{"id":112169,"date":"2020-06-02T12:00:22","date_gmt":"2020-06-02T19:00:22","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=112169"},"modified":"2020-07-30T19:51:19","modified_gmt":"2020-07-31T02:51:19","slug":"cortex-xdr-2-4","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/06\/cortex-xdr-2-4\/","title":{"rendered":"Cortex XDR 2.4: One Small Step for Cortex XDR, One Giant Leap for SecOps"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Close on the heels of <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/04\/cortex-network-visibility\/\"><span style=\"font-weight: 400;\">Cortex XDR 2.2 and 2.3<\/span><\/a><span style=\"font-weight: 400;\">, we are proud to announce the availability of Cortex XDR 2.4, which is jam-packed with new features that enhance detection, investigation and ease of management. From vulnerability assessment to integration with Cortex XSOAR Threat Intel Management, this release has something for everyone. We\u2019ll walk you through the highlights in this blog, but be sure to check out our <\/span><a href=\"https:\/\/docs.paloaltonetworks.com\/cortex\/cortex-xdr\/cortex-xdr-release-notes\/release-information\/features-introduced\/features-introduced-in-2020.html#iddb59f5e7-aac3-4e46-a08d-ab6f7a304416\"><span style=\"font-weight: 400;\">release notes<\/span><\/a><span style=\"font-weight: 400;\"> for all the technical details.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h4><b>Lightning Fast Investigations with Quick Launcher and Pivoting<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Every second counts during a cyberattack, and Cortex XDR is designed to make investigations as efficient as possible. To further reduce the number of clicks required to conduct your investigations, we have introduced Quick Launcher and alert pivoting. 
Now you can easily conduct common investigation tasks or initiate response actions from anywhere in the Cortex XDR management console.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Use the Quick Launcher to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Search events for host, IP address, domain and hash.<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Blacklist and whitelist processes by hash.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Add domains or IP addresses to an external dynamic list (EDL) blocklist.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Create a new IOC for an IP address, domain or hash.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Open a Live Terminal session, initiate a malware scan or isolate an endpoint.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">You can simply highlight values such as IP addresses or file names in the Cortex XDR management console to pre-populate a query in the Quick Launcher \u2013 avoiding the extra steps of copying and pasting values and navigating to the Query Builder.<\/span><\/p>\n<figure id=\"attachment_112183\" aria-describedby=\"caption-attachment-112183\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:56.33%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-112183 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/Suspicious-ab.png\" alt=\"This screenshot shows the Quick Launcher feature in Cortex XDR 2.4\" width=\"900\" height=\"507\" \/><\/span><\/div><figcaption id=\"caption-attachment-112183\" class=\"wp-caption-text\">The Quick Launcher can be opened from any page using a shortcut key or the Quick Launcher 
icon in the navigation menu.<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">From the Quick Launcher, you can open the IP View or Hash View to display the essential details you need to know about IP addresses and hashes on one screen. From the IP view, you can view threat intelligence, geolocation and network information as well as related incidents involving the IP address. The Hash View reveals recent process executions, threat intelligence data, and associated incidents and response actions.\u00a0 You can also easily navigate to related incidents for further analysis.<\/span><\/p>\n<figure id=\"attachment_112196\" aria-describedby=\"caption-attachment-112196\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:56.56%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-112196 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/showing-top3.png\" alt=\"This screenshot shows the IP View in Cortex XDR 2.4\" width=\"900\" height=\"509\" \/><\/span><\/div><figcaption id=\"caption-attachment-112196\" class=\"wp-caption-text\">The IP View provides you with rich context about IP addresses you wish to investigate.<\/figcaption><\/figure>\n<figure id=\"attachment_112209\" aria-describedby=\"caption-attachment-112209\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:56.33%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-112209 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/Hash-view.png\" alt=\"This screenshot shows the Hash View in Cortex XDR 2.4\" width=\"900\" height=\"507\" \/><\/span><\/div><figcaption id=\"caption-attachment-112209\" class=\"wp-caption-text\">The Hash View displays essential details about processes and files to expedite 
investigations.<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">To make investigating attacks easier, Cortex XDR 2.4 supports:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><b>Pivoting between alerts, rules, and incidents<\/b><span style=\"font-weight: 400;\"> \u2013 You can now pivot from an IOC or BIOC rule to the alerts it triggered with a single click, simplifying investigation workflows. You can also pivot from an alert to its related incident.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Alert table enhancements<\/b><span style=\"font-weight: 400;\"> \u2013 You can view, sort and filter endpoint alerts by MAC address, domain and endpoint operating system, and network alerts by App-ID category, email subject, URL and more.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Remote Procedure Call (RPC) visibility <\/b><span style=\"font-weight: 400;\">\u2013 When analyzing alerts, you can see whether local or remote processes used RPC requests or code injection to initiate events in other processes. These insights can quickly expose malicious activity that hides behind a legitimate process. <\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h4><b>Integration with Cortex XSOAR Threat Intel Management<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Spotting indicators of compromise can help you quickly find and root out adversaries. A new API in Cortex XDR 2.4 lets you ingest threat intelligence feeds from third-party sources in JSON and CSV formats. In addition, native integration with Cortex XSOAR Threat Intel Management gives you granular control over which indicators are passed to Cortex XDR for IOC-based detection. Matching those indicators against the data Cortex XDR already collects surfaces threats that would otherwise stay hidden. 
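<\/span><\/p>
<p><span style=\"font-weight: 400;\">As an added example, not code from the original post or from Cortex XDR: a small ingester for third-party feeds in the two formats the post names, JSON and CSV. It classifies each entry as an IP address, a domain or a hash, canonicalizes it, drops entries that are none of these, and de-duplicates across feeds while recording which feed supplied each indicator. The feed layouts, the CSV column name and the sample indicators are constructed for the example; the Cortex XDR API has its own request format, which the release notes document.<\/span><\/p>
```python
import csv
import io
import ipaddress
import json
import re

# Added example, not Cortex XDR code. The feed layouts and column name below are
# assumptions: third-party feeds differ, and the Cortex XDR IOC API has its own schema.
_DOMAIN_RE = re.compile(r'^(?=.{4,253}$)[a-z0-9-]+([.][a-z0-9-]+)*[.][a-z]{2,}$')
_HASH_RE = re.compile(r'^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$')


def classify(raw):
    '''Return (kind, canonical_value) for an IP, domain or MD5, SHA-1 or SHA-256 hash, else None.'''
    if not isinstance(raw, str):
        return None
    value = raw.strip().lower().rstrip('.')   # case-fold, drop a trailing FQDN dot
    if not value:
        return None
    try:
        # IPs before domains: a dotted quad could otherwise pass as a domain
        return 'ip', str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HASH_RE.match(value):
        return 'hash', value
    if _DOMAIN_RE.match(value):          # last label must be alphabetic, so 999.1.1.1 is rejected
        return 'domain', value
    return None


def parse_json_feed(text, source):
    '''Assumed layouts: a JSON list of strings, a list of objects with a value field,
    or an object holding an indicators list. Returns (raw_value, source) pairs.'''
    data = json.loads(text)
    items = data.get('indicators', []) if isinstance(data, dict) else data
    return [(it.get('value') if isinstance(it, dict) else it, source) for it in items]


def parse_csv_feed(text, source, column='indicator'):
    '''Assumed layout: CSV with a header row; indicators come from one named column.'''
    return [(row.get(column), source) for row in csv.DictReader(io.StringIO(text))]


def merge_feeds(pairs):
    '''Classify, canonicalize and de-duplicate across feeds.
    Returns ({'ip': {value: {sources}}, 'domain': {...}, 'hash': {...}}, rejected_count).'''
    merged = {'ip': {}, 'domain': {}, 'hash': {}}
    rejected = 0
    for raw, source in pairs:
        hit = classify(raw)
        if hit is None:
            rejected += 1             # malformed or unsupported entry: never let it into a blocklist
            continue
        kind, value = hit
        merged[kind].setdefault(value, set()).add(source)
    return merged, rejected


# Constructed sample feeds, not real intelligence; 198.51.100.0 is RFC 5737 documentation space.
SAMPLE_JSON_FEED = json.dumps({'indicators': [
    {'value': '198.51.100.7', 'type': 'ipv4'},
    {'value': 'Payload.Bad.Example.'},
    {'value': 'D41D8CD98F00B204E9800998ECF8427E'},
    {'value': 'not an indicator'},
]})
SAMPLE_CSV_FEED = '''indicator,confidence
198.51.100.7,high
bad.example,medium
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,high
,low
'''


def demo():
    pairs = parse_json_feed(SAMPLE_JSON_FEED, 'vendor-a') + parse_csv_feed(SAMPLE_CSV_FEED, 'vendor-b')
    return merge_feeds(pairs)


if __name__ == '__main__':
    merged, rejected = demo()
    for kind, values in merged.items():
        for value, sources in sorted(values.items()):
            print(kind, value, ','.join(sorted(sources)))
    print('rejected:', rejected)
```
<p><span style=\"font-weight: 400;\">A feed accepted without this kind of validation is a way for junk, or a typo in a vendor export, to land in your blocklists, so the rejected count is worth alerting on when it jumps between pulls.<\/span><\/p>
<p><span style=\"font-weight: 400;\">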
Integration with Cortex XSOAR is expected to be available on June 9.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h4><b>Vulnerability Assessment<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">With thousands of new vulnerabilities reported every year, many security teams struggle to find and assess the vulnerabilities in their organizations. Cortex XDR 2.4 helps by identifying and prioritizing the vulnerabilities on your endpoints. From the Cortex XDR management console, you can view the vulnerabilities detected on your Linux endpoints by CVE or by host.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Additionally, Cortex XDR lists all applications installed on your Windows and Linux endpoints and flags those with known CVEs, giving you an application inventory of your network.<\/span><\/p>\n<p><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:56.33%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter wp-image-112222 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/Vuln-assess.png\" alt=\"This screenshot shows the vulnerability assessment view in Cortex XDR 2.4\" width=\"900\" height=\"507\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">To help you judge vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the <\/span><a href=\"https:\/\/nvd.nist.gov\/\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">NIST National Vulnerability Database<\/span><\/a><span style=\"font-weight: 400;\">, including its CVSS severity score and metrics. A CVSS base score describes generic severity, so weigh it together with the host\u2019s exposure when deciding what to patch first.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h4><b>Okta and Azure Active Directory Log Support<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Authentication logs let you uncover unusual user activity, such as credential abuse. 
By searching for suspicious activity, such as a user signing in from an IP address outside your organization\u2019s ranges, you can track down user-based attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In addition to Kerberos and Windows Event Logs, Cortex XDR now collects authentication data from Okta and Microsoft Azure Active Directory. It automatically normalizes the logs from both cloud authentication services into a common schema and lets you query and review authentication sessions. You can hunt for and investigate threats by searching through authentication logs with the Query Builder or text-based queries.<\/span><\/p>\n<figure id=\"attachment_112235\" aria-describedby=\"caption-attachment-112235\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:69.67%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-112235 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/SaaS-log.png\" alt=\"This screenshot shows the SaaS Log Collection View in Cortex XDR 2.4\" width=\"900\" height=\"627\" \/><\/span><\/div><figcaption id=\"caption-attachment-112235\" class=\"wp-caption-text\">Configuration to collect authentication logs from Microsoft Azure Active Directory.<\/figcaption><\/figure>\n<h4><b>Supercharged Threat Hunting<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Our Query Builder is an intuitive search tool, allowing analysts of all skill levels to conduct investigations without needing to learn a new query language. However, experienced threat hunters may want to write queries quickly and use more complex parameters, such as wildcards and regular expressions. 
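<\/span><\/p>
<p><span style=\"font-weight: 400;\">The hunt the Okta and Azure Active Directory section describes, as an added example that is not part of the original post and not Cortex XDR code: constructed Okta System Log and Azure AD sign-in events are normalized to one schema, then checked for sign-ins from outside the organization\u2019s address ranges and for a success that follows a failure from the same external IP. A shell-style glob stands in for the text-query filter ip != 10.0.* shown in the next section. The Okta and Azure AD field names, the internal address ranges and the sample events are assumptions made for the example; check them against your own exports.<\/span><\/p>
```python
import ipaddress
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample events (not real logs). Field names follow the public Okta
# System Log and Azure AD sign-in log layouts as far as this example knows them;
# treat them as assumptions. IPs are from RFC 5737 documentation ranges.
OKTA_LINES = [json.dumps(e) for e in [
    {'eventType': 'user.session.start', 'published': '2020-06-01T08:02:11.000Z',
     'actor': {'alternateId': 'alice@example.test'},
     'client': {'ipAddress': '10.0.12.34'}, 'outcome': {'result': 'SUCCESS'}},
    {'eventType': 'user.session.start', 'published': '2020-06-01T08:05:40.000Z',
     'actor': {'alternateId': 'alice@example.test'},
     'client': {'ipAddress': '203.0.113.9'}, 'outcome': {'result': 'SUCCESS'}},
    {'eventType': 'user.session.start', 'published': '2020-06-01T08:06:02.000Z',
     'actor': {'alternateId': 'bob@example.test'},
     'client': {'ipAddress': '203.0.113.9'},
     'outcome': {'result': 'FAILURE', 'reason': 'INVALID_CREDENTIALS'}},
]]
AAD_LINES = [json.dumps(e) for e in [
    {'createdDateTime': '2020-06-01T08:07:15Z', 'userPrincipalName': 'carol@example.test',
     'ipAddress': '10.0.7.8', 'status': {'errorCode': 0}},
    {'createdDateTime': '2020-06-01T08:09:30Z', 'userPrincipalName': 'carol@example.test',
     'ipAddress': '198.51.100.77', 'status': {'errorCode': 50126}},
    {'createdDateTime': '2020-06-01T08:09:41Z', 'userPrincipalName': 'carol@example.test',
     'ipAddress': '198.51.100.77', 'status': {'errorCode': 0}},
]]

# Assumed internal ranges; in practice list your own office, VPN and cloud egress ranges
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def _epoch(ts):
    '''Parse an ISO-8601 UTC timestamp, with or without fractional seconds.'''
    base = ts.rstrip('Z').split('.')[0]
    return datetime.strptime(base, '%Y-%m-%dT%H:%M:%S').replace(tzinfo=timezone.utc).timestamp()


def normalize_okta(line):
    e = json.loads(line)
    return {'source': 'okta.sso', 'ts': _epoch(e['published']), 'user': e['actor']['alternateId'],
            'ip': e['client']['ipAddress'], 'success': e['outcome']['result'] == 'SUCCESS'}


def normalize_aad(line):
    e = json.loads(line)
    return {'source': 'azure_ad', 'ts': _epoch(e['createdDateTime']), 'user': e['userPrincipalName'],
            'ip': e['ipAddress'], 'success': e['status']['errorCode'] == 0}


def load_events():
    '''Both vendors' events in one schema: source, ts, user, ip, success.'''
    return [normalize_okta(line) for line in OKTA_LINES] + [normalize_aad(line) for line in AAD_LINES]


def query(events, source=None, ip_not_glob=None):
    '''Approximates a text query of the form  <source> AND ip != <glob>  with shell-style globbing.'''
    return [e for e in events
            if (source is None or e['source'] == source)
            and (ip_not_glob is None or not fnmatchcase(e['ip'], ip_not_glob))]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_signins(events):
    '''Sign-in attempts from addresses outside INTERNAL_NETS, successful or not.'''
    return [e for e in events if is_external(e['ip'])]


def success_after_failure(events, window=600):
    '''A successful sign-in preceded within window seconds by a failure for the same
    user from the same external IP: a cheap signal for guessed or sprayed credentials.'''
    ordered = sorted(events, key=lambda e: e['ts'])
    hits = []
    for i, ev in enumerate(ordered):
        if not ev['success'] or not is_external(ev['ip']):
            continue
        if any(p['user'] == ev['user'] and p['ip'] == ev['ip'] and not p['success']
               and ev['ts'] - p['ts'] <= window for p in ordered[:i]):
            hits.append(ev)
    return hits


if __name__ == '__main__':
    evs = load_events()
    for e in query(evs, source='okta.sso', ip_not_glob='10.0.*'):
        print('okta.sso, ip not 10.0.*:', e['user'], e['ip'], 'success' if e['success'] else 'failure')
    for e in success_after_failure(evs):
        print('success after failure from external IP:', e['user'], e['ip'])
```
<p><span style=\"font-weight: 400;\">Two things the sample shows that a one-line filter hides: a glob such as 10.0.* is only as good as your knowledge of your own ranges (a VPN pool or cloud NAT address that is missing from the list shows up as an external sign-in), and a lone external success is weak evidence on its own, while a success that follows a failure from the same address for the same user is worth an analyst\u2019s time.<\/span><\/p>
<p><span style=\"font-weight: 400;\">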
In Cortex XDR 2.4, these power users can execute simple or complex text-based queries to search across all their data in Cortex XDR.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With Native Search, currently available as a beta feature, you can query any information you want, or copy, edit and paste previous queries. As you type a query, Native Search autocompletes fields based on the known log fields. You can also use regex and wildcards in your queries and string multiple queries together.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h6><span style=\"font-weight: 400;\">Examples of text-based queries include:<\/span><\/h6>\n<ul>\n<li style=\"font-weight: 400;\"><b>network connections <\/b><span style=\"color: #800080;\"><b>AND<\/b><\/span><b> palo alto networks.app id <\/b><span style=\"color: #3366ff;\"><b>=<\/b><\/span><b> facebook<\/b><\/li>\n<li style=\"font-weight: 400;\"><b>okta.sso <\/b><span style=\"color: #800080;\"><b>AND<\/b><\/span><b> ip <\/b><span style=\"color: #3366ff;\"><b>!=<\/b><\/span><b> 10.0.*<\/b><\/li>\n<li style=\"font-weight: 400;\"><b>palo alto networks.file create.file name <\/b><span style=\"color: #3366ff;\"><b>=~<\/b><\/span><b> \".+?\"<\/b><\/li>\n<li style=\"font-weight: 400;\"><b>cortex xdr agent <\/b><span style=\"color: #800080;\"><b>AND<\/b><\/span><b> palo alto networks.dst process name <\/b><span style=\"color: #800080;\"><b>CONTAINS<\/b><\/span><b> chrome<\/b><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Each example names a data source (network connections, okta.sso, cortex xdr agent) and joins field conditions with AND; != excludes a wildcard pattern, CONTAINS matches a substring, and =~ matches a regular expression, which in the third query is any non-empty file name.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(If you prefer that Unit 42 experts track down threats for you, check out the recently announced <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/05\/cortex-xdr-managed-threat-hunting\/\"><span style=\"font-weight: 400;\">Cortex XDR Managed Threat Hunting<\/span><\/a><span style=\"font-weight: 400;\"> service.)<\/span><\/p>\n<p>&nbsp;<\/p>\n<h6><span style=\"font-weight: 400;\">But that\u2019s not all\u2026Cortex XDR 2.4 also 
includes <\/span><i><span style=\"font-weight: 400;\">even more<\/span><\/i><span style=\"font-weight: 400;\"> enhancements:<\/span><\/h6>\n<ul>\n<li style=\"font-weight: 400;\"><b>Interactive Script Execution <\/b><span style=\"font-weight: 400;\">\u2013 You can now initiate scripts in Interactive Mode to run multiple scripts on pre-defined endpoints, track the execution progress and view the results in real time.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>APIs <\/b><span style=\"font-weight: 400;\">\u2013 New API fields and values provide you with better visibility and control over endpoint scans as well as blacklisted and whitelisted hashes.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>MSSP Management<\/b><span style=\"font-weight: 400;\"> \u2013 MSSPs can quickly investigate and hunt for threats in their customers\u2019 environments by executing searches in the Query Builder across multiple Cortex XDR tenants at once.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Broker Service <\/b><span style=\"font-weight: 400;\">\u2013 You can now securely access the Broker VM over SSH with public-key authentication.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">For a complete list of new features in Cortex XDR 2.4 see the <\/span><a href=\"https:\/\/docs.paloaltonetworks.com\/cortex\/cortex-xdr\/cortex-xdr-release-notes\/release-information\/features-introduced\/features-introduced-in-2020.html#iddb59f5e7-aac3-4e46-a08d-ab6f7a304416\"><span style=\"font-weight: 400;\">Cortex XDR release notes<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cortex XDR 2.4 is packed with features that enhance detection, investigation and ease of management, from vulnerability assessment to integration with Cortex XSOAR Threat Intel 
Management.<\/p>\n","protected":false},"author":370,"featured_media":112170,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6770],"tags":[6737,4069,673,635],"coauthors":[3907],"class_list":["post-112169","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-future","tag-cortex-xdr","tag-secops","tag-security-operations-center","tag-soc","sec_ops_category-product-features"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/06\/Cortex-fire.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/370"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=112169"}],"version-history":[{"count":8,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112169\/revisions"}],"predecessor-version":[{"id":117068,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112169\/revisions\/117068"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/112170"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=112169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
ps:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=112169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=112169"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=112169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}