Cortex XDR Further Extends Network Visibility and Endpoint Control

This conceptual image illustrates the concepts of the extended network visibility and endpoint control in Cortex XDR 2.2.

Threat hunting and response across data sources just got a little easier. Cortex XDR application and agent releases in March and April introduce an amazing array of new features to help your security team identify threats in network traffic, orchestrate response at scale and reduce the attack surface of their endpoints.

With so many new features, where do we begin? Let’s start with the network viewpoint.

Enhanced Network Visibility

Since its inception, Cortex XDR could collect network data and apply behavioral analytics and AI to uncover attacks. Now, Cortex XDR extends direct access to network data for threat hunting and custom detection rules. With Cortex XDR, you can:

Hunt for threats or further investigations by exploring network traffic logs.
Create granular custom detection rules (BIOCs) based on network data.
Quickly determine the sequence and scope of an attack by reviewing network and endpoint data together in a new investigation view.

The new investigation view in Cortex XDR 2.2 displays both network and endpoint context in one place, when both types of data are available. — The Network Causality investigation view displays both network and endpoint context in one place, when both types of data are available. It reveals the endpoint activity for multiple hosts involved in an attack, simplifying analysis of adversary techniques.

Cortex XDR Agent Script Execution and More

There are times when your analysts may need to perform sweeping actions across multiple endpoints at once. Whether collecting endpoint information, updating settings or immediately stopping fast-spreading attacks, remote script execution provides your team a powerful tool to manage endpoints.

With Cortex XDR agent 7.1 for Windows, MacOS, and Linux, you can run Python 3.7 scripts from the Cortex XDR management console and instantly see the results. A new API allows you to execute Python scripts from management and orchestration tools such as Cortex XSOAR. Out-of-the-box scripts make it easy for your team to take advantage of this powerful new feature.

A screenshot of the management console in Cortex XDR 2.2 — Your analysts can easily upload and run scripts from the Cortex XDR management console.

Cortex XDR agent 7.1 also introduces important new features that secure your endpoints, address compliance requirements and make it easier than ever for you to replace your legacy antivirus with extended detection and response. New endpoint security features include:

A host firewall for Windows endpoints.
Disk encryption for Windows endpoints.
File scanning for macOS endpoints.
MAC address reporting.
Full visibility into agent operational status.

MITRE ATT&CK Tagging for Alerts and BIOC Rules

To help your analysts understand attackers’ methods and objectives at each stage of an attack, Cortex XDR now displays the associated MITRE ATT&CK technique and tactic for every alert that relates to the MITRE ATT&CK framework.

A screenshot of the dashboard that displays the top MITRE ATT&CK techniques and tactics associated with Cortex XDR alerts. — A new dashboard displays the top MITRE ATT&CK techniques and tactics associated with Cortex XDR alerts.

Granular Role-Based Access Control (RBAC)

For fine-grained control of individual permissions assigned to users and roles, Cortex XDR now separates what type of views and actions are permitted for each role. Roles are defined in the hub and allow customers to create and save new roles based on a broad set of permissions, edit role permissions, and more.

Alert and Log Forwarding from Cortex XDR

You can configure forwarding policies for alerts, management audit logs, agent audit logs and dashboard reports from the Cortex XDR application. You can also now forward alerts to Slack channels and Syslog servers, in addition to email accounts, and forward audit logs to Syslog servers.

Broker VM Enhancements

To ease the deployment of the Broker VM, you can download the Broker VM images directly from the Cortex XDR management console. The registration and configuration are managed through the following web consoles:

Broker web console: You can configure and register the Broker VM to Cortex XDR from the web console without needing to access the Broker VM directly.
Cortex XDR management console: You can manage Broker VM settings through the Cortex XDR management console, including tracking connectivity, editing configurations and enabling realtime monitoring.

Improved Manageability for MSSPs

Cortex XDR now allows Managed Security Services Providers (MSSPs) to easily manage security on behalf of their clients. MSSPs can now:

Configure profiles, behavioral alert (BIOC) rules, exclusions and starred alerts for each child tenant.
View alerts, incidents, causality cards and timelines of child tenants from the parent tenant.
Run investigation queries on child tenants from the parent tenant.

The above features are available with the Cortex XDR agent release 7.1 and later and with Cortex XDR version 2.2 and later. In addition to the features listed above, Cortex XDR includes updates that improve usability, simplify tuning and deployment, enhance APIs, and accelerate analysts’ tasks. For a complete list of new features introduced in March and April, see the Cortex XDR release notes and the Cortex XDR agent release notes.