New Cortex XDR 2.6 Features and Overview Videos

Community Team Member

Cortex XDR 2.6 features and video.png

Hello everyone.

 

Here are the latest features for the November release of Cortex XDR 2.6, including new Overview Videos.

 

Features Introduced in the November release include everything from a new region for Canada, GCP (Google Cloud Platform) improvements, API improvements and many, many more. You just have to see the list below for all the details.
 
Overview videos will be listed below the new features.
 

The following table describes new features in the Cortex XDR 2.6 release.*
FEATURE
DESCRIPTION
General
New Canada Region
You can now deploy Cortex XDR in the new Canada region. For deployment considerations, see Plan Your Cortex XDR Deployment.
Copyable Row Values
To continue investigation outside of Cortex XDR, you can now copy the contents of one or more rows to the clipboard. The new option is available from the pivot menu for the selected rows.
Investigation and Response
XQL Query Language for Cortex XDR
(Requires a Cortex XDR Pro license)
To improve your threat research and incident investigation capabilities, you can now use XQL queries to search for and view raw data that is stored in Cortex XDR. Supported data sets include Cortex XDR agent logs, network and authentication stories including third-party data, and logs ingested into Cortex XDR from third parties. XQL offers a wide range of features such as query filters, aggregations, and joins and unions across data sets. You submit XQL queries to Cortex XDR from the new Cortex XQL query which supersedes the Native Search.
Data Visualization for XQL Queries
(Requires a Cortex XDR Pro license)
To help you visualize the raw XQL query results, you can view your results in charts or graphs. For long term monitoring of results, you can also now add custom widgets to Cortex XDR dashboards and reports. To set up a custom widget, you supply the XQL query and the visualization type (donut chart, bar chart, or graph). XQL query-based widgets enable you to continuously monitor available logs and data for the information that matters most to your organization.
Search and Destroy Queries
(Requires a Cortex XDR Pro per Endpoint license)
To search for malicious files, you can now search using either the new XQL query or the Native Search. Each search method uses different syntax that is specific to the method.
BIOC Creation from XQL Queries
(Requires a Cortex XDR Pro license)
After you run an XQL query, you can now easily configure BIOCs that match your query parameters. BIOC rule creation is available only if the XQL query can convert to a valid BIOC if run on data as is and meaning it is not available for alters, functions, comp, field selection, datasets other than the EDR datasets or presets.
Separate Tab Options for Investigation
When you analyze an alert, you can now choose to open the Causality and Timeline Views in the same tab. Both the existing option for opening the view in a separate tab and the new option are available from the right-click pivot menus of alerts from the Incidents page, Alerts tables, and results for queries.
Incident Enhancements
To improve the incident investigation experience, the following enhancements are now available:
 
  • Consistent alert counting between the incident table and the incident view
 
  • Correlation of a macro hash as the key artifact hash
 
Full Causality Chain Termination
(Requires a Cortex XDR Pro per Endpoint license)
To enhance your remediation capabilities, you can now Terminate Causality when reviewing Remediation Suggestions from the Causality Card or Incident View. This enables you to terminate the entire causality chain of processes that executed under the process tree of the Causality Group Owner (CGO) process name.
UI Position Change for Native Search
In the Cortex XDR management console, the Native Search that was previously available at the top and center of the Query Builder is now available on the top right of the Query Builder.
Full Hash Visibility for Processes
When you hover over the process node in the Causality View, the Process Information pop-up now displays the full SHA256 hash.
Session PCAP Downloads for NGFW Alerts
(Requires a Cortex XDR Pro per TB license)
When a session PCAP is available for NGFW alerts raised on Palo Alto Networks firewall traffic, you can now download the PCAP containing the first 100 bytes of the triggering packet directly from Cortex XDR. To access the PCAP, you can download the file from the Alerts table or Incident.
Log and Alert Ingestion and Forwarding
Impacted User and Host Visibility in Notifications
When you configure notifications for alerts in Cortex XDR, the notification now includes the Username and Hostname of the impacted user in the Slack notification details, and Username for Email notifications.
When known, Cortex XDR displays the username and hostname in any Slack or Email notifications that you set up.
Google Cloud Platform (GCP) Log Ingestion
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest raw logs from GCP. To receive logs from GCP, you configure SaaS Log Collection for GCP in Cortex XDR, and enable log forward in your GCP account. Cortex XDR can then provide visibility into your data using the XQL query combining results with any other data you have ingested into Cortex XDR.
Extended Log Ingestion for Syslog in CEF Format
(Requires a Cortex XDR Pro per TB license)
Cortex XDR extends log ingestion support from specific vendors to sources sending CEF over Syslog (TLS not supported). For simplified Syslog collector configuration, you can configure the protocol, IP address and port, and format settings from the broker applet management console. After Cortex XDR begins receiving logs from the third-party source, you can use the XQL query to view data and use it to create new BIOC rules.
Endpoint Prevention and Security
Cortex XDR Pro per Endpoint License Enforcement
Cortex XDR now enforces the number of Pro agents permitted by the license policy. Cortex XDR calculates the number of Pro agents permitted and will only apply Pro capabilities the number of agents associated with the license. Any agent that exceeds the number to which the policy applies will not have these capabilities.
To provide additional customization of your Cortex XDR Pro per Endpoint license capabilities, the agent settings policy also now includes configurable options for Pro capabilities, such as remediation suggestions. With an additional Host Insights Add-On license, the agent settings policy also now includes data collection for Vulnerability Assessment, Host Inventory, and Search and Destroy.
As soon as you reach the maximum allotted number of Pro agents, Cortex XDR displays a notification in the notification center. You can also track the status of the policy on a per-agent basis where Cortex XDR identifies whether an agent has Pro capabilities enabled from Endpoint Administration. If additional Pro agents are required, increase your Cortex XDR Pro per Endpoint license capacity.
Endpoint Visibility for Endpoint Groups
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license)
To enable you to easily manage all endpoints in an endpoint group, you can now pivot from an endpoint group to a filtered list of endpoints on the Endpoint Administration page. From the filtered view, you can quickly view and initiate actions on the endpoints within the group.
Endpoint Location Visibility
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license)
Cortex XDR now provides visibility into the last known location of the endpoint. The new Endpoint Location field on the Endpoint Administration page indicates whether the endpoint is internal or external as determined by the Cortex XDR agent. On Windows endpoints, endpoint location visibility is supported with Cortex XDR agent 7.1 and later versions. On Mac and Linux endpoints, endpoint location visibility is supported with Cortex XDR agent 7.2 and later. If the endpoint has an earlier version of the Cortex XDR agent, Cortex XDR displays the Endpoint Location field as Not Supported. If the agent is unable to determine the endpoint location, the field displays a Disabled status.
Widgets by Endpoint Groups
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license)
To provide visibility into the status of specific groups of endpoints, you can now assign Endpoint Groups to widgets that you add to your dashboards and report templates. By default, endpoint-related widgets apply to all endpoints. To reduce the scope of a widget, add it to your Dashboard or Report Template and then use the Data Scope field to select one or more endpoint groups.
FQDN in Proxy Configuration
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent version 7.2.1 or later)
When configuring proxy communication between Cortex XDR and your Cortex agents, you can now supply the FQDN of a proxy server instead of the IP address. The FQDN format is supported on Cortex XDR agent 7.2.1 and later versions. If you configure an FQDN for earlier agent versions, the Cortex XDR agent reverts back to the original proxy settings.
Cortex XDR Host Insights Add-On Module
Host Insights Menu Restructure
(Requires a Cortex XDR Pro per Endpoint license and Host Insights Add-on)
To streamline investigation in the Host Insights module, information about the host is now organized under the following menu items:
 
  • Host Inventory
 
  • Vulnerability Management
 
Host Inventory for macOS and Linux
(Requires a Cortex XDR Pro per Endpoint license and Host Insights Add-on)
To enhance your investigation capabilities, Cortex XDR now provides extensive Host Inventory data for macOS and Linux, such as users, groups, daemons, and more.
Bundle ID for macOS
(Requires a Cortex XDR Pro per Endpoint license and Host Insights Add-on)
To enhance your host information when using the Host Insights module, Bundle ID for macOS is now available on the Vulnerability Management page.
Broker VM (Version 10.0.18)
Broker VM Support for GCP
You can now deploy the broker VM in Google Cloud Platform (GCP). To set up the broker VM in GCP, you download the VMDK image from Cortex XDR and use it to set up the image and instance for the VM in Compute Engine.
CyberArk Authentication for Pathfinder
When you configure the Pathfinder applet, you can now use Cyberark AAM integration as an alternative to providing the domain credentials. To allow Cortex XDR to retrieve the user the credentials stored within the Cyberark AAM, you supply the web address, port, App-ID, certificate, and query string.
Multi-Tenants and MSSPs
Cross-Tenant Scheduled Queries
You can now schedule queries to run across multiple tenants. For each query, Cortex XDR can return up to 100,000 results across all selected tenants.
Increased Capacity for Query Results Across Tenants
You can now run queries across an unlimited number of tenants. In addition, Cortex XDR can now return up to 100,000 results across your tenants.
Hash Exclusion Visibility and Management
When you investigate a file by hash, Cortex XDR now provides visibility into any allow or block lists to which the hash belongs. If you attempt to add a hash that already belongs to a list, Cortex XDR now shows you in which lists this hash exist. The new hash visibility and management options are available across the Action Center, Hash View, and Quick Launcher.
API
User Validation for Cortex XDR APIs
To ensure that changes to Cortex XDR incidents are made by authorized users, Cortex XDR validates the user specified in the assigned_user_mail field when calling the Update an Incident API.
Enhanced Visibility of Incident Data
To help you gain greater visibility of requested API data when calling Get Incidents and Get Extra Incident Data APIs, the response section now includes the incident_name field if one is assigned to an incident ID.

* - All new features have been taken from the Cortex XDR Release Notes page

 

Overview Videos

Cortex CDR Walkthrough videos pageCortex CDR Walkthrough videos page

VIDEOS! - I know that videos can help show more than a simple screenshot... 

 

A total of 8 Videos have been added to the Cortex XDR Walkthrough videos page, please be sure to check out that page as those videos are super informative.

 

More Info

For all of the details from the release notes for Cortex XDR November release, please see the Cortex XDR Release Notes page

For all of the resources that we have on the LIVEcommunity for Cortex XDR, please see the LIVEcommunity Cortex XDR page

Plus, here are more materials you may find helpful: 

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog area.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line

452 Views
Labels