and supports additional commands.

Email Hippo (New)

Includes an integration that validates email addresses and domains directly in Cortex XSOAR using Email Hippo's intelligence services.

XSOAR Capture the Flag (New)

A treasure hunt exercise pack built around a Capture the Flag style game. Two playbooks guide you through it: the first walks you through the platform, and the second focuses on investigations.

Integrations and Playbooks

XDR Lite playbook (New)

Easy to deploy and requiring no additional integrations, this playbook can significantly reduce the time analysts spend remediating Cortex XDR incidents.

Remote PsExec-like LOLBIN Command Execution playbook (New)

Automated investigation and response for PsExec-like LOLBIN command execution alerts from Cortex XDR. The playbook enriches the relevant data and performs investigation actions such as command-line analysis, then performs remediation actions based on the enrichment and investigation results.

Microsoft Graph Security integration (Updated)

The integration now supports creating and retrieving threat assessments for mail, email files, files, and URLs directly from Cortex XSOAR.

Azure Log Analytics integration (Updated)

The integration can now run Log Analytics search jobs from Cortex XSOAR and retrieve their results.

PAN-OS Policy Optimizer integration (Updated)

The PAN-OS Policy Optimizer integration now supports pagination, allowing more rules to be fetched when analyzing firewall policies.

SplunkPy integration (Updated)

The Splunk integration can now enrich user and asset fields via Splunk lookups directly within Cortex XSOAR.

Prisma Cloud Compute - Audit Alert v3 playbook (Updated)

Enhanced playbooks that help SOC and DevOps teams streamline their investigation of cloud incidents, with new remediation and enrichment features that provide rich, contextualized information for better decisions and faster response.