Threat hunting and response across data sources just got a little easier. Cortex XDR application and agent releases in March and April introduce an amazing array of new features to help your security team identify threats in network traffic, orchestrate response at scale and reduce the attack surface of their endpoints.
With so many new features, where do we begin? Let’s start with the network viewpoint.
Enhanced Network Visibility
Since its inception, Cortex XDR could collect network data and apply behavioral analytics and AI to uncover attacks. Now, Cortex XDR extends direct access to network data for threat hunting and custom detection rules. With Cortex XDR, you can:
- Hunt for threats or advance ongoing investigations by exploring network traffic logs.
- Create granular custom detection rules (BIOCs) based on network data.
- Quickly determine the sequence and scope of an attack by reviewing network and endpoint data together in a new investigation view.
Cortex XDR Agent Script Execution and More
There are times when your analysts may need to perform sweeping actions across multiple endpoints at once. Whether collecting endpoint information, updating settings or immediately stopping fast-spreading attacks, remote script execution provides your team a powerful tool to manage endpoints.
With Cortex XDR agent 7.1 for Windows, macOS, and Linux, you can run Python 3.7 scripts from the Cortex XDR management console and instantly see the results. A new API allows you to execute Python scripts from management and orchestration tools such as Cortex XSOAR. Out-of-the-box scripts make it easy for your team to take advantage of this powerful new feature.
Cortex XDR agent 7.1 also introduces important new features that secure your endpoints, address compliance requirements and make it easier than ever for you to replace your legacy antivirus with extended detection and response. New endpoint security features include:
- A host firewall for Windows endpoints.
- Disk encryption for Windows endpoints.
- File scanning for macOS endpoints.
- MAC address reporting.
- Full visibility into agent operational status.
MITRE ATT&CK Tagging for Alerts and BIOC Rules
To help your analysts understand attackers’ methods and objectives at each stage of an attack, Cortex XDR now displays the associated MITRE ATT&CK technique and tactic for every alert that relates to the MITRE ATT&CK framework.
Granular Role-Based Access Control (RBAC)
For fine-grained control of the individual permissions assigned to users and roles, Cortex XDR now specifies separately which views and which actions are permitted for each role. Roles are defined in the hub and allow customers to create and save new roles based on a broad set of permissions, edit role permissions, and more.
Alert and Log Forwarding from Cortex XDR
You can configure forwarding policies for alerts, management audit logs, agent audit logs and dashboard reports from the Cortex XDR application. You can also now forward alerts to Slack channels and Syslog servers, in addition to email accounts, and forward audit logs to Syslog servers.
Broker VM Enhancements
To ease the deployment of the Broker VM, you can download the Broker VM images directly from the Cortex XDR management console. The registration and configuration are managed through the following web consoles:
- Broker web console: You can configure and register the Broker VM to Cortex XDR from the web console without needing to access the Broker VM directly.
- Cortex XDR management console: You can manage Broker VM settings through the Cortex XDR management console, including tracking connectivity, editing configurations and enabling real-time monitoring.
Improved Manageability for MSSPs
Cortex XDR now allows Managed Security Services Providers (MSSPs) to easily manage security on behalf of their clients. MSSPs can now:
- Configure profiles, behavioral alert (BIOC) rules, exclusions and starred alerts for each child tenant.
- View alerts, incidents, causality cards and timelines of child tenants from the parent tenant.
- Run investigation queries on child tenants from the parent tenant.
The above features are available with the Cortex XDR agent release 7.1 and later and with Cortex XDR version 2.2 and later. In addition to the features listed above, Cortex XDR includes updates that improve usability, simplify tuning and deployment, enhance APIs, and accelerate analysts’ tasks. For a complete list of new features introduced in March and April, see the Cortex XDR release notes and the Cortex XDR agent release notes.