Features Introduced in 2019
The following topics describe the Cortex XDR features introduced in 2019 by month.
Features Introduced in September
The following features were released in September 2019.
To help you focus on the incidents that matter most, you can now create an incident starring policy that categorizes and stars incidents containing alerts that match the attributes you decide are important. After you define a policy, Cortex XDR adds a star indicator to any incident that contains a matching alert. You can then sort or filter the Incidents table for starred incidents, and on the Incidents Dashboard you can choose whether to display all incidents or only starred ones.
The incident starring policy is also exposed through the Cortex XDR API: the get_incidents API now returns a starred field that indicates whether an incident contains alerts matching your incident starring policy.
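The following script is an added example, not code from the Cortex XDR documentation, showing how a client would use the starred field through the get_incidents API: it builds the request envelope, optionally asks the server to return only starred incidents, and checks the starred field on the client side as well. The endpoint path, the request_data/filters/search_from/search_to envelope, the x-xdr-auth-id and Authorization headers, and the use of "starred" as a filter field are assumptions about the API that the page itself does not state; the base URL and API key values are placeholders, and the sample reply is constructed for offline use.

```python
"""Query Cortex XDR for starred incidents through the get_incidents API.

Added example; not from the Cortex XDR docs. Assumed (not stated on the page):
the endpoint path, the request envelope, the auth headers and that "starred"
can be used as a filter field with the "eq" operator.
"""
import json
import urllib.request

# Assumed endpoint path for the get_incidents API.
GET_INCIDENTS_PATH = "/public_api/v1/incidents/get_incidents/"


def build_request_body(starred_only=True, search_from=0, page_size=100):
    """Build the JSON envelope for a get_incidents call.

    When starred_only is True, a server-side filter on the "starred" field is
    added (assumed filter field); otherwise every incident in the window is
    requested. search_from/search_to page through the result set.
    """
    filters = []
    if starred_only:
        filters.append({"field": "starred", "operator": "eq", "value": True})
    return {
        "request_data": {
            "filters": filters,
            "search_from": search_from,
            "search_to": search_from + page_size,
            "sort": {"field": "creation_time", "keyword": "desc"},
        }
    }


def starred_incident_ids(reply):
    """Return the IDs of incidents whose starred field is exactly true.

    Checking the field client-side is a cheap safeguard: if the tenant ignores
    an unrecognised filter field, the call returns unstarred incidents too.
    """
    incidents = reply.get("reply", {}).get("incidents", [])
    return [inc["incident_id"] for inc in incidents if inc.get("starred") is True]


def fetch_incidents(base_url, api_key_id, api_key, body):
    """POST the body to the tenant (network call; not used by the offline sample).

    base_url is the tenant API host, e.g. https://api-<tenant fqdn> (placeholder).
    Standard-key authentication is assumed to use the two headers below.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + GET_INCIDENTS_PATH,
        data=json.dumps(body).encode(),
        headers={
            "x-xdr-auth-id": str(api_key_id),
            "Authorization": api_key,
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample reply shaped like a get_incidents response, for offline use.
SAMPLE_REPLY = {
    "reply": {
        "total_count": 3,
        "result_count": 3,
        "incidents": [
            {"incident_id": "1", "starred": True, "severity": "high", "alert_count": 4},
            {"incident_id": "2", "starred": False, "severity": "low", "alert_count": 1},
            {"incident_id": "3", "starred": True, "severity": "medium", "alert_count": 2},
        ],
    }
}

if __name__ == "__main__":
    print(json.dumps(build_request_body(), indent=2))
    print("starred incidents:", starred_incident_ids(SAMPLE_REPLY))
```

To run it against a real tenant, replace the sample reply with `fetch_incidents("https://api-<tenant fqdn>", "<key id>", "<api key>", build_request_body())` and page with search_from until result_count is smaller than the page size.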
Features Introduced in August
The following features were released in August 2019.
Unified Cortex XDR Interface
The Cortex XDR – Investigation and Response and Cortex XDR – Analytics apps have been consolidated into a single Cortex XDR app, available from the hub under the Cortex XDR tile. To access the Cortex XDR – Analytics features in the new app, you must be assigned an administrative role for Cortex XDR – Analytics.
Analytics Alert Analysis
You can now analyze Analytics and Analytics BIOC alerts in Cortex XDR. Each alert type provides a tailored analytics view to help you understand the context of the alert. This view provides an alert summary, a graphical representation of the activity that you can interact with, and any related events. From the analytics view, you can also take additional actions to respond to the alert such as initiating a live terminal or adding a malicious domain or IP address to an external dynamic list (EDL).
Cortex XDR can now identify related App-IDs for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application. To add the App ID column, use the column manager on the Alerts table.
URL Category Integration
Cortex XDR now integrates the URL filtering categories associated with URL filtering logs into the Alerts table. When the category is known, Cortex XDR displays it alongside the alert.
Threat Intelligence License Truncation
Cortex XDR now truncates part of the license key displayed on the Threat Intelligence page when you integrate additional threat intelligence sources such as AutoFocus and VirusTotal. Because only part of the key is shown, you can take screen captures or videos of the page, for example for demos, without exposing the full license key.
Alerts Tab Change
To streamline investigations, the Alerts page has been removed from the main Cortex XDR menu. The Alerts table is now reached only from the Incidents table or from within the investigation of an incident.