Features Introduced in 2019
The following topics describe the Cortex XDR features introduced in 2019 by month.
Features Introduced in October
The following sections describe the features released in October 2019.
External Alert Investigation in Cortex XDR
To give you a more complete and detailed picture of the activity involved in an incident, you can now investigate alerts from external sources in Cortex XDR. To set up Cortex XDR to receive alerts from an external source, you set up a syslog collector and configure your alert source to forward alerts, in CEF format, to that collector. You can also ingest alerts from external sources using the Cortex XDR API. If you use Cortex XDR Analytics for Check Point firewall logs, Cortex XDR automatically maps the fields of Check Point firewall alerts. For other external alert sources, however, you must map the required fields to the Cortex XDR format yourself. Cortex XDR can then stitch the alerts it receives from any external source together with relevant log data, such as endpoint and user data. These alerts are available in your incidents, in the Alerts table, and in the Causality view.
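The receiving side of the syslog path described above has two parts that are easy to get wrong: parsing CEF correctly (escaped pipes in the header, escaped equals signs and backslashes in the extension) and rejecting alerts that lack the fields the destination requires. The following Python sketch is an added illustration, not code from this release note or from Cortex XDR; the normalized field names (alert_name, source_ip, alert_time and so on), the FIELD_MAP and the required-field list are assumptions standing in for whatever schema the destination actually demands, and the syslog lines are constructed samples.

```python
"""Parse syslog-forwarded CEF alerts and map them onto a normalized alert
record: the manual field-mapping step needed for non-Check Point sources.
Added example; normalized field names are assumptions, not Cortex XDR's schema."""
import re
from typing import Optional

# An unescaped '|' separates the seven CEF header fields and the extension;
# '\|' and '\\' are literal characters inside a header field.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension pairs: key=value, value runs (lazily) until the next " key=" or
# end of string; '\\.' keeps escaped characters such as '\=' inside a value.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?= [A-Za-z0-9_.]+=|$)")
_ESCAPES = {"\\": "\\", "|": "|", "=": "=", "n": "\n", "r": "\r"}

# Hypothetical mapping from CEF extension keys to a normalized alert schema.
# The right-hand names are illustrative assumptions, not product field names.
FIELD_MAP = {"rt": "alert_time", "src": "source_ip", "dst": "destination_ip",
             "dpt": "destination_port", "suser": "user_name", "shost": "host_name"}
REQUIRED = ("source", "alert_name", "severity", "alert_time")  # assumed

# Constructed sample syslog lines: a valid alert with escapes, a non-CEF line,
# and a CEF line whose name and rt fields are missing.
SAMPLE_SYSLOG = [
    "<13>Oct 11 12:00:01 fw01 CEF:0|ExampleVendor|ExampleFW|5.1|1001|"
    "Blocked connection \\| policy deny|7|rt=Oct 11 2019 12:00:01 src=10.1.2.3 "
    "dst=203.0.113.7 dpt=445 suser=jdoe msg=C:\\\\tools\\\\run.exe flagged\\=true",
    "<13>Oct 11 12:00:02 fw01 plain text, not CEF at all",
    "<13>Oct 11 12:00:03 fw01 CEF:0|ExampleVendor|ExampleFW|5.1|1002||3|src=10.1.2.9",
]


def _unescape(text: str) -> str:
    # Resolve CEF backslash escapes; an unknown escape keeps its character.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)


def parse_cef(line: str) -> Optional[dict]:
    """Return header fields plus an 'extension' dict, or None when the line
    carries no CEF payload. Any syslog prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        return None
    parts = _HEADER_SPLIT.split(line[start + len("CEF:"):].strip(), maxsplit=7)
    if len(parts) < 7:
        return None  # truncated header: fewer than seven header fields
    names = ("version", "device_vendor", "device_product", "device_version",
             "signature_id", "name", "severity")
    record = {k: _unescape(v) for k, v in zip(names, parts)}
    ext = parts[7] if len(parts) == 8 else ""
    record["extension"] = {k: _unescape(v) for k, v in _EXT_PAIR.findall(ext)}
    return record


def normalize_severity(raw: str) -> str:
    """Map CEF severity (0-10 or Low/Medium/High/Very-High) to four buckets,
    using the ranges the CEF specification gives for the words."""
    words = {"low": "low", "medium": "medium", "high": "high", "very-high": "critical"}
    if raw.lower() in words:
        return words[raw.lower()]
    try:
        level = int(raw)
    except ValueError:
        return "unknown"
    if level <= 3:
        return "low"
    if level <= 6:
        return "medium"
    return "high" if level <= 8 else "critical"


def map_to_alert(cef: dict) -> dict:
    """Build the normalized record; refuse alerts missing a required field
    instead of ingesting a half-populated alert that cannot be stitched."""
    alert = {
        "source": f"{cef['device_vendor']} {cef['device_product']}".strip(),
        "alert_name": cef["name"],
        "external_id": cef["signature_id"],
        "severity": normalize_severity(cef["severity"]),
    }
    for cef_key, target in FIELD_MAP.items():
        if cef_key in cef["extension"]:
            alert[target] = cef["extension"][cef_key]
    missing = [f for f in REQUIRED if not alert.get(f)]
    if missing:
        raise ValueError(f"required field(s) missing: {missing}")
    return alert


def ingest(lines):
    """Return (accepted alerts, rejected (line, reason) pairs)."""
    accepted, rejected = [], []
    for line in lines:
        cef = parse_cef(line)
        if cef is None:
            rejected.append((line, "no CEF payload"))
            continue
        try:
            accepted.append(map_to_alert(cef))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_SYSLOG)
    for alert in ok:
        print("accepted:", alert)
    for line, reason in bad:
        print("rejected:", reason, "<-", line[:60])
```

Of the three constructed lines, only the first is accepted; the second is rejected for carrying no CEF payload, and the third because its name and rt fields are empty, which is exactly the kind of gap a field mapping for a new source has to surface rather than silently pass through.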
Cortex XDR Analytics for Check Point Firewall Logs
For network deployments consisting of Check Point firewalls, or a mix of Check Point and Palo Alto Networks firewalls, you can now forward your Check Point firewall logs to Cortex XDR for analysis. This lets you take advantage of the anomalous behavior detection and investigation capabilities of Cortex XDR even if you use Check Point firewalls in your network. As with ingesting alerts from external sources, you set up a syslog collector and configure the firewall to forward its logs to the collector. Unlike external alerts, however, no additional field mapping is required to begin analyzing Check Point firewall logs and detecting threats in your network. As soon as Cortex XDR begins receiving logs from Check Point firewalls, the analytics engine applies its detectors to raise Analytics alerts on anomalous activity.
Features Introduced in September
The following sections describe the features released in September 2019.
To help you focus on the incidents that matter most, you can now create an incident starring policy that categorizes and stars incidents containing alerts that match the attributes you decide are important. After you define a policy, Cortex XDR adds a star indicator to any incident that contains alerts matching the policy. You can then sort or filter the Incidents table for starred incidents. On the Incidents Dashboard, you can also choose whether to display all incidents or only starred incidents.
The new starring policy is also reflected in the Cortex XDR APIs: the get_incidents API now includes a starred field that indicates whether an incident contains alerts matching your incident starring policy.
Features Introduced in August
The following sections describe the features released in August 2019.
Unified Cortex XDR Interface
The Cortex XDR – Investigation and Response and Cortex XDR – Analytics apps have been consolidated into a single Cortex XDR app. The new app is available from the hub under the Cortex XDR tile. To access Cortex XDR – Analytics features in the new app, you must be assigned an administrative role for Cortex XDR – Analytics.
Analytics Alert Analysis
You can now analyze Analytics and Analytics BIOC alerts in Cortex XDR. Each alert type provides a tailored analytics view to help you understand the context of the alert. This view provides an alert summary, a graphical representation of the activity that you can interact with, and any related events. From the analytics view, you can also take additional actions to respond to the alert such as initiating a live terminal or adding a malicious domain or IP address to an external dynamic list (EDL).
Cortex XDR can now identify related App-IDs for an alert. App-ID is a traffic classification system that determines what an application is, irrespective of port, protocol, encryption (SSH or SSL), or any other evasive tactic the application uses. When the application is known, you can also pivot to the Palo Alto Networks Applipedia entry that describes it. To add the App-ID column, use the column manager on the Alerts table.
URL Category Integration
Cortex XDR now shows, in the Alerts table, the URL filtering category associated with URL filtering logs. When the category is known, Cortex XDR displays the URL Filtering type.
Threat Intelligence License Truncation
Cortex XDR now truncates part of the license key on the Threat Intelligence page when you integrate additional threat intelligence sources such as AutoFocus and VirusTotal. Truncating part of the license key enables you to take screen captures or videos of the page, such as for demo purposes, without sharing your license key.
Alerts Tab Change
To streamline investigations, the Alerts page has been removed from the main Cortex XDR menu. You can now access the Alerts table only from the Incidents table or from within the investigation of an incident.