Cortex XSOAR 8 Release Notes - October 2023

Cortex XSOAR Release Notes

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-18
Category: Release Notes
Solution: Cloud
Abstract

New features available in Cortex XSOAR 8, including release highlights, feature enhancements, and Marketplace changes.

This section describes the new features and updates of the Cortex XSOAR 8.4 release.

The Cortex XSOAR 8.4 release includes the following highlights:

Feature

Description

In-app documentation

Cortex XSOAR now includes in-app documentation that helps you find information about new and existing features, reference material, and common workflows. The documentation opens from within the product, at the topic relevant to where you are currently working.

Private Repository support in a Dev/Prod environment

When setting up a remote repository you can now select either the built-in repository or a private repository, giving you the flexibility to meet your specific development requirements. Cortex XSOAR supports both single and multiple Git branches.

Export incidents to Excel

You can now export multiple incidents with detailed information (such as notes, chat, and evidence) from Cortex XSOAR to Excel.

Authenticated communication tasks

You can now require authentication for playbook communication task responses, so that a response is accepted only from an authenticated user. Configure this in Cortex XSOAR under Authentication Settings > Communication Task Authentication. SSO login authentication was moved to the Login Options tab under the same menu.

The Cortex XSOAR 8.4 release includes the following enhancements:

General

Feature

Description

Credentials for long-running integrations

Credentials for long-running integrations and external dynamic lists can now be defined centrally on the Settings page, instead of separately for each integration or list.

SSO improvements

When configuring SSO for Cortex XSOAR, you can now enter the IdP's metadata URL instead of manually providing the IdP SSO URL, issuer ID, and X.509 certificate; these values are read from the metadata document.
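As an added example (not Cortex XSOAR code), the following Python shows what a SAML IdP metadata document carries and why a metadata URL can stand in for the three manually entered values: it extracts the issuer (entityID), the SingleSignOnService URL for each binding, and the signing X.509 certificate, and refuses metadata that advertises a plain-http SSO endpoint. The metadata document, hostnames and certificate blobs below are constructed for this example; the certificate is a placeholder, not a real key.

```python
"""Parse a SAML IdP metadata document into the values an SP needs.

Added example, not Cortex XSOAR's own code: it shows what the
"metadata URL" option reads instead of having the IdP SSO URL, issuer ID
and X.509 certificate typed in by hand. The metadata below is constructed
for this example and its certificates are placeholder blobs, not real keys.
"""
import base64
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what an IdP publishes at its metadata URL.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBc2Ft
        cGxlY2VydA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBZW5jcg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return issuer, SSO URLs keyed by binding, and signing certs (base64 DER)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor document")
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("missing entityID (the issuer the SP will trust)")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not an IdP's metadata")

    sso_urls = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        if not location.startswith("https://"):  # an http endpoint would expose the SAML flow
            raise ValueError(f"refusing non-HTTPS SSO endpoint: {location}")
        sso_urls[svc.get("Binding")] = location
    if not sso_urls:
        raise ValueError("no SingleSignOnService endpoint")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # metadata wraps the base64 body across lines
            base64.b64decode(b64, validate=True)  # binascii.Error (a ValueError) if garbled
            signing_certs.append(b64)
    if not signing_certs:
        raise ValueError("no signing certificate: SAML responses could not be verified")
    return {"issuer": issuer, "sso_urls": sso_urls, "signing_certs": signing_certs}


def sso_url(meta: dict, preferred=(HTTP_REDIRECT, HTTP_POST)) -> str:
    """Pick the SSO endpoint for the first binding the SP supports."""
    for binding in preferred:
        if binding in meta["sso_urls"]:
            return meta["sso_urls"][binding]
    raise ValueError("IdP offers none of the supported bindings")


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    print(parsed["issuer"], sso_url(parsed), parsed["signing_certs"][0][:12] + "...")
```

Whoever controls the metadata document controls which certificate the service provider will trust to sign assertions, so the URL must be fetched over HTTPS with certificate validation, and the parsed signing certificate should be reviewed once before it is saved. The decryption-only certificate (use="encryption") is deliberately excluded, since accepting it as a signing key would widen what a forged assertion could be signed with.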

Hover text buttons

To improve customer experience and ease of use of the UI, tooltips have been added for many buttons in the Cortex XSOAR tenant.

Playbooks

Feature

Description

Filters and transformers

The Filters and Transformers window has been redesigned as a single pane, so you no longer have to work across several windows.

Playbook and script improvements

  • To improve the playbook search experience, you can now search by a playbook's name, description, or tags.

  • Playbook search results are sorted by modification date and grouped by that date, to make the results easier to read.

Run again button

A Run again button has been added to the incident's Work Plan tab, so you can easily run the playbook again on the same incident.

Users and Roles

Feature

Description

Improvements to user and role permissions

To improve customer experience and consistency in the Cortex Gateway and the Cortex XSOAR tenant, the following improvements have been made to users and roles:

  • When a role is updated in the Cortex Gateway, you can now view the updated role details in the Components tab in the Cortex XSOAR tenant.

  • (Multi-tenant) When updating a user role, a tooltip has been added for Tenant Management, which confirms that the user role can edit content (such as playbooks and scripts) in the parent tenant.

Indicators

Feature

Description

Enrich indicators

Enrichment of indicators is now available whether the verdict was set manually or automatically, which can improve the accuracy of the indicator. Enrichment does not override the manually set verdict.

Calculate and recalculate indicator buttons

To clarify functionality and better reflect the use case, the Calculate and Recalculate buttons (in the Create/Edit indicator windows and in the Indicator Quick view panel) are replaced with Enrich and Save & Enrich buttons.

Marketplace

Feature

Description

Deprecated content in content packs

To streamline the browsing experience, deprecated content entities such as integrations, playbooks, and scripts are now hidden from view by default.

This section describes the content changes from July 2023 to October 2023.

General Content

Content

Description

Change Type

CVE Indicator Type Revamp

We have significantly redesigned the way CVEs are displayed and stored as indicators for Threat Intelligence Management. This feature is designed to make as much data as possible available for users to query and to use CVEs in incident investigations and vulnerability management.

Updated

Integrations and Playbooks

Content

Description

Change Type

Prisma Cloud v2 Integration

Alert and Incident Mirroring

Implemented alert and incident mirroring between Prisma Cloud and Cortex XSOAR: when an alert or incident is opened or closed on one platform, its state is automatically synchronized to the other.

This streamlined process saves both time and resources while providing a convenient way to monitor and manage alerts and incidents.

New Commands

Incorporated additional new commands for retrieving resource lists, user roles, and user details.

These enhancements empower users to access vulnerabilities and compliance/configuration data through Cortex XSOAR and deliver this information to the relevant resource owners.

Updated

Palo Alto Networks Enterprise DLP Integration

General improvements to the integration, such as the fetch timeframe, better descriptions, and playbook inputs.

In addition, four new playbooks were added to support better usage of this integration:

  • Get Approval

  • Get User Feedback

  • Get User Feedback via Email

  • User Message App Check

Updated

Azure DevOps Integration

  • New commands have been added, allowing users to open, edit, and close pull requests (PRs) in Azure DevOps repositories directly from Cortex XSOAR.

  • Added support for installation from ADO (Azure Artifacts).

Updated

CrowdStrike Falcon Horizon (CSPM) Integration

Falcon Horizon simplifies the management of cloud security posture throughout the application lifecycle in any cloud environment.

This integration utilizes the API to retrieve alerts, establish an incident type, facilitate policy management, and synchronize alerts between Falcon Horizon and Cortex XSOAR.

New

Microsoft Purview

Microsoft Purview is a data governance service that helps organizations discover, classify, and manage their data assets across different platforms and sources. It provides a unified view of data, enabling data discovery, classification, and tracking data lineage.

This integration enables you to easily retrieve and manage DLP events, create and manage eDiscovery cases, and oversee alerts within the Microsoft Graph Security integration.

New

Cortex XDR Cloud Data Exfiltration Playbook

This playbook responds to and investigates alerts from Cortex XDR analytics about data exfiltration activity in a cloud environment. It enriches all relevant data and performs investigation actions such as source IP address prevalence checks, bucket enumeration checks, and a search for persistence mechanisms created from the attacker IP. Based on the enrichment and investigation results, the playbook performs remediation actions.
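The three investigation checks named above, as an added example that is not the Cortex XDR or XSOAR playbook's own code: it runs IP prevalence, bucket enumeration and persistence checks over constructed CloudTrail-style events and derives the credentials a remediation step would rotate or remove. Field names follow CloudTrail's JSON records (eventName, sourceIPAddress, userIdentity.arn, requestParameters); the events, principals, buckets and IP addresses are made up for this example.

```python
"""Investigation checks for a cloud data-exfiltration alert.

Added example, not the Cortex XDR or XSOAR playbook's own code. It runs
the three checks the playbook description lists (source-IP prevalence,
bucket enumeration, persistence created from the attacker IP) over
constructed CloudTrail-style events and names the credentials to rotate.
Field names follow CloudTrail's JSON records; the events, principals and
IP addresses below are made up for this example.
"""

ENUMERATION = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetBucketAcl", "GetBucketPolicy"}
READS = {"GetObject", "CopyObject"}
# IAM calls that give an attacker a way back in, and the parameter naming the target.
PERSISTENCE = {"CreateAccessKey": "userName", "CreateUser": "userName",
               "CreateLoginProfile": "userName", "AttachUserPolicy": "userName",
               "PutUserPolicy": "userName", "UpdateAssumeRolePolicy": "roleName"}


def ev(day, ip, arn, name, **params):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": f"2023-10-{day:02d}T12:00:00Z", "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}, "eventName": name, "requestParameters": params}


ALICE = "arn:aws:iam::123456789012:user/alice"
CI = "arn:aws:iam::123456789012:role/ci-deploy"
OFFICE, ATTACKER = "198.51.100.20", "203.0.113.5"

SAMPLE_EVENTS = (
    [ev(d, OFFICE, ALICE, "GetObject", bucketName="app-assets", key="site.css") for d in range(1, 15)]
    + [ev(d, OFFICE, CI, "PutObject", bucketName="app-assets", key="build.tgz") for d in range(1, 15)]
    + [ev(15, ATTACKER, ALICE, "ListBuckets"),
       ev(15, ATTACKER, ALICE, "ListObjectsV2", bucketName="finance-reports"),
       ev(15, ATTACKER, ALICE, "GetObject", bucketName="finance-reports", key="q3.xlsx"),
       ev(15, ATTACKER, ALICE, "GetObject", bucketName="finance-reports", key="payroll.csv"),
       ev(15, ATTACKER, ALICE, "CreateAccessKey", userName="alice"),
       ev(15, ATTACKER, ALICE, "CreateUser", userName="backup-svc")]
)


def ip_prevalence(events, ip):
    """How common is this source IP in the baseline? New and short-lived is suspicious."""
    mine = [e for e in events if e["sourceIPAddress"] == ip]
    days = sorted({e["eventTime"][:10] for e in mine})
    return {"events": len(mine), "share": round(len(mine) / len(events), 3),
            "principals": sorted({e["userIdentity"]["arn"] for e in mine}),
            "first_seen": days[0] if days else None, "days_active": len(days)}


def bucket_enumeration(events, ip):
    """Buckets listed or read from the IP; ListBuckets carries no bucket and means account-wide listing."""
    mine = [e for e in events if e["sourceIPAddress"] == ip]
    listed = sorted({e["requestParameters"]["bucketName"] for e in mine
                     if e["eventName"] in ENUMERATION and "bucketName" in e["requestParameters"]})
    read = sorted((e["requestParameters"]["bucketName"], e["requestParameters"]["key"])
                  for e in mine if e["eventName"] in READS)
    return {"account_listing": any(e["eventName"] == "ListBuckets" for e in mine),
            "buckets_listed": listed, "objects_read": read}


def persistence(events, ip):
    """IAM changes made from the IP that would survive a session or key revocation."""
    return [{"action": e["eventName"], "target": e["requestParameters"].get(PERSISTENCE[e["eventName"]]),
             "by": e["userIdentity"]["arn"]}
            for e in events if e["sourceIPAddress"] == ip and e["eventName"] in PERSISTENCE]


def investigate(events, ip, max_days_active=2):
    """Combine the checks into the data a remediation step needs."""
    prev, enum, pers = ip_prevalence(events, ip), bucket_enumeration(events, ip), persistence(events, ip)
    rare = prev["days_active"] <= max_days_active
    # Rotate every credential seen from the IP, and remove what the attacker added.
    to_rotate = list(prev["principals"])
    to_remove = [p for p in pers if p["action"] in ("CreateUser", "CreateAccessKey")]
    return {"ip": ip, "rare_ip": rare, "prevalence": prev, "enumeration": enum,
            "persistence": pers, "rotate": to_rotate, "remove": to_remove,
            "exfil_suspected": rare and (enum["account_listing"] or bool(enum["objects_read"]))}


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(SAMPLE_EVENTS, ATTACKER), indent=2))
```

Prevalence is judged on how many distinct days an IP has been active rather than on its raw event count, because a burst of exfiltration from a new IP can produce more events in an hour than a legitimate office address does in a week. Note that deleting the attacker-created user and key is not enough on its own: the credential the attacker used to create them (here alice's) must be rotated as well, which is the step the key rotation playbook below covers.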

New

Cortex XDR Cloud Key Rotation Playbook

Handling compromised credentials is an important part of every cloud playbook, and this playbook is one of the main building blocks for cloud investigation and response playbooks. It rotates compromised credentials according to their type, performing actions such as resetting passwords and changing credential profiles.

New

Cortex XDR Identity Threat Detection and Remediation (ITDR)

New ITDR enhancements enable organizations to more effectively detect and manage risky users and hosts. Cortex XDR playbooks can now identify identity threats and empower analysts to make informed decisions based on calculated risk for assets in their network.

New