Features Introduced in 2019
New features introduced in Cortex XDR – Investigation and Response during 2019, listed by month.
The following topics describe the new features introduced in the Cortex XDR – Investigation and Response in 2019 by month.
Features Introduced in May
The following table describes the features released in May 2019.
| Feature | Release | Description |
|---|---|---|
| Incident Dashboard | 1.3 | Cortex XDR – Investigation and Response now provides an overview of the incidents in your environment from a new dashboard, where you can view incidents prioritized by severity, assignee, incident age, and affected hosts. This lets you track the security status of your environment over time and drill down into incidents and alerts for additional details. |
| Role-Based Access Control | 1.3 | In addition to the Cortex hub administrator roles that you can use to manage access for your apps, you can now assign more granular user roles for Cortex XDR – Investigation and Response from the Cortex hub. The new roles enable you to restrict access to specific functions, such as threat response capabilities, to enforce the separation of information and access for different users in your organization. You can assign the following Cortex XDR – Investigation and Response roles: |
| IOC Rule Exceptions | 1.3 | In addition to BIOC exceptions, you can now create exceptions to IOC rules to prevent Cortex XDR – Investigation and Response from raising alerts when an IOC is used in a legitimate way. |
| Alert Exclusions | 1.3 | If you determine that certain alerts are benign and want to suppress all similar alerts in the app, you can now define an alert exclusion policy. Cortex XDR – Investigation and Response then hides any new alerts that match the policy. If you set an exclusion to apply to existing alerts as well, the app displays the previously generated alerts grayed out in the incident and alert tables. |
Features Introduced in April
The following table describes the features released in April 2019.
| Feature | Release | Description |
|---|---|---|
| Incident Management | 1.2 | The Cortex XDR – Investigation and Response app now consolidates alerts related to a detected threat into a single incident. You can view all incidents in your network from the Incidents page. Because an attack can affect several hosts or users and raise several different alert types stemming from a single event, each incident retains the full context of its related alerts and lets you view the entire scope of the threat. Each incident automatically groups all relevant assets, suspicious artifacts, alerts, and WildFire malware reports related to the threat. To help manage incidents as you investigate, you can change the status and add details in notes and comment threads. You can also assign other analysts to investigate, take remedial action, and document the incident resolution from within an incident. |
| Firewall Threat Log Integration | 1.2 | The Cortex XDR – Investigation and Response app now supports threat logs of the URL Filtering, Spyware, Vulnerability, Scan, and WildFire Analysis subtypes from Palo Alto Networks firewalls. The app stitches these alerts together with other sources to provide more context in your investigations. |
| Palo Alto Networks-Delivered BIOC Rules | 1.1 | Palo Alto Networks can now deliver the latest threat research as global BIOC rules to all Cortex XDR – Investigation and Response instances. As Palo Alto Networks security experts identify new threats, they can create new BIOC rules that alert on specific malicious behavioral indicators. The app periodically checks for the latest BIOCs and automatically applies them to your historical data to surface any new alerts. This reduces the overall setup and maintenance of BIOC rules and enables you to identify threats immediately. You can also add exceptions to, or disable, global BIOC rules if needed. |
| Remote Terminal | 1.1 | You can now establish a remote connection through Cortex XDR – Investigation and Response directly to a monitored endpoint in your network. The new Remote Terminal emulates a local graphical user interface and is available with the use of a Pathfinder VM. In addition, the Remote Terminal provides a Windows command line and a Python command shell from which you can run commands and scripts. After connecting to the endpoint, you can navigate the local file directory; manage files, folders, and processes; and perform remediation actions. At the end of your session you can also save a session report, which can include any actions performed and any files you flagged for follow-up. |
| Save and Share Filters | 1.1 | Cortex XDR – Investigation and Response now enables you to save, modify, and share filters across your organization. |
| Audit Logs | 1.1 | You can now view all administrative activity in Cortex XDR – Investigation and Response from the new Auditing page. Examples of activity logged in the app include BIOC and IOC policy management, response actions initiated, and remote session commands together with the command response. You can also filter the activity and export the results to a tab-separated values (TSV) file. |
| Role Management from Cortex Hub | 1.1 | To enable you to manage roles for all Cortex apps in a single location, you now manage roles from the Cortex hub. Any existing users who were assigned roles in the Customer Support Portal are automatically migrated to the Cortex hub: users who were previously assigned the Super User role are now assigned the Account Administrator role in the Cortex hub, and users who were previously assigned the Standard and XDR roles are now assigned the App Administrator role for the Cortex XDR – Investigation and Response app, which allows them to manage all app instances. We recommend that you review the Cortex Hub Getting Started Guide and the roles assigned to your users following this migration to determine whether any changes are required. |
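As an added example, not part of the original release notes or of any Palo Alto Networks code, the following Python script shows the kind of review a practitioner would run over an exported audit TSV: it parses the export, pulls out the privileged activity (response actions and Remote Terminal commands), and flags actions that failed or ran outside business hours. The column names, event types, and sample rows are constructed stand-ins for illustration; this page does not describe the real export schema, so adapt the field names to what your export actually contains.

```python
import csv
import io
from collections import Counter

# Constructed sample of an audit-log TSV export. The column names, event types
# and values are hypothetical stand-ins, not the product's real export schema.
SAMPLE_TSV = """timestamp\tuser\ttype\tsubtype\tdescription\tresult
2019-05-02T09:14:03Z\talice@example.com\tRULES\tBIOC rule created\tRule 'Suspicious PowerShell download cradle'\tSUCCESS
2019-05-02T09:20:41Z\tbob@example.com\tRESPONSE\tIsolate endpoint\tHost WS-1042 isolated\tSUCCESS
2019-05-02T09:25:10Z\tbob@example.com\tREMOTE TERMINAL\tCommand\tcmd: netstat -ano | response: 0 rows\tSUCCESS
2019-05-02T09:26:55Z\tbob@example.com\tREMOTE TERMINAL\tCommand\tcmd: reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | response: 4 entries\tSUCCESS
2019-05-02T10:02:17Z\tcarol@example.com\tRULES\tIOC exception added\tException for domain update.example.org\tSUCCESS
2019-05-03T01:40:09Z\tbob@example.com\tRESPONSE\tIsolate endpoint\tHost WS-2001 isolated\tFAILURE
"""

# Event types (hypothetical names) that change endpoint state or run commands
# on a host, and therefore deserve a closer look than rule or filter edits.
PRIVILEGED_TYPES = {"RESPONSE", "REMOTE TERMINAL"}


def parse_audit_tsv(text):
    """Parse a TSV export into a list of dicts keyed by the header row."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return list(reader)


def privileged_actions(events, business_hours=(8, 18)):
    """Return the privileged events, each with a list of review flags.

    A flag is raised when the action ran outside business_hours (UTC hours
    taken from the ISO timestamp) or when the recorded result is not SUCCESS.
    """
    start, end = business_hours
    findings = []
    for event in events:
        if event["type"] not in PRIVILEGED_TYPES:
            continue
        hour = int(event["timestamp"][11:13])  # "YYYY-MM-DDTHH:..." -> HH
        flags = []
        if not start <= hour < end:
            flags.append("outside business hours")
        if event["result"] != "SUCCESS":
            flags.append("action failed")
        findings.append({
            "timestamp": event["timestamp"],
            "user": event["user"],
            "type": event["type"],
            "description": event["description"],
            "flags": flags,
        })
    return findings


def actions_per_user(events):
    """Count privileged actions per (user, type) to spot unusually busy accounts."""
    return Counter(
        (e["user"], e["type"]) for e in events if e["type"] in PRIVILEGED_TYPES
    )


if __name__ == "__main__":
    parsed = parse_audit_tsv(SAMPLE_TSV)
    for finding in privileged_actions(parsed):
        marker = " <-- review" if finding["flags"] else ""
        print(f"{finding['timestamp']} {finding['user']:18} {finding['type']:16} "
              f"{finding['description']}{marker} {', '.join(finding['flags'])}")
    for (user, kind), count in actions_per_user(parsed).most_common():
        print(f"{user}: {count} x {kind}")
```

Run it against a real export by replacing `SAMPLE_TSV` with the file contents and renaming the dictionary keys to match the export's header row; the point of the business-hours and failure flags is to surface remote commands and isolation attempts that nobody expected, which is exactly the activity the Auditing page records.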