Cortex XDR 2.6: Better Search for Better Threat Hunting

On Nov. 1, we released Cortex XDR 2.6, the latest in a series of updates that break down security silos and cross traditional product boundaries to stop ever more sophisticated attacks. Cortex XDR 2.6 introduces a groundbreaking security search engine that combines a rich query language with a deep understanding of data to bring your investigation and threat hunting capabilities to the next level.

With XQL search, we’ve brought advanced query options – traditionally only available with log management and security information and event management (SIEM) solutions – to our detection and response platform. Now, your team can search across XDR data, merge findings from multiple data sources and explore over 800 catalogued fields to find stealthy threats. Investigations that previously required multiple queries across siloed tools can be performed in a snap with XQL search.

 

Hunt Down Stealthy Threats with XQL Search

With flexible XQL search, you can unearth almost any threat using a broad set of search commands and options. XQL search allows you to find adversary tactics across the attack lifecycle and hunt down stealthy attack behaviors by constructing laser-precise queries. You can also search for indicators of compromise (IoCs) in your data to reveal malicious activity that might otherwise be virtually impossible to find.

The image shows some use cases for XQL search in Cortex XDR 2.6. These include Brute Force: Search for top 10 users with most failed logins; Lateral Movement: Search for SSH or RPC traffic from unmanaged devices; Exfiltration: Look for large uploads from legitimate tools like PowerShell & FTP; Malware: Investigate unsigned apps intalled < 5 times; and Evasion: Hunt for renamed system utilities

 

Find the Answer to Your Security Questions

To reduce response time, your team needs to quickly triage and verify alerts. With XQL search, your analysts can accelerate investigations by filtering, aggregating and editing search results. They can easily find what they’re looking for using regex and JSON syntax. They can even identify anomalies and understand the impact of attacks by reviewing past activity, including the number of events and the volume of data transfers.

 

This is a view of the XQL search feature in the Cortex XDR 2.6 management console, showing options including use dataset, use filter and use fields.
XQL Search Feature in the Cortex XDR management console

 

Get Started Quickly with Advanced Query Features

Our new search capability puts the power of XDR data at your fingertips, but it also lets you ramp up swiftly with in-product help. It offers autocomplete predictions as you type search commands. A growing library of query examples allow you to easily execute common searches.

 

A growing library of query examples allow you to easily execute common searches on XQL data.
The Cortex XDR Query Library

 

Visualize Search Results

If a picture is worth a thousand words, a chart is worth a thousand rows in a table. With XQL search, you can instantly understand trends and identify anomalies by reviewing pertinent statistics and charts. Simply display your XQL query results as charts or create new query-based widgets in the Cortex XDR dashboard to view graphical representations of your data.

Display your XQL query results as charts or create new query-based widgets in the Cortex XDR dashboard to view graphical representation of your data.
Cortex XDR charts

In addition to our new XQL query language for truly accelerated threat hunting and investigations, we have also introduced:

  • Google Cloud Platform log ingestion.
  • Host inventory for macOS and Linux operating systems.
  • New dashboard charts and widgets, including group-based widgets.
  • CyberArk authentication for Pathfinder endpoint data collection.
  • The ability to open the analysis view, the timeline view and other management pages in the same tab or in a new tab.

For a complete list of new features in Cortex XDR 2.6, see the Cortex XDR release notes. See Cortex XDR licenses to find out which features are available with Cortex XDR Prevent, Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB.

To learn more about XQL search and other recent Cortex XDR enhancements, be sure to watch the keynote sessions at Palo Alto Networks Ignite ’20.