Cortex XDR - New Features June 2019

Community Team Member

Read Cortex XDR - New Features June 2019 to learn about all the new features for Cortex XDR – Investigation and Response with the June '19 release 1.4. Check out all the new features and how they can help improve your security posture. Don't forget to submit your questions here to engage. Got Questions? Get Answers here on LIVEcommunity.

CortexXDR-June-19-features.jpg

At Palo Alto Networks, we are always improving upon our products and technologies, and Cortex XDR – Investigation and Response has been improved with the following features for Cortex XDR release 1.4.

 

Please see the following table describing the latest features for June 2019 *:

FEATURE RELEASE DESCRIPTION
Incident Dashboard Enhancement 1.4
The Incident Dashboard now provides a streamlined navigation that enables you to access the incident details from the summary page with a single click.
You can also change the display of your dashboard to use a dark color theme which is optimized for a large monitoring display.
Dashboard in dark monitor theme
Incident Management Enhancements 1.4 To enable you to quickly prioritize and manage incidents, several improvements to incidents include:
  • Ability to select multiple incidents from the incidents table and take action on them at once, for example, assign all selected incidents to an analyst or change the severity or status of multiple incidents.
  • Ability to move alerts between incidents and to manually create incidents from alerts in existing incidents.
  • To help surface higher severity alerts, low severity and informational alerts are now available on a new Insights tab. As you investigate an incident, you can review the higher severity alerts from the Alerts tab and then review any insights, as needed, for additional context on the incident. Only medium and high severity alerts raise incidents (insights do not raise incidents).
Enhanced Threat Intelligence 1.4 You can now cross-verify the verdict for key artifacts with other threat intelligence services such as AutoFocus and VirusTotal. To enable the Cortex XDR – Investigation and Response app to display the verdict for these sources, you must add the API Key for the service on the configuration page. The app displays known verdicts in the details view of a Key Artifact. You can also pivot to the threat intelligence service for additional information about the artifact.
Alert Deduplication 1.4
Cortex XDR – Investigation and Response now aggregates duplicate firewall alerts together in a single alert to reduce duplicate alerts in the web interface. Firewall alerts are consolidated together when multiple alerts have identical names, occurred on the same endpoint, and were generated within a 24-hour period. The consolidated alert has a +n tag that displays the total number of alerts that are included.
Integration with Demisto 1.4 You can now use Demisto™ to manage incidents from Cortex XDR – Investigation and Response. After you set up the API to query Cortex XDR – Investigation and Response, Demisto can receive incidents, request additional data about incidents, and make changes such as to set the status and change the severity or assign an owner. Changes occur bidirectionally, so a change from one app is reflected in the other.
Cortex XDR API for Incident Management 1.4 You can now create, update, and manage incidents using the ticket management service of your choice through the Cortex XDR – Investigation and Response API.
Live Terminal through Traps 1.4 All Windows endpoints with Traps 6.1 and later releases can now host a remote Live Terminal to access the endpoint from the Cortex XDR – Investigation and Response app interface. All Live Terminal session actions are recorded in audit logs. The Live Terminal was previously called the Remote Terminal.
Traps Support for Mac and Linux 1.4 You can now view and investigate Traps alerts and events for Mac and Linux endpoints. This enables you to leverage the Timeline and Causality views during your alert investigation, which can help provide a complete picture of the event sequence over time. This also enables IOC and BIOC rule creation for Mac and Linux endpoints. Traps 6.1 or later is required for Mac and Linux endpoints.
Forwarding Cortex XDR – Investigation and Response Logs 1.4 You can now forward Cortex XDR – Investigation alerts to an external Syslog receiver or email using the Log Forwarding App. To further refine the alert logs the app forwards, you can filter alert logs by alert severity and type and also use custom filters.
Previously, a log forwarding profile configured to forward Cortex XDR – Analytics alerts also forwarded Cortex XDR – Investigation and Response alerts by default. Now, you must set up a new log forwarding profile to continue to forward Cortex XDR – Investigation and Response logs. With the new profile, you’ll have the flexibility to refine the alerts you forward.
Query Windows Event Logs 1.4 You can now query Windows event logs coming from endpoints with Traps 6.1 and later releases as a part of your investigation. You can now create and schedule queries to search for events by the Windows event log provider, event message, associated username, or search for events on specific endpoints.
 
* - All information is from the Cortex XDR release notes:

Cortex XDR - Release Notes - New Features - June 2019

 

More Info

For even more information on Cortex XDR, please see the entire release notes in Palo Alto Networks TechDocs:

Cortex XDR Investigation and Response Release Notes

 

Thanks for taking time to read my blog. If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line

745 Views
Ask Questions Get Answers Join the Live Community
Labels