Features Introduced in 2019

The following topics describe, month by month, the new features introduced in Cortex XDR – Investigation and Response during 2019.

Features Introduced in May

The following features were released in May 2019. The release version that introduced each feature is shown in parentheses after the feature name.

Incident Dashboard (release 1.3)
Cortex XDR – Investigation and Response now provides an overview summary of the incidents in your environment. From the new dashboard you can view incidents prioritized by severity, assignee, incident age, and affected hosts. This enables you to view the security status of your environment over time and drill down into incidents and alerts for additional details.

Role-Based Access Control (release 1.3)
In addition to the Cortex hub administrator roles that you can use to manage access for your apps, you can now assign more granular user roles for Cortex XDR – Investigation and Response from the Cortex hub. The new roles enable you to restrict access to specific functions, such as threat response capabilities, to enforce the separation of information and access for different users in your organization. You can assign the following Cortex XDR – Investigation and Response roles:
  • Investigation—Provides full access to the Alerts, Incidents, and Investigation tabs.
  • Investigation and Rules View—Provides full access to the Alerts, Incidents, and Investigation tabs, with read-only access to BIOC and IOC rules.
  • Investigation and Response—Provides full access to the Alerts, Incidents, Investigation, and Response tabs.
  • Investigation Rules View and Response—Provides full access to the Alerts, Incidents, Investigation, and Response tabs, and read-only access to Rules.
  • Investigation Rules and Response—Provides full access to all features except the app configuration pages and audit logs.

IOC Rule Exceptions (release 1.3)
In addition to BIOC exceptions, you can now create exceptions to IOC rules to prevent Cortex XDR – Investigation and Response from raising alerts when an IOC is used in a legitimate way.

Alert Exclusions (release 1.3)
If you determine certain alerts to be benign and want to suppress all similar alerts in the app, you can now define an alert exclusion policy. Cortex XDR – Investigation and Response then hides any new alerts that match the policy. If you set an exclusion to apply to existing alerts, the app displays the previously generated alerts grayed out in the incident and alert tables.

Features Introduced in April

The following features were released in April 2019. The release version that introduced each feature is shown in parentheses after the feature name.

Incident Management (release 1.2)
The Cortex XDR – Investigation and Response app now consolidates alerts related to a detected threat into a single incident. You can view all incidents in your network from the Incidents page. Because an attack can affect several hosts or users and raise several different alert types stemming from a single event, each incident retains all the context of the related alerts and enables you to view the entire scope of the threat. Each incident automatically groups all relevant assets, suspicious artifacts, alerts, and WildFire malware reports related to the threat. To help manage incidents as you investigate, you can change the status and add details in notes and comment threads. From an incident you can also assign other analysts to investigate, take remedial action, and document the incident resolution.

Firewall Threat Log Integration (release 1.2)
The Cortex XDR – Investigation and Response app now supports threat logs for the URL Filtering, Spyware, Vulnerability, Scan, and WildFire Analysis subtypes from Palo Alto Networks firewalls. The app stitches these alerts together with other sources to provide more context in your investigations.

Palo Alto Networks-Delivered BIOC Rules (release 1.1)
Palo Alto Networks can now deliver the latest threat research as global BIOC rules to all Cortex XDR – Investigation and Response instances. As Palo Alto Networks security experts identify new threats, they can create new BIOC rules that alert on specific malicious behavioral indicators. The app periodically checks for the latest BIOCs and automatically applies them to your historical data to surface any new alerts. This reduces the overall setup and maintenance of BIOC rules and enables you to identify threats immediately. In addition, you can add exceptions to or disable global BIOC rules if needed.

Remote Terminal (release 1.1)
You can now establish a remote connection through Cortex XDR – Investigation and Response directly to a monitored endpoint in your network. The new Remote Terminal emulates a local graphical user interface and is available with the use of a Pathfinder VM. In addition, the Remote Terminal provides a Windows command line and a Python command shell from which you can run commands and scripts. After connecting to the endpoint, you can navigate the local file directory; manage files, folders, and processes; and perform remediation actions. At the end of your session you can also save a session report, which can include any actions performed and any files you flagged for follow-up.

Save and Share Filters (release 1.1)
Cortex XDR – Investigation and Response now enables you to save, modify, and share filters across your organization.

Audit Logs (release 1.1)
You can now view all administrative activity in Cortex XDR – Investigation and Response from the new Auditing page. Examples of activity logged in the app include BIOC and IOC policy management, response actions initiated, and remote session commands together with the command response. You can also filter the activity and export the results to a tab-separated values (TSV) file.

Role Management from Cortex Hub (release 1.1)
To enable you to manage roles for all Cortex apps in a single location, you now manage roles from the Cortex hub. Any existing users who were assigned roles in the Customer Support Portal are automatically migrated to the Cortex hub: users who were previously assigned the Super User role are now assigned the Account Administrator role in the Cortex hub, and users who were previously assigned the Standard and XDR roles are now assigned the App Administrator role for the Cortex XDR – Investigation and Response app, which allows them to manage all app instances. We recommend that you review the Cortex Hub Getting Started Guide and the roles assigned to your users following this migration to the Cortex hub to determine whether any changes are required.
