Cortex XDR August Release: Integrating Analytics with Investigation and Response
The Cortex XDR August release unifies the Analytics and Investigation and Response apps into a single Cortex XDR app, with a unified and streamlined user interface.
This means that the Cortex XDR – Analytics user interface has been retired and all functionality moved to the new unified UI – see details below.
What's New – Highlights
Single Cortex XDR App With a Single UI
As of the August release, a single app icon for Cortex XDR appears in the hub: The "Cortex XDR – Investigation and Response" app is renamed "Cortex XDR."
The "Cortex XDR - Analytics" app icon will no longer appear in the hub.
Trying to access saved links (e.g. bookmarks) leading directly to Cortex XDR - Analytics pages will redirect you to a page explaining the two apps merged, with a link to the new unified Cortex XDR UI.
Please update your bookmarks!
The two Cortex XDR tenants (Investigation & Response and Analytics) will continue to appear as two separate line items in the hub’s status page.
Palo Alto Networks Hub Status Page
Cortex XDR - Analytics Alerts in the Unified Cortex XDR UI
Cortex XDR - Analytics alerts are those with an alert source of "Analytics" or "Analytics BIOC."
All Cortex XDR - Analytics alerts are displayed in the Cortex XDR UI alert page, grouped into incidents and can be investigated by right-clicking and choosing "Analyze."
This means that Analytics BIOC alerts are shown on causality cards side by side with IOCs, BIOCs, Traps security events and next-generation firewall threat logs.
Analytics alerts are also grouped into incidents; through their aggregate nature, this aids analysts in their investigations by providing broader context.
You can now easily filter and sort through the data in the forensic tables for Cortex XDR - Analytics alerts and endpoints.
A Network-Based Analytics Alert From an Unmanaged Source
Processes Associated with Cortex XDR - Analytics Alerts
In the unified UI, you can see the data for all processes associated with all new Analytics alerts. There may be more than one process, or process instance, associated with these alerts, given their aggregate nature. This means you can now reach the causality cards for all of these processes.
How? Simply right-click the process(es) icon, choose "View Process Instances," and then right-click on the chosen process instance and choose "Analyze," which will open its causality card.
This drilldown enables in-depth investigation, which is now also streamlined and easy, even for aggregate Analytics alerts, whose duration may span hours or even days!
Drill Down to Process Causality Chains From Analytics Alerts Triggered on Managed Endpoints
View Endpoint and User Data on the Graph
Viewing endpoint data (previously known as “host view”) is now possible by clicking on any endpoint which has a circle around its icon (indicating it is an internal endpoint that we have information about, and not an external host).
This keeps the graph in focus, allowing you to look at the data Cortex XDR – Analytics has on all the endpoints involved in the alert.
The same holds true for user data, which is displayed if you click the username in an Analytics alert graph.
Cortex XDR - Analytics alerts (source type "Analytics" and "Analytics BIOC") can now be whitelisted using exclusion policies, instead of the retired Cortex XDR - Analytics whitelisting mechanism.
Note that rules based on MAC addresses were not migrated.
Upon upgrading to the August Cortex XDR version, existing whitelist rules were automatically migrated to exclusion policies.
It is advised to review the resulting exclusion policies from this automated migration, as the two mechanisms are not identical.
Exclusion policies have several benefits over the previous whitelisting mechanism:
You can proactively exclude alerts.
You can exclude several different alert types using a single rule!
There is more flexibility in defining the exclusion rules, without any limitations on which field types can be referenced
Remember - with great power comes great responsibility: You may end up completely excluding a certain alert type if you use fields and values which are always true for all triggered alerts of this type.