Read Cortex XDR - New Features June 2019 to learn about all the new features for Cortex XDR – Investigation and Response with the June '19 release 1.4. Check out all the new features and how they can help improve your security posture.
At Palo Alto Networks, we are always improving upon our products and technologies, and Cortex XDR – Investigation and Response has been improved with the following features for Cortex XDR release 1.4.
Please see the following table describing the latest features for June 2019*:
Incident Dashboard Enhancement
The Incident Dashboard now provides streamlined navigation that enables you to access the incident details from the summary page with a single click.
You can also change the display of your dashboard to use a dark color theme which is optimized for a large monitoring display.
Incident Management Enhancements
To enable you to quickly prioritize and manage incidents, several improvements to incidents include:
Ability to select multiple incidents from the incidents table and take action on them at once, for example, assign all selected incidents to an analyst or change the severity or status of multiple incidents.
Ability to move alerts between incidents and to manually create incidents from alerts in existing incidents.
To help surface higher severity alerts, low severity and informational alerts are now available on a new Insights tab. As you investigate an incident, you can review the higher severity alerts from the Alerts tab and then review any insights, as needed, for additional context on the incident. Only medium and high severity alerts raise incidents (insights do not raise incidents).
Enhanced Threat Intelligence
You can now cross-verify the verdict for key artifacts with other threat intelligence services such as AutoFocus and VirusTotal. To enable the Cortex XDR – Investigation and Response app to display the verdict for these sources, you must add the API Key for the service on the configuration page. The app displays known verdicts in the details view of a Key Artifact. You can also pivot to the threat intelligence service for additional information about the artifact.
Cortex XDR – Investigation and Response now aggregates duplicate firewall alerts together in a single alert to reduce duplicate alerts in the web interface. Firewall alerts are consolidated together when multiple alerts have identical names, occurred on the same endpoint, and were generated within a 24-hour period. The consolidated alert has a +n tag that displays the total number of alerts that are included.
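As an added illustration (not Cortex XDR's own code), the following script applies the consolidation rule described above to constructed sample alerts: same alert name, same endpoint, within a 24-hour period, with a +n tag giving the total merged. The choice to start each 24-hour window at the first alert of a group is an assumption, as the release notes do not say how the window is anchored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall alerts (not real Cortex XDR data); ISO 8601 timestamps.
SAMPLE_ALERTS = [
    {"id": 1, "name": "Suspicious DNS Query", "endpoint": "host-a", "time": "2019-06-01T08:00:00"},
    {"id": 2, "name": "Suspicious DNS Query", "endpoint": "host-a", "time": "2019-06-01T20:30:00"},
    {"id": 3, "name": "Suspicious DNS Query", "endpoint": "host-b", "time": "2019-06-01T09:00:00"},
    {"id": 4, "name": "Suspicious DNS Query", "endpoint": "host-a", "time": "2019-06-02T07:59:00"},
    {"id": 5, "name": "Suspicious DNS Query", "endpoint": "host-a", "time": "2019-06-02T08:30:00"},
    {"id": 6, "name": "Port Scan", "endpoint": "host-a", "time": "2019-06-01T08:05:00"},
]


def consolidate_firewall_alerts(alerts, window=timedelta(hours=24)):
    """Merge alerts that share (name, endpoint) and fall within `window` of the
    first alert of their group. Assumption: the window starts at the earliest
    alert of each group; an alert at or beyond that boundary opens a new group.
    Returns consolidated alerts ordered by the time they were first seen."""
    parsed = sorted(
        ({**a, "ts": datetime.fromisoformat(a["time"])} for a in alerts),
        key=lambda a: a["ts"],
    )
    by_key = defaultdict(list)
    for a in parsed:
        by_key[(a["name"], a["endpoint"])].append(a)

    consolidated = []
    for (name, endpoint), group in by_key.items():
        current = None
        for a in group:
            if current is None or a["ts"] - current["first_seen"] >= window:
                current = {"name": name, "endpoint": endpoint, "first_seen": a["ts"],
                           "last_seen": a["ts"], "alert_ids": [a["id"]]}
                consolidated.append(current)
            else:
                current["last_seen"] = a["ts"]
                current["alert_ids"].append(a["id"])

    for c in consolidated:
        n = len(c["alert_ids"])
        # The +n tag shows the total number of alerts merged; single alerts get no tag.
        c["tag"] = f"+{n}" if n > 1 else ""
    return sorted(consolidated, key=lambda c: c["first_seen"])


if __name__ == "__main__":
    for c in consolidate_firewall_alerts(SAMPLE_ALERTS):
        print(c["first_seen"], c["endpoint"], c["name"], c["alert_ids"], c["tag"])
```

Alert 4 (23h59m after alert 1) is merged, while alert 5 (24h30m later) starts a new consolidated alert, so six raw alerts become four.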
Integration with Demisto
You can now use Demisto™ to manage incidents from Cortex XDR – Investigation and Response. After you set up the API to query Cortex XDR – Investigation and Response, Demisto can receive incidents, request additional data about incidents, and make changes such as setting the status, changing the severity, or assigning an owner. Changes occur bidirectionally, so a change in one app is reflected in the other.
All Windows endpoints with Traps 6.1 and later releases can now host a remote Live Terminal to access the endpoint from the Cortex XDR – Investigation and Response app interface. All Live Terminal session actions are recorded in audit logs. The Live Terminal was previously called the Remote Terminal.
Traps Support for Mac and Linux
You can now view and investigate Traps alerts and events for Mac and Linux endpoints. This enables you to leverage the Timeline and Causality views during your alert investigation, which can help provide a complete picture of the event sequence over time. This also enables IOC and BIOC rule creation for Mac and Linux endpoints. Traps 6.1 or later is required for Mac and Linux endpoints.
Forwarding Cortex XDR – Investigation and Response Logs
You can now forward Cortex XDR – Investigation alerts to an external Syslog receiver or email using the Log Forwarding App. To further refine the alert logs the app forwards, you can filter alert logs by alert severity and type and also use custom filters.
Previously, a log forwarding profile configured to forward Cortex XDR – Analytics alerts also forwarded Cortex XDR – Investigation and Response alerts by default. Now, you must set up a new log forwarding profile to continue to forward Cortex XDR – Investigation and Response logs. With the new profile, you’ll have the flexibility to refine the alerts you forward.
Query Windows Event Logs
You can now query Windows event logs coming from endpoints with Traps 6.1 and later releases as a part of your investigation. You can now create and schedule queries to search for events by the Windows event log provider, event message, or associated username, or search for events on specific endpoints.
* All information is from the Cortex XDR release notes.