Previous Release Notes for Cisco XDR in 2025

Release Date: August 13, 2025

New Features and Updates

Note: Only sections with new customer-facing features or updates in this release are listed below.

Feature

Description

Help Topic

Default value in JSONPath query

Now you have the option to set a default value for the result of a JSONPath query. We’ve added Override with specified value if query doesn't return a result within the properties of the query activity. Enable the option under the query and you can provide a value matching the data type to be used as a fallback in case the query returns no result. The result no longer being empty can help prevent the workflow from failing if downstream logic is expecting a consistent structure.

JSONPath Query

Object and array data types in JSONPath and XPath queries

We’ve added support for both object and array data types to the JSONPath Query and XPath Query core activities. Now both Object and Array are available in the Property Type drop-down menu.

JSONPath Query

XPath Query

Help update

Added new OVA file information to Configure and Deploy the Virtual Appliance in the Remote Setup and Deployment topic.

Remote Setup and Deployment

Release Date: July 30, 2025

New Features and Updates

Note: Only sections with new customer-facing features or updates in this release are listed below.

Feature

Description

Help Topic

Investigate observables added to Observables drawer in incident details

You can now select up to 200 observables in the Observables drawer on the Overview page and click Investigate observables to start a new investigation for the selected observables in a new tab.

Overview

Tasks tab added to the Playbooks page

The Tasks tab has been added to the Playbooks page and it allows you to view and manage tasks within your organization. You can create and add custom tasks to custom playbooks.

When creating or editing a playbook, you now select the tasks you want to add to the playbook from the new Tasks drawer.

Tasks

Playbooks List

Playbooks

Editor tab renamed to Playbooks on the Playbooks page

The previous Editor tab on the Playbooks page has been renamed to Playbooks.

Playbooks List

Apply and Cancel buttons removed from Filters drawer

The Apply and Cancel buttons have been removed from the Filters drawer on the Incidents page. The filter criteria is now automatically applied and the incidents list refreshes as you select the filter criteria.

Incidents

Feature

Description

Help Topic

Add a workflow to the Tasks tab

Now you can add a validated workflow with an intent of either Incident Response or Playbook directly to the tasks on the Playbooks page.

When creating or editing a workflow using the Workflow Editor, click Share and choose Add to Playbook Task Catalog.

Workflow Editor

Playbooks

Help update

Added a note to the SMTP Endpoint Target topic to explain why it no longer works for Gmail accounts.

SMTP Endpoint Target

Feature

Description

Help Topic

Help update

The following update has been made to the Help:

  • Added a note to the Devices topic to explain that it can take up to 15 minutes for new or updated rules to be applied to existing devices.

Devices

Feature

Description

Help Topic

Help update

The following update has been made to the Help:

  • Added a note to the Deployment Management topic to clarify that Cisco Support does not assist with troubleshooting third-party software management tools.

Deployment Management

Feature

Description

Help Topic

Google Chronicle renamed to Google SecOps

The Google Chronicle integration has been renamed to Google SecOps.

Help updates

The following updates have been made to the Help:

  • The following integration topics have been updated to include Detection findings in the What's Next section: Secure Endpoint Integration, Secure Network Analytics Integration, Secure Email Threat Defense Integration, Secure Access Integration, CrowdStrike Falcon Integration, Microsoft Defender for Endpoint Integration, Microsoft Defender for Office 365 Integration, SentinelOne Singularity Integration, and Proofpoint Threat Protection Integration.

  • The Google SecOps integration has been tested and certified by Cisco Quality Assurance labs and it has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as supported third-party integration in Cisco XDR.

  • Updated the Cisco Identity Intelligence Integration topic to include a list of supported integrations.

  • Updated the Configure GCP to Generate VPC Flow Logs and Enable APIs section of the Google Cloud Platform Integration topic.

Secure Endpoint Integration

Secure Network Analytics Integration

Secure Email Threat Defense Integration

Cisco Secure Access Integration

CrowdStrike Falcon Integration

Microsoft Defender for Endpoint Integration

Microsoft Defender for Office 365 Integration

SentinelOne Singularity Integration

Proofpoint Threat Protection Integration

Google SecOps Integration

Cisco Identity Intelligence Integration

Google Cloud Platform Integration

Feature

Description

Help Topic

MITRE tactic updates in ribbon

The MITRE TTP widget in the upper right corner of an incident in the incidents app in ribbon is now a MITRE tactic tag. Click the tag to open the MITRE Tactics popup to view a list of tactics and techniques impacting the incident.

Incidents App

Release Date: July 16, 2025

New Features and Updates

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Events table updates on the Detection page

The following updates have been made to the Events tab on the Detection page in incident detail:

  • You can now drag column headers to reorder the columns.

  • The new (Settings) icon has been added to the events table for customizing the columns.

Detection

Feature

Description

Help Topic

Events table updates on the Investigation Results page

The following updates have been made to the Events tab on the Investigation Results page in incident detail:

  • You can now drag column headers to reorder the columns.

  • The new (Settings) icon has been added to the events table for customizing the columns.

Events

Investigation Results

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Runs page

The Runs page has been redesigned and improved to streamline the process of finding, inspecting, and troubleshooting executions of workflows in your environment.

Runs

Webhook API key

To improve security, the API key for webhooks has been moved from the webhook URL to the new x-automate-api-key header.

Webhooks

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: July 7, 2025

New Features and Updates

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Risk score enhancements

Improvements have been made to the TTP-based risk of financial loss used to calculate the risk scores for techniques displayed on the MITRE ATT&CK® Coverage Map page. This update reflects the latest insight into cyber risks and losses and it leverages a comprehensive new dataset, encompassing over 90,000 cyber incidents, and derived from credible and publicly verifiable sources. By integrating new data on risk into the assessment, the updated score provides a more precise and contextualized evaluation of threats. Over 110 MITRE TTP risk score values have been revised to align with the current threat landscape, resulting in an improved risk score and more effective incident prioritization tailored to today's risks.

View issues menu option removed from Options menu in dashboard card

The View issues menu option has been removed from the Options menu when you click the (Ellipsis) icon in the upper right corner of the dashboard card. You can continue to view issues using the View API information option in the Options menu.

Dashboard and Card Settings

Help update

The following update has been made to the Help:

  • Added dashboard cards for the Red Sift Pulse integration to the Integration Cards topic.

Integration Cards

Feature

Description

Help Topic

Delete incident dialog box update

The dialog box that appears when you delete an incident has been updated with a new Confirm Delete title and the check box to confirm the deletion before you can click Delete has been removed.

Incidents

Execute button update on Response page

The Execute button in the observables drawer on the Response page has been moved from the upper portion of the drawer to the lower portion of the drawer.

Response

Incident priority score enhancements

Improvements have been made to the TTP-based risk of financial loss used to calculate the priority score for new incidents after the 2.45 (July 7th, 2025) release. This update reflects the latest insight into cyber risks and losses and it leverages a comprehensive new dataset, encompassing over 90,000 cyber incidents, and derived from credible and publicly verifiable sources. By integrating new data on risk into the assessment, the updated score provides a more precise and contextualized evaluation of threats. Over 110 MITRE TTP risk score values have been revised to align with the current threat landscape, resulting in an improved incident priority score and more effective incident prioritization tailored to today's risks.

Last seen added to Event drawer

The Event drawer on the Detection page in incident details now displays the Last seen date and time, if applicable.

Detection

Help updates

The following updates have been made to the Help:

  • Updated the Group/Ungroup graph control description in the Overview topic.

  • Updated the Incidents topic to remove an outdated note.

Overview

Incidents

Feature

Description

Help Topic

Last seen added to Event drawer

The Event drawer on the Investigation Results page now displays the Last seen date and time, if applicable.

Events

Feature

Description

Help Topic

Judgments table updates

The Reason column has been removed from the judgments table in the Judgments tab, and the Confidence column has been added to the table. It displays the confidence level of the system that produced the data of its accuracy.

Judgments

Help updates

The following updates have been made to the Help:

  • Updated screenshots in the following topics to align with the UI: Intelligence, Judgments, Indicators, Events, and Feeds.

Intelligence

Judgments

Indicators

Events

Feeds

Feature

Description

Help Topic

Help updates

These updates have been made to the Help:

  • Added a link to Cisco XDR Connect to the Atomic Actions topic.

  • Added a link to Cisco XDR Learning Labs to the Frequently Asked Questions topic.

  • Added Remote package file name information to the Remote Setup and Deployment topic.

Atomic Actions

Frequently Asked Questions

Remote Setup and Deployment

Feature

Description

Help Topic

User Details drawer

User names and email addresses included in the Users seen column on the Devices page, the Users section of the Device Details drawer, and the Associated users on the Device Overview tab on the Device Details page now open the User Details drawer to provide a summary of the selected user's information.

Devices

Device Overview

Google Cloud Platform support

The Google Cloud Platform third-party integration is now supported source for the Devices page.

Devices

Google Cloud Platform Integration

Help updates

The following updates have been made to the Help:

  • Added Google Cloud Platform to the Sources topic.

  • Updated screenshots in the Users and User Details topics to align with the UI.

Sources

Users

User Details

Feature

Description

Help Topic

Help update

The following update has been made to the Help:

  • Added a note to the Deployment Management topic to clarify if your endpoint does not have OpenGL installed, you will need to install the deployment using -q in the command line.

Deployment Management

Feature

Description

Help Topic

On-Premises Appliances page updates

The previous Generate Token and Delete icons in the Actions column are now menu items when you click the new (Ellipsis) icon in the Actions column.

On-Premises Appliances

Feature

Description

Help Topic

Google Cloud Platform integration added to Integrations page

The Google Cloud Platform integration has been added to the Third-Party tab on the Integrations page. Cisco XDR consumes network traffic data, including Virtual Private Cloud (VPC) flow logs, from your Google Cloud Platform (GCP) public cloud network. It then performs dynamic entity modeling by running analytics on that data to detect threats and indicators of compromise. Cisco XDR consumes VPC flow logs directly from your GCP account using across-account IAM service account with the proper permissions.

If you have an existing Google Cloud Platform integration through Secure Cloud Analytics, you will continue to ingest the configured Virtual Private Cloud (VPC) flow logs. However, you will not be able to update your GCP service account credentials using the Secure Cloud Analytics portal. We recommend moving your GCP integration configuration to Cisco XDR to take advantage of the Workload Identity Federation (WIF) credentials, and then deleting the integration in Secure Cloud Analytics to avoid duplicate data ingestion.

Cisco and Third-Party Integrations and Supported Capabilities

Google Cloud Platform Integration

Attack Surface Management integration removed from Integrations page

The Attack Surface Management integration has been removed from the Cisco tab on the Integrations page due to the End-of-Life announcement of Cisco Attack Surface Management. For more information, see End-of-Sale and End-of-Life Announcement for the Cisco Attack Surface Management (formerly known as Secure Cloud Insights).

If you have an existing Attack Surface Management integration configured, you can continue to access the dashboard cards in Control Center.

Cisco and Third-Party Integrations and Supported Capabilities

Help updates

The following updates have been made to the Help:

  • The following integration topics have been added to the Cisco XDR help: Microsoft Graph Security API Integration, Microsoft Intune Integration, PagerDuty Integration, Rubrik Security Cloud Integration, ServiceNow Integration, Omnissa Workspace ONE UEM Integration, xMatters Integration, MISP Integration, Graylog Cloud Integration, Palo Alto Networks Firewalls with Strata Logging Service Integration, Palo Alto Networks Cortex XDR Integration, Radware Cloud DDoS Protection Service Integration, Radware Cloud WAF Service Integration, Red Sift Pulse Integration, and Trend Vision One Integration. The link to the topic has been added to the Cisco and Third-party Integrations and Supported Capabilities topic.

  • The Attack Surface Management Integration topic has been removed from the Cisco XDR help.

  • The MISP and Graylog Cloud integrations have been tested and certified by Cisco Quality Assurance labs and they have been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as supported third-party integrations in Cisco XDR.

  • Updated the Dashboard column from No to Yes for the Red Sift Pulse integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • Updated the Cisco and Third-party Integrations and Supported Capabilities topic to include a note to follow the configuration steps for any of the integrations.

Cisco and Third-Party Integrations and Supported Capabilities

Microsoft Graph Security API Integration

Microsoft Intune Integration

PagerDuty Integration

Rubrik Security Cloud Integration

ServiceNow Integration

Omnissa Workspace ONE UEM Integration

xMatters Integration

MISP Integration

Graylog Cloud Integration

Palo Alto Networks Firewalls with Strata Logging Service Integration

Palo Alto Networks Cortex XDR Integration

Radware Cloud DDoS Protection Service Integration

Radware Cloud WAF Service Integration

Red Sift Pulse Integration

Trend Vision One Integration

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: June 18, 2025

New Features and Updates

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Display Settings drawer updates

The following updates have been made to the Display Settings drawer when you click the (Settings) icon in the incidents table:

  • The previous Select columns drawer had been renamed to Display Settings.

  • When you click Reset to defaults in the Display Settings drawer, it now resets the table column settings to its default values. Previously, it displayed all the columns in the incidents table.

 Incidents

Attack graph updates

The following updates have been made to the attack graph in incident details:

  • The Orientation icon has been replaced by the new (Layout) icon in the graph controls with the following menus: Organic, Lens, Structural, Radial, Sequential Down, Sequential Up, Sequential Right, and Sequential Left.

  • The / (Group/Ungroup) icon has been added to the graph controls. Click the Group or Ungroup icon to group or ungroup the nodes on the graph based on node conditions, node count, and user selection.

Overview

Actions Taken panel update

The Actions Taken panel in the Node drawer now displays observable data for the remedial actions, if available.

Overview

Help update

The following update has been made to the Help:

  • Updated the Incident Rules link to Incident Response Rules in the Assignment Rules topic.

Assignment Rules

Feature

Description

Help Topic

Relations graph update

The previous Sequential menu option in the graph controls when you click the (Layout) icon has been updated to Sequential Down, Sequential Up, Sequential Right, and Sequential Left.

Relations Graph

Actions Taken panel update

The Actions Taken panel in the Node drawer now displays observable data for the remedial actions, if available.

Investigation Results

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Rate limits

To preserve resources and ensure the integrity and performance of the platform, the system is allowed to process up to 50,000 events within each 24-hour period. If 100% of the daily limit is reached, any excess event is rejected, and you receive a notification event in the event history and a system notification in the XDR header stating when the limit will be reset.

Automation Rules

Help updates

These updates have been made to the Help:

  • Added how to avoid a timeout from paginated output to the Execute Terminal Command(s) topic.

  • Added a note about the upload and download activities to the File Operations topic.

  • Added the size limits for emails to the Email Rule topic.

  • Added the payload size limit for webhooks to the Webhook Rule topic.

  • Added a link to Cisco XDR Connect to the Workflows topic.

Execute Terminal Command(s)

File Operations

Email Rule

Webhook Rule

Workflows

Feature

Description

Help Topic

Google Chromebooks support

The Google Chromebooks third-party integration is now supported for device data on the Devices page.

Devices

Help updates

The following updates have been made to the Help:

  • Added Google Chromebooks to the Sources topic.

  • Renamed the VMWare Workspace One UEM integration to Omnissa Workspace ONE UEM in the Sources topic.

Sources

Feature

Description

Help Topic

Help updates

The following updates have been made to the Help:

  • Added a note to the Create Deployment topic explaining that modules with a specific release version selected in a deployment will be disabled if the version has been deprecated.

  • Added the Operating System and Architecture Support section to the Create Deployment topic.

Create Deployment

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

VMWare Workspace One UEM integration renamed to Omnissa Workspace ONE UEM

The VMWare Workspace One UEM integration has been renamed to Omnissa Workspace ONE UEM.

Cisco and Third-Party Integrations and Supported Capabilities

Google Chromebooks integration added to Integrations page

The Google Chromebooks integration has been added to the Third-Party tab on the Integrations page. Google Chromebooks run Google's Chrome OS, a lightweight operating system designed primarily for web-based applications that has cloud storage, the best of Google built-in, and multiple layers of security. The Google Chromebooks integration allows you to retrieve enrolled ChromeOS device's properties automatically from Google Cloud Platform providing visibility and detections for this device type.

Cisco and Third-Party Integrations and Supported Capabilities

Google Chromebooks

Slack integration scopes updated on Slack integration page

The required scopes for the Slack integration on the Integrations page have been updated to include additional scopes needed for the notification feature. If you have an existing Slack integration configured, you must update the scopes for your Slack app to match the scopes listed for the Slack integration in Cisco XDR. After you update the scopes, you will need to reinstall the Slack app to your workspace to allow the new scopes to take effect. For details, including the updated scopes list, see the Integration Guide area on the Slack integration page in Cisco XDR.

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: May 28, 2025

New Features and Updates

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

System Status area removed from User Profile

The System Status area has been removed from the User Profile drop-down list in the upper right corner of the Cisco XDR header.

Navigate Cisco XDR

Feature

Description

Help Topic

Dashboard card enhancements

The following UI enhancements have been made to the cards on the Dashboards page:

  • The (Grabber) icon is now displayed when you hover over the upper left corner of the card.

  • The Refresh (Refresh) icon is now a menu option when you click the (Ellipsis) icon in the upper right corner of the card.

  • The (Expand) icon is now a menu option when you click the (Ellipsis) icon in the upper right corner of the card.

Dashboard and Card Settings

Default Cards

Secure Client integration cards renamed in Customize Dashboards

The following cards for the Secure Client integration have been renamed in the Customize Dashboards dialog box:

  • The previous Computer Summary card has been renamed to Cloud Management Failures Summary.

  • The previous Unified Connector Stats card has been renamed to Cloud Management Statistics.

Default Cards

Help updates

The following updates have been made to the Help:

  • Added the ATT&CK version number and version history link to the MITRE ATT&CK® Coverage Map topic.

  • Added links to the integration topics in the list of product integrations.

 MITRE ATT&CK® Coverage Map

Feature

Description

Help Topic

Download events in JSON format on Detections page

You can now download the events in the detections table in JSON format. Click the new Download JSON button on the Detection page in incident details.

 Detection

Feature

Description

Help Topic

Detection findings tab added to the Investigate page

You can now view all the security events generated by integrated products and the Cisco XDR native telemetry sent from the Network, Cloud, Identity, and Endpoint sources in the new Detection Findings tab on the Investigate page. The security events allow you to validate the data that is ingested by Cisco XDR for incident correlation.

When you click a security event in the list, the Detection Findings drawer opens where you can quickly view the Detection Findings and related Activities from the security event. The security event details are displayed using the Industry Standard Open Cybersecurity Schema Framework (OCSF), version 1.4.

Investigate

Detection Findings

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Help updates

The following updates have been made to the Help:

  • Added new targets for the Cisco Identity Intelligence and Splunk Enterprise integrations to the Targets Created From Integrations topic.

  • Added a new OVA file to Configure and Deploy the Virtual Appliance in the Remote Setup and Deployment topic.

  • Renamed Incident Rule to Incident Response Rule in pertinent topics.

Targets Created From Integrations

Remote Setup and Deployment

Automation Rules

Incident Response Rule

Workflow Intent

Feature

Description

Help Topic

Identity Intelligence

The Cisco Identity Intelligence integration is now supported for user data integration. Cisco Duo, Microsoft Entra ID, and more are configured in Identity Intelligence. The Users page now displays users identified by Identity Intelligence, which provides more data about the users in your organization, including users with failed checks, and users not using multi-factor authentication (MFA).

Users

User Details

Sources

Help updates

The following updates have been made to the Help:

  • Updated the Users and User Details topics for the Cisco Identity Intelligence integration support.

  • Added Cisco Identity Intelligence to the Sources topic.

Users

User Details

Sources

Feature

Description

Help Topic

Orbital module

The Orbital module is available for Windows amd64 deployments. Orbital provides endpoint visibility and control. It allows you to run queries and scripts to investigate and respond to threats.

Create Deployment

Secure Access Root Certificate module

The Cisco Secure Access Root Certificate module is available for Windows deployments. This module installs the Cisco Secure Access Root Certificate into the host computer's certificate store. A Certificate Authority (CA) signed root certificate is required where Cisco Secure Access must proxy and decrypt HTTPS traffic that requests a web resource.

Create Deployment

Help updates

The following updates have been made to the Help:

  • Updated the Create Deployment and Deployment Management topics for Orbital and Secure Access Root Certificate support.

  • Updated the screenshots in the Create Deployment, Deployment Management, and Deployments topics to align with the UI.

Create Deployment

Deployment Management

Deployments

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Splunk Enterprise integration added to the Integrations page

The new Splunk Enterprise integration has been added to the Cisco tab on the Integrations page. Splunk Enterprise is a powerful data analytics platform that allows you to collect, index, and analyze data from any source across your IT environment. It is typically deployed on-premises or in private cloud infrastructure, giving full control over data, security, and system management.

The Splunk Enterprise integration creates a target in Cisco XDR Automation for automated workflows, exports incident and other data to Splunk Enterprise using Automation workflow, and enables querying of security detections across Network Traffic, Malware, Data Loss Prevention, and Intrusion Detection CIM-compliant data for observables such as IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes.

Cisco and Third-Party Integrations and Supported Capabilities

Splunk Enterprise Integration

Cisco Identity Intelligence integration added to the Cisco tab on the Integrations page

The new Cisco Identity Intelligence integration is now available in the Cisco tab on the Integrations page. Cisco Identity Intelligence allows you to gain full visibility over all your identities. This is accomplished by bringing in a vast amount of data on identities from a range of sources including traditional identity sources like Entra ID (formerly Azure AD), Duo, and Okta, non-traditional sources like Github, Google, or Salesforce, and HR systems, such as Workday.

Cisco and Third-Party Integrations and Supported Capabilities

Cisco Identity Intelligence Integration

Help updates

The following updates have been made to the Help:

  • Updated the Asset Insights and Context column from Yes to No for the Microsoft Entra ID integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • The following integration topic has been added to the Cisco XDR help: Microsoft Entra ID Integration, Pulsedive Integration, Slack Integration, Threatscore Integration, urlscan.io Integration, and VirusTotal Integration. The link to the topic has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Microsoft Entra ID Integration

Pulsedive Integration

Slack Integration

Threatscore Integration

urlscan.io Integration

VirusTotal Integration

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: May 14, 2025

New Features and Updates

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Unknown disposition icon removed from incidents

The (Unknown) disposition icon has been removed from the attack graph nodes and observables on the Incident Detail page. No icon is displayed if the node or observable has an unknown disposition.

Navigate Cisco XDR

Overview

Incident Detail

Detection

Response

Cisco Managed tasks added to Identification phase on Response page

If applicable, the Cisco Managed tasks that are automatically generated by Cisco AI based on the observables for the incident are now displayed at the top of the list of tasks in the Identification phase on the Response page. Click the task link and an AI-generated response is displayed in a drawer. You can also add a manual note to document the response.

Response

Help updates

The following updates have been made to Help:

  • Added a note to the View AI-Generated Summary Information section in the Report topic to clarify that the endpoint data timestamp displayed is the detection time.

  • Added a link to the Incident Rule topic in the Assignment Rules topic.

Report

Assignment Rules

Feature

Description

Help Topic

Unknown disposition icon removed from investigate

The (Unknown) disposition icon has been removed from the relations graph nodes and observables on the Investigation Results page. No icon is displayed if the node or observable has an unknown disposition.

Navigate Cisco XDR

Investigation Results

Relations Graph

Assets and Observables

Feature

Description

Help Topic

Unknown disposition icon removed from intelligence

The (Unknown) disposition icon has been removed from the observables on the Intelligence page. No icon is displayed if the observable has an unknown disposition

Judgments

Indicator Detail

Feature

Description

Help Topic

Condensed display fields for input variables in atomic and child workflow properties

We've made it easier to configure and scan through input variables in atomic and child workflows. In the Workflow Editor, when you click the atomic or child workflow to view its properties, expand the Input section. We've condensed the editor windows to reduce the amount of up and down scrolling in the Properties panel.

For example, for input values in JSON format:

  • When the value is empty, just one blank line is shown, to avoid taking up unnecessary space.

  • While entering or editing the value, the field is expanded to show more lines for a better editing experience.

Workflow Editor

Feature

Description

Help Topic

Third-Party integration support

Microsoft Defender for Endpoint GCC is now a supported source for the Devices page.

Devices

Sources

Upcoming transition to Identity Intelligence for Cisco XDR user data integrations

Between April 30 and May 26, Cisco XDR User Insights integrations for Microsoft Entra ID and Duo will migrate to Identity Intelligence via Security Cloud Control. Notification emails are being sent out with important information about these changes and the necessary steps to ensure uninterrupted access to user context in User Insights.

-

Help update

The following update has been made to the Help:

  • Added Microsoft Defender for Endpoint GCC to the Sources topic.

Sources

Feature

Description

Help Topic

Windows arm64 deployments

You can now create custom deployments for Windows arm64. Cloud Management, Secure Client, and Zero Trust Access modules are supported.

Deployments

Help updates

The following updates have been made to the Help:

  • Updated the Create Deployment topic for Windows arm64 support.

  • Updated the screenshots in the Create Deployment and Device Events topics to align with the UI.

Create Deployment

Device Events

Feature

Description

Help Topic

On-Premises Appliances page updates

The following updates have been made to the On-Premises Appliances page:

  • Customize Filters icon has been renamed to Filters.

  • The (Refresh) icon is now a Refresh button to the left of the Generate Token button.

  • The (Settings) has been replaced by the Actions column name.

On-Premises Appliances

Feature

Description

Help Topic
Help updates

The following updates have been made to the Help:

  • The Sumo Logic Log Management integration has been tested and certified by Cisco Quality Assurance labs and it has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as supported third-party integration in Cisco XDR.

  • Updated the Asset Insights and Context column from No to Yes for the Microsoft Defender for Endpoint GCC integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • The following integration topics have been added to the Cisco XDR help: Microsoft Defender for Endpoint Integration, Microsoft Defender for Office 365 Integration, Microsoft Defender for Endpoint GCC Integration, and Microsoft Defender for Office 365 GCC Integration. The links to the topics have been added to the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Sumo Logic Log Management

Microsoft Defender for Endpoint Integration

Microsoft Defender for Office 365 Integration

Microsoft Defender for Endpoint GCC Integration

Microsoft Defender for Office 365 GCC Integration

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: May 1, 2025

New Features and Updates

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

High Impact Incidents card removed from Dashboards

The High Impact Incidents card for Private Intelligence has been removed from the list of available cards in the Customize Dashboards dialog box.

If the High Impact Incidents card is in an existing dashboard, a message is displayed informing you that the card is no longer available. Click Remove to remove the card from the dashboard.

Default Cards

Feature

Description

Help Topic

Incident correlation and analytics support for Cisco Secure Access integration

Security detections from Cisco Secure Access are now included in incident correlation and analytics in Cisco XDR.

Incidents

Cisco Secure Access Integration

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Filters added to Judgments tab on Intelligence page

You can now filter the list of judgments in the Judgments tab by expired judgments, private judgments created by you, disposition, observable type, severity, TLP, and source using the new Filters drawer.

The new Hide expired judgments check box has also been added above the judgments list in the Judgments tab. Check the check box to hide judgments that have an expired date and time from the judgments list.

Judgments

Judgment Detail page added to Judgments tab on the Intelligence page

You can now click the new View judgment detail button in the Judgment drawer to open the Judgment Detail page. From this page, you can view an overview of the judgment, linked indicators, and the judgment in JSON format.

Judgments

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Feature

Description

Help Topic
Help updates

The following updates have been made to the Help:

  • Updated the Detection Analytics and Correlation column from No to Yes for the Cisco Secure Access integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • The following integration topics have been added to the Cisco XDR help: Cohesity DataProtect Integration, Cybereason Integration, Darktrace /NETWORK Integration, Elastic Cloud Integration, ExtraHop Reveal(x) 360 Integration, Ivanti Neurons for MDM Integration, Jamf Pro Integration, and Jira Cloud Integration. The links to the topics have been added to the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Cisco Secure Access Integration

Cohesity DataProtect Integration

Cybereason Integration

Darktrace /NETWORK Integration

Elastic Cloud Integration

ExtraHop Reveal(x) 360 Integration

Ivanti Neurons for MDM Integration

Jamf Pro Integration

Jira Cloud Integration

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: April 16, 2025

New Features and Updates

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Help updates

The following updates have been made to the Help:

  • Updated the Secure Endpoint Configuration Insights section in the MITRE ATT&CK® Coverage Map topic to improve readability.

  • Updated the MITRE ATT&CK® Coverage Map topic with a new screenshot in the Secure Endpoint Policy Drawer section to align with the UI.

 MITRE ATT&CK® Coverage Map

Feature

Description

Help Topic

Help update

The following update has been made to the Help:

  • Updated screenshot in Incidents topic to align with the UI.

Incidents

Feature

Description

Help Topic
Help updates

The following updates have been made to the Help:

  • Updated the screenshots in the Investigate and Saved Investigations topics to align with the UI.

Investigate

Saved Investigations

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Request Approval task activity

Both the Create Approval Request and Wait For Event task activities, deprecated since release 2.36, have now been removed from Automation. Workflows using these obsoleted activities will fail. Please replace them with the Request Approval task activity.

Task Activities

Request Approval Task

Automation Remote

On May 31, 2025, Ubuntu 20.04 LTS will reach the end of its standard five-year support window. Your existing Remote configuration will continue to work. However, we recommend that you redeploy your Remote VM with our updated 6.40.0 OVA to maintain support using the newer Ubuntu 24.04 LTS. Refer to the instructions in the Automation Remote Help topic.

Automation Remote

Rate limits

To preserve system resources and ensure the integrity and performance of the platform, Automation rate limits have been updated. Refer to the Webhook API in the Workflows Help topic.

Workflows

Help update

The following additional update has been made to the Help:

  • Renamed the Cohesity Data Cloud target to Cohesity DataProtect in the Targets Created From Integrations Help topic.

Targets Created From Integrations

Feature

Description

Help Topic

Bulk action bar

A bulk action bar has been added to the Devices and Users page. Use this bar to update values and labels for one or more devices or users at the same time.

Devices

Users

Help updates

The following updates have been made to the Help:

  • Reorganized multiple sections in the Devices and Users topics for the bulk action bar update.

  • Updated the screenshots in the Devices topic to align with the UI.

Devices

Users

Feature

Description

Help Topic

Bulk action bar

A bulk action bar has been added to the Clients page. Use this bar to move multiple devices to a different deployment at the same time.

Clients

Zero Trust Access profile

You can now upload a Zero Trust Access profile to the Profiles page and select a Zero Trust Access profile when creating new deployments.

Profiles

Profile Configuration

Create Deployment

Deployments page

The Deployments page now has tabs to separate the Default Deployments and Custom Deployments.

Deployments

Help updates

The following updates have been made to the Help:

  • Updated the Move to Deployment section in the Clients topic.

  • Added Zero Trust Access to the Secure Client Profiles section of the Profile Configuration topic.

  • Added Zero Trust Access profile selection to the Create Deployment topic.

  • Updated the screenshots in the Clients, Deployments, and Create Deployment topics to align with the UI.

Clients

Profile Configuration

Create Deployment

Deployments

Feature

Description

Help Topic

API Clients page

The (View) icon has been removed from the Actions column on the API Clients page and you can now click the API client link in the list to view details of the API client.

API Clients

Feature

Description

Help Topic

Microsoft Defender for Office 365 GCC update

The Microsoft Defender for Office 365 GCC application in Microsoft Government Community Cloud (GCC) integration on the Integrations page now supports threat hunting and investigation capability. Use the Microsoft Defender for Office 365 GCC integration to search for security detections and associated indicators, reputations, and references, involving specified email addresses, URLs, email subjects, message IDs, IPs, file names, or SHA-256 hashes.

Cisco and Third-Party Integrations and Supported Capabilities

Help updates

The following updates have been made to the Help:

  • The Have I Been Pwned integration has been tested and certified by Cisco Quality Assurance labs and it has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as supported third-party integration in Cisco XDR.

  • The following integration topics have been added to the Cisco XDR help: Secure Firewall Integration, AbuseIPDB IPChecker Integration, AlienVault Open Threat Exchange Integration, MISP Integration, Check Point Quantium Smart-1 Cloud Integration, and Proofpoint Threat Protection Integration. The links to the topics have been added to the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Have I been Pwned Integration

Secure Firewall Integration

AbuseIPDB IP Checker Integration

AlienVault Open Threat Exchange Integration

MISP Integration

Check Point Quantum Smart-1 Cloud Integration

Proofpoint Threat Protection Integration

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: April 2, 2025

New Features and Updates

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Secure Endpoint Configuration Insights drawer update

To better reflect the endpoint data, the conviction mode percentages displayed in the Secure Endpoint Configuration Insights drawer on the MITRE ATT&CK® Coverage Map page have been updated to now display < 1% if the percentage is between 0% and 1%.

MITRE ATT&CK® Coverage Map

Additional Integrations update

The previous Sentinel One check box has been renamed to SentinelOne Singularity on the MITRE ATT&CK® Coverage Map page to align with the product name on the Integrations page.

MITRE ATT&CK® Coverage Map

Summary card removed from Dashboards

The Summary card for the Secure Endpoint integration has been removed from the list of available cards in the Customize Dashboards dialog box.

Integration Cards

Help updates

The following updates have been made to the Help:

  • Updated the Secure Endpoint Configuration Insights section in the MITRE ATT&CK® Coverage Map topic with a new note to specify the Secure Endpoint licensing tier required for the Orbital engine.

  • Added note to the Secure Endpoint Policy Drawer section in the MITRE ATT&CK® Coverage Map topic to ensure that the organization selected in Secure Endpoint must match the Secure Endpoint integration selected in the Secure Endpoint Configuration Insights drawer.

 MITRE ATT&CK® Coverage Map

Feature

Description

Help Topic

Incident report update

The time zone displayed within the content of the incident report on the Report page in incident detail is now based on the Date / Time Format set on the My Account page by the user viewing the report. For details on updating the time format, see My Account.

View events button removed from Attack Graph Node drawer

For performance enhancement purposes, the View events button has been removed from the Node drawer when you click a single node in the Attack Graph panel.

Overview

Help updates

The following updates have been made to the Help:

  • A note has been added to the Response and Assignment Rules topics to notify users that it may take up to a few minutes for a custom playbook to be assigned to an incident.

Response

Assignment Rules

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Suggestions based on best practices are now displayed and highlighted in the Workflow Editor

To help streamline the process and reduce the chance of errors, we're showing you available suggestions based on best practices and highlighting them in purple, during the process of creating or editing a workflow.

For instance, when creating a workflow for an incident response or playbook task, a pre-built block of actions is automatically added to the canvas. Review the suggestion and click either Dismiss or Accept:

Dismiss - Removes the block of actions and you can proceed with building the workflow.

Accept - Leaves the block of actions and you can proceed with building the workflow, including adding the activity to be performed for each observable, checking the success of that activity in the condition block, and setting the workflow result property in the condition branches to provide feedback about the execution.

For the HTTP Request activity, if you check the Continue workflow execution on failure check box in its properties, you see an inline suggestion to add an ensuing condition block and check whether the HTTP request succeeded or failed (using either the Succeeded boolean property or the Error Code to check for 404, 400, 200 and so on).

For more information on the variables used to provide information about the workflow execution, see the Workflow Result section in the Workflow Variables Help topic.

Additionally, when editing a workflow description or workflow variable description, a suggestion is displayed inline reminding you to make the description more informative and meaningful, such as including the purpose or how it should be used.

We've also added the Show inline suggestions option to the Settings drop-down menu in the Workflow Editor, so that you can enable or disable all suggestions.

Workflow Editor

Workflow Best Practices

Workflow Intent

Workflow Variables

HTTP Request Activity

Help updates

The following additional updates have been made to the Help:

  • Added steps to the setup procedure in the Automation Remote Help topic that account for what to do when a certificate expires.

  • Added new system objects for Cisco Security Cloud Control to the Atomic Actions Help topic.

  • Renamed the Cisco Defense Orchestrator target to Cisco Security Cloud Control in the Targets Created From Integrations Help topic.

Automation Remote

Atomic Actions

Targets Created From Integrations

Feature

Description

Help Topic

Device Details drawer updates

The following sources now provide additional characteristics in the Device Details drawer:

  • Cisco Duo: Trusted Endpoint

  • Microsoft Defender for Endpoint: Health Status, Risk Score, and Exposure Level

  • Orbital: Windows Security Center (Only Windows devices)

  • SentinelOne Singularity: Infected and Active Threats

Devices

Feature

Description

Help Topic

Bulk device move to deployment

We now support moving up to 500 devices at a time when moving devices to another deployment.

Clients

Feature

Description

Help Topic

My Account update

The Date / Time Format setting has been moved to the new Account Settings area on the My Account page.

My Account

Help updates

The following updates has been made to the Help:

  • Updated the API Clients topic with new View API Client and Delete API Client sections.

  • Updated the screenshot in the API Clients topic to align with the UI.

API Clients

Feature

Description

Help Topic

Cisco Defense Orchestrator integration renamed to Cisco Security Cloud Control

The Cisco Defense Orchestrator integration has been renamed to Cisco Security Cloud Control to align with the rebranding initiative for that product. The new Cisco Security Cloud Control integration name is updated on the Integrations page and all other areas that reference the integration.

Cisco and Third-Party Integrations and Supported Capabilities

Cisco Security Cloud Control Integration

Integration Cards

Help updates

The following updates have been made to the Help:

  • Added the Shodan Integration topic to the Cisco XDR help. The link to the topic has been added to the table in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • The IBM X-Force Exchange integration has been tested and certified by Cisco Quality Assurance labs and it has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as supported third-party integration in Cisco XDR.

Cisco and Third-Party Integrations and Supported Capabilities

Shodan Integration

IBM X-Force Exchange Integration

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: March 19, 2025

New Features and Updates

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Additional Integrations area added to MITRE ATT&CK® Coverage Map page

The Sentinel One check box has been added to the new Additional Integrations area on the MITRE ATT&CK® Coverage Map page. You can now view the tactics and techniques for SentinelOne Singularity if it is integrated in Cisco XDR. The Additional Integrations area is only displayed if you have SentinelOne Singularity integrated in Cisco XDR.

MITRE ATT&CK® Coverage Map

Updates to tactic and technique drawers on MITRE ATT&CK® Coverage Map page

The previous Additional Cisco coverage area in the tactic and technique drawers on the MITRE ATT&CK® Coverage Map page has been renamed to Additional coverage.

MITRE ATT&CK® Coverage Map

Card options menu update on Dashboards page

The icons have been removed from the Options menu when you click the (Ellipsis) icon in the upper right corner of a card on the Dashboards page. The previous Information, Issues, and Remove Tile menus have also been renamed to View API information, View issues, and Remove.

Dashboard and Card Settings

Customize Dashboards button renamed to Customize on Dashboards page

The previous Customize Dashboards button in the upper right corner of the Dashboards page has been renamed to Customize.

Dashboards

Configure Dashboards and Cards

Help update

The following update has been made to the Help:

  • Added a note to the Secure Endpoint Configuration Insights Drawer section on the discrepancy between the total number of endpoints displayed in Cisco XDR and Secure Endpoint.

MITRE ATT&CK® Coverage Map

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Judgments tab updates

The following updates have been made to the Judgments tab on the Intelligence page:

  • The Delete judgment button in the Judgment Details drawer has been renamed to Delete.

  • The disposition icons have been added to the observables displayed in the Judgments tab and the Judgment Details drawer.

  • The Type column has been removed from the judgments table.

Judgments

Feature

Description

Help Topic

Trigger Automation rules that match conditions when an incident's status changes

Now when an incident's status changes, the system will automatically check your Automation rules (Type = Incident Rule), and trigger those that match the specified conditions to execute their assigned workflows (Workflow Intent = Incident Response).

Now by default, a condition is added to all rules with the Incident Rule type, and the Status property is set to match all new incidents. You can edit the rule and adjust the condition or Status value as needed.

Incident Rule

Help update

The following update has been made to the Help:

  • Added new default targets for the Microsoft Government Community Cloud (GCC) integrations to the Targets Created From Integrations topic.

Targets Created From Integrations

Feature

Description

Help Topic

Device Details drawer updates

The following updates have been made to the Device Details drawer on the Devices page:

  • The Sources panel has been added and displays which sources provided data for this device.

  • The Users panel has been added and displays the users seen on this device.

  • The Characteristics panel has been added and displays whether the device is compromised, encrypted, jail broken, or supervised.

  • The Top Vulnerabilities panel has been renamed to Vulnerabilities.

Devices

Help updates

The following updates have been made to the Help:

  • Updated the View Summary of Device Details in Drawer section in the Devices topic to include the new panels.

  • Updated screenshots in the Devices topic to align with the UI.

Devices

Feature

Description

Help Topic

Cloud Management updates

A new version of cm-client(1.0.4.447) has been released with a fix related to certificate store usage on Windows to address a compatibility issue with Umbrella Encryption.

Help updates

The following updates have been made to the Help:

  • Added Network Visibility Module - XDR regional API endpoints to the Create Deployment topic.

Create Deployment

Feature

Description

Help Topic

Notifications update

The Email toggle is now enabled by default for Automation Approval and Incident Assignment notification types when you configure the notification settings in the Settings tab on the Notifications page.

Notifications

Feature

Description

Help Topic

New Microsoft Government Community Cloud (GCC) integration added to the Third-Party tab on the Integrations page in the North America region

The new Microsoft Government Community Cloud (GCC) integration is now available in the Third-Party tab on the Integrations page. This new integration is available in North America region only and it allows you to manage and maintain one set of Microsoft Government Community Cloud credentials across the following Microsoft product integrations between Cisco XDR and Microsoft products:

  • Microsoft Defender for Endpoint GCC - Microsoft Defender for Endpoint GCC is an Endpoint Detection and Response (EDR) offering. Microsoft Defender for Endpoint security events can generate and contribute to correlated incidents in Cisco XDR. In Cisco XDR, we enable Defender for Endpoint users to leverage it for incident detection functions, threat hunting and investigation features, rapid response actions to understand and defend against threats on the endpoint, and providing important device inventory context to help triage detected threats.

    Integration with Microsoft Defender for Endpoint GCC allows you to incorporate Microsoft Defender for Endpoint GCC detections into XDR's overall incident detection and correlation capabilities. Use the Defender for Endpoint GCC integration to search for security detections involving specific hostnames, machine IDs, IPs, and file hashes. Defender for Endpoint GCC can be used through Cisco XDR to isolate hosts from the network and block many types of observables, including file hashes, network resources (such as IP addresses, domains, and URLs), and certificates. This integration can be used to provide host information, including vulnerability information for use in triaging incidents and detections. It creates a target automatically in Automation for out-of-box workflows and it provides important device inventory context to help triage detected threats.

  • Microsoft Defender for Office 365 GCC - Microsoft Defender for Office 365 GCC is a cloud-based email filtering service that helps protect your organization against advanced threats delivered via email and collaboration tools, like phishing, business email compromise, and malware attacks. Integration with Microsoft Defender for Office GCC allows you to incorporate Microsoft Defender for Office 365 GCC detections into XDR's overall incident detection and correlation capabilities.

Cisco and Third-Party Integrations and Supported Capabilities

Help updates

The following updates have been made to the Help:

  • The Google Safe Browsing integration has been tested and certified by Cisco Quality Assurance labs and it has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as a supported third-party integration in Cisco XDR.

  • Added the Crowdstrike Falcon Integration and API Void Integration topics to the Cisco XDR help. The links to the topics have been added to the table in the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Google Safe Browsing Integration

Crowdstrike Falcon Integration

API Void Integration

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: March 5, 2025

New Features and Updates

No new customer-facing features or updates in this release.

Feature

Description

Help Topic
MITRE ATT&CK® Coverage Map Added a note regarding the data sources for the MITRE Map page. MITRE ATT&CK® Coverage Map
Dashboard and Card Settings Added content regarding the timeframe drop-down selectors for both the individual cards and the complete dashboard. Dashboard and Card Settings

Feature

Description

Help Topic

JSON area in Event drawer updates

The following updates have been made to the JSON area in the Event drawer on the Detection page:

  • Sighting data in JSON format is now displayed below the Copy and Download buttons.

  • Previous Export button has been renamed to Download.

Detection

Incident merge messages added to incident detail

If the incident correlation process identifies the same correlated events between multiple incidents, the newer incidents will automatically merge into the older incident and a message is displayed on the Incident Detail page for all incidents to inform the user of the incident merge activity. If the status of a newer incident is New, the status is automatically changed to Closed: Merged once it is merged into the older incident.

The merged incident activity is also added to the incident Worklog page.

Incident Detail

Worklog

Incident correlation and analytics support for Secure Network Analytics integration

The Secure Network Analytics integration now supports sending an expanded number of Secure Network Analytics alarm events to Cisco XDR for incident correlation and analytics using converged analytics.

Incidents

Secure Network Analytics Integration

Help update

Source has been removed from the Sort Incidents section in the Incidents topic.

Incidents

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Intelligence page updates

The Judgments, Indicators, Events, and Feeds pages under Intelligence in the navigation menu has been moved to the Intelligence page as tabs.

The Public and Private tabs on the previous Judgments, Indicators, and Events pages are now buttons in the upper right corner of the tabs.

Judgments

Indicators

Events

Feeds

Help updates

Various editorial updates have been made to all the topics in Intelligence, including consolidation of several topics.

Judgments

Indicators

Events

Feeds

Feature

Description

Help Topic

Notification of system event involving integration target

Now you'll receive a notification when there's a system event for an Automation target:

  • A new target has been created for an integration you've added.

  • An integration target you're using in one or more workflows has been updated.

  • An integration target you've configured is no longer valid because its corresponding integration has been deleted.

Go to the Targets page, and under the Actions table column, click Used by to display the objects such as workflows that use this target.

Notifications

Targets

Integrations

Help updates

The following updates have been made to the Help:

  • Added a detail about extended retention periods for workflow run data to the Runs topic.

  • Added more details about using variable references in workflow activities to the JSONPath Query and Execute Python Script topics.

  • Added a link to the Automation API Guide on DevNet to the Frequently Asked Questions topic.

Runs

JSONPath Query

Execute Python Script

Frequently Asked Questions

Feature

Description

Help Topic

Cisco Vulnerability Management integration support

The Cisco Vulnerability Management integration is now supported as a source for the Devices page.

Sources

Cisco Vulnerability Management Integration

Devices inventory table

The Devices inventory table now includes the Cisco Security Risk Score and Vulnerabilities identified by Cisco Vulnerability Management. You can now filter the table and create rules using the Minimum Cisco Security Risk Score.

Devices

Device Details page

The Device Details page has been updated to include tabs to access the Overview and Vulnerabilities pages. The Overview page displays everything Cisco XDR knows about a device, including device status, top five vulnerabilities, and which source provided which data. The Vulnerabilities page displays all of the vulnerabilities for the device as identified by Cisco Vulnerability Management.

Device Details

Device Overview

Vulnerabilities

Help updates

The following updates have been made to the Help:

  • Added Minimum Cisco Security Risk Score to the Filters section in the Devices topic.

  • Updated the View Summary of Device Details in Drawer section in the Devices topic to include a table with descriptions of the displayed fields.

  • Updated the View Summary of User Details in Drawer section in the Users topic to include a table with descriptions of the displayed fields.

  • Added the Device Overview and Vulnerabilities topics.

  • Added Cisco Vulnerability Management to the Sources topic.

  • Updated screenshots to align with the UI.

Devices

Users

Device Details

Device Overview

Vulnerabilities

Sources

Feature

Description

Help Topic

Deployments

The following updates have been made to Deployments:

  • The Create Deployment process has been updated to include a toggle to enable modules.

  • You can now click the (Add) icon to create or upload a new profile during the Create Deployment process. You can also click the (Refresh) icon to update the profile drop-down list.

  • UI enhancements were made to the Deployment Management page.

Create Deployment

Deployment Management

Help updates

The following updates have been made to the Help:

  • Added Secure Endpoint groups and policies note to the Move to Deployment section of the Clients topic.

  • Updated the Create Deployment topic for the new module enable toggles and create or upload profile options.

  • Updated screenshots to align with the UI.

Clients

Create Deployment

Feature

Description

Help Topic

Updates to Capabilities drop-down list on Integrations page

The following updates have been made to the Capabilities drop-down list on the Integrations page:

  • Added Automate and Data ingestion capabilities.

  • Renamed Device Insights to Assets and Dashboard Tiles to Dashboards.

Invite New Users update

You can now click Send Invite after configuring one user without clicking Add in the Invite New Users dialog box.

Users

Notifications update

The Automation System Event notification type now includes Automation target updates.

Notifications

Feature

Description

Help Topic

Endace integration added to the Third-Party tab on Integrations page

The new Endace integration has been added to the Third-Party tab on the Integrations page. Endace provides always-on hybrid cloud packet capture, delivering hard evidence to combat cybersecurity threats and proactively resolve network and IT problems. This integration provides a clickable Pivot-to-Vision URL to enrich investigations into IP observables. This provides click-through access to a pre-populated EndaceVision Investigation, which enables rapid search and drill down into the estate-wide packet level history relevant to the event under investigation.

Cisco and Third-Party Integrations and Supported Capabilities

Endace Integration

Crowdstrike integration update on the Integrations page

The Crowdstrike integration has been renamed to Crowdstrike Falcon.

Cisco and Third-Party Integrations and Supported Capabilities

Community authorship type added to Integrations page

The authorship type tag on the integration card now includes Community, if applicable.

LogRhythm and Exabeam integrations removed from Third-Party tab on Integrations page

The LogRhythm and Exabeam integrations have been removed from the Third-Party tab on the Integrations page. These integrations were with products that are no longer supported by Exabeam.

Help updates

The following updates have been made to the Help:

  • Updated tile to card in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • Updated the Asset Insights and Context column from No to Yes for the Cisco Vulnerability Management integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • Updated the Cisco Vulnerability Management Integration topic to include the new devices capability.

  • Added the Secure Malware Analytics Integration topic to the Cisco XDR help. The link to the topic has been added to the table in the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Cisco Vulnerability Management Integration

Secure Malware Analytics Integration

Feature

Description

Help Topic

Notifications update in ribbon

The Automation System Event notification type now includes Automation target updates.

Notifications

No new customer-facing features or updates in this release.

Release Date: February 19, 2025

New Features and Updates

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Secure Endpoint Configuration Insights

The new Secure Endpoint Configuration Insights feature was added to the MITRE ATT&CK® Coverage Map page. The Configuration Insights feature link is located underneath the Secure Endpoint check box.

This feature is accessed through a new drawer.  It tells users what their organization's detection coverage is, based on a given configuration for a particular Secure Endpoint engine.

MITRE Coverage Map

Incident Status by Assignment tile update

The Incident Status by Assignment tile has been updated to display the new incident statuses.

Default Cards

Help updates

The following updates have been made to Help:

  • Updated Default Tiles and Control Center topics with new screenshots to align with the UI.

  • Moved the Secure Cloud Analytics section from Integration Tiles topic to the Default Tiles topic.

  • Added section for new Secure Endpoint Configuration Insights feature.

Default Cards

Control Center

MITRE Coverage Map

Feature

Description

Help Topic

Playbook task limit update

You can now add up to 50 tasks for each response phase when you create or edit a playbook. The previous limit was 12 tasks.

Playbooks List

Download incident in JSON format

You can now download the incident and its related data in JSON format. Click the new (Ellipsis) icon in the Incidents list and choose Download JSON.

Incidents

Delete single incident

You can now click the new (Ellipsis) icon in the Incidents list and choose Delete incident to delete a single incident from the Incidents page.

Incidents

Select columns icon added to Incidents list

The new (Settings) icon has been added to the incidents table header, allowing you to customize the columns displayed in the table.

Incidents

Attack graph enhancements in incident detail

Enhancements have been made to the attack graph to improve the directionality of the arrows on the graph and the highlighting of grouped nodes.

Original sources displayed in incidents list

The Sources column in the incidents list now displays the original sources of the events contributing to incidents that are created by Cisco Secure Cloud Analytics (Cisco XDR Analytics). Previously, Cisco XDR Analytics was displayed as the source.

Incidents

Sources added to Incident drawer

The Sources panel has been added to the Incident drawer and it displays the sources or products that contributed events to the incident.

Incidents

Feature

Description

Help Topic

Relations graph enhancements in incident detail

Enhancements have been made to the relations graph to improve the directionality of the arrows on the graph and the highlighting of grouped nodes.

Feature

Description

Help Topic

Entities and Targets renamed to Observables and Assets on Events page

The Entities and Targets column headings in events table and headings in the Event Details drawer have been renamed to Observables and Assets to better align with the terminologies used in Cisco XDR.

Events

Help icons added to drawers

The (Help) icon has been added to the following drawers in Intelligence: judgments, indicators, events, and feeds. Click the (Help) icon in the lower left corner of a drawer to open the help topic for more information on the specific drawer.

Judgments

Indicators

Events

Feeds

Feature

Description

Help Topic

Request Approval task activity

Both the Create Approval Request and Wait For Event activities have been deprecated and superseded by the new Request Approval activity. The legacy activities will continue to work in existing workflows but are now read-only and not editable. Please update your workflows to use the streamlined Request Approval activity instead, so that they do not fail when the obsoleted activities are removed from Automation.

Task Activities

Tasks

Request Approval

Approval Task Rule

Help updates

The following updates have been made to the Help:

  • Added a note about the deprecation of this activity to the Create Approval Request topic.

  • Added a note about the deprecation of this activity to the Wait For Event topic.

  • Added a new topic for the Request Approval task activity.

Create Approval Request

Wait For Event

Request Approval

Feature

Description

Help Topic

Devices and Users inventory table

The Devices and Users inventory tables now use pagination to organize the assets shown in the table.

Devices

Users

Help updates

The following updates have been made to the Help:

  • Added the Scroll Devices section to the Devices topic.

  • Added the Scroll Users section to the Users topic.

  • Removed deprecated Cyber Vision and Meraki integrations from the Sources topic.

  • Updated the REST API Delta Sync column from No to Yes for the Cisco Secure Access integration in the Sources topic.

  • Updated screenshots in the Devices and Users topics to align with the UI.

Devices

Users

Sources

Feature

Description

Help Topic

Clients inventory table

The Clients inventory table now uses pagination to organize the devices shown in the table.

Clients

Help updates

The following updates have been made to the Help:

  • Added the Scroll Devices section to the Clients topic.

  • Updated screenshots in the Clients topic to align with the UI.

Clients

Feature

Description

Help Topic

Mark all as read icon updated in Notifications popup

The (Mark all as read) icon has been updated in the Notifications popup when you click the (Notifications) icon in the upper right corner on the Cisco XDR header.

Navigate Cisco XDR

Feature

Description

Help Topic

Cisco Secure DDoS Protection and Cisco Secure WAF and Bot Protection integrations added to the Cisco tab on Integrations page

The following new integrations have been added to the Cisco tab on the Integrations page:

  • Cisco Secure DDoS Protection - Cisco Secure DDoS Protection service, also known as Radware Cloud DDoS Protection, is based on the industry's most effective DDoS attack detection algorithms and mitigation technologies.

    In Cisco XDR, the Cisco Secure DDoS Protection integration allows users to investigate IP addresses to retrieve reputation data from the solution and check if any attacks have been detected involving those addresses.

  • Cisco Secure WAF and Bot Protection - At its core, Cisco Secure WAF and Bot Protection (also known as Radware WAF and Bot Protection) is based on Radware's ICSA Labs certified, market-leading web application firewall and offers full web security protection including OWASP Top-10 coverage, advanced attack protection and 0-day attack protection that automatically adapts your protections to evolving threats and protected assets. These capabilities are provided as a fully-managed offering.

    In Cisco XDR, the Cisco Secure WAF and Bot Protection integration allows users to investigate IP addresses and retrieve records of any attacks detected involving those IP addresses, and to take response actions by adding them to network or application lists.

Cisco and Third-Party Integrations and Supported Capabilities

Cisco Secure DDoS Protection

Cisco Secure WAF and Bot Protection

NetScout Omnis Cyber Intelligence added to the Third-Party tab on Integrations page

The NetScout Omnis Cyber Intelligence integration has been added to the Third-Party tab on the Integrations page. NETSCOUT Omnis Cyber Intelligence allows Omnis Cyber Intelligence users to promote Omnis Cyber Intelligence alerts into Cisco XDR’s incident queue and it also provides a Pivot menu lookup link to the NETSCOUT NetScout Omnis Cyber Intelligence UI to view more details about the selected observable.

Cisco and Third-Party Integrations and Supported Capabilities

NetScout Omnis Cyber Intelligence

Cyber Vision integration removed from Integrations page

The Cyber Vision integration has been removed from the Integrations page due to the End-of-Life announcement of Cisco Cyber Vision Cloud. For more information, see End-of-Sale and End-of-Life Announcement for the Cisco IoT Operations Center Licenses.

Cisco and Third-Party Integrations and Supported Capabilities

Meraki integration removed from Integrations page

The Meraki integration has been removed from the Integrations page and it has been replaced by the Cisco Meraki integration.

Cisco and Third-Party Integrations and Supported Capabilities

Cisco Meraki Integration

Feature

Description

Help Topic

Apply button added to incidents app in ribbon

The Apply button has been added to the Filters panel in the incidents app. You now need to click Apply after you select your filter criteria to apply your selections.

Incidents App

Help icon added to Pivot menu

The (Help) icon has been added to the Pivot menu. Click the (Help) icon in the lower left corner to open the help topic for more information on the Pivot menu.

Pivot Menu

No new customer-facing features or updates in this release.

Release Date: January 29, 2025

New Features and Updates

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

MITRE ATT&CK® Incidents tile update

To align with the MITRE ATT&CK® framework ordering, the MITRE ATT&CK® Incidents tile now displays all tactics, regardless whether they are reported by incidents over the selected timeframe. Previously, only tactics reported by incidents were displayed in the tile.

Default Cards

Feature

Description

Help Topic

Export updated to Download on Response page

The Export drop-down has been updated to Download in the Actions Taken area on the Response page.

 Response

Automation workflow actions added to Actions Taken area in attack graph node drawer

The Actions Taken area in the Node drawer for the attack graph can include actions executed by Automation workflows for the selected observable.

 Overview

Incident correlation and analytics support for SentinelOne integration

Security detections from SentinelOne are now included in incident correlation and analytics in Cisco XDR.

Incidents

SentinelOne Integration

Event drawer update on Detection page

The new JSON area has been added to the Event drawer on the Detection page. You can now copy or download the sighting data in JSON format for incidents that were created by Cisco Secure Cloud Analytics (Cisco XDR Analytics), depending on the data source.

Detection

Help update

Updated the Detection Table Column Descriptions section in the Detection topic to align with the UI.

Detection

Feature

Description

Help Topic

Help update

Updated screenshot in Events topic to align with the UI.

Events

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Improved health checks

Improved health checks have been added to ensure that Automation rules are executing as expected. Users are notified if rate limits are exceeded.

Automation Rules

Feature

Description

Help Topic

Cisco Secure Access integration support

The Cisco Secure Access integration is now supported as source for the Devices page.

Sources

Cisco Secure Access Integration

Help updates

The following updates have been made to the Help:

  • Added Cisco Secure Access to the Sources topic.

Sources

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Splunk Cloud integration update

The Splunk Cloud integration now enables querying of security detections across Network Traffic, Malware, Data Loss Prevention, and Intrusion Detection CIM-compliant data for observables, such as IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes to take advantage of these new capabilities.

For details on how to configure the Splunk Cloud integration, refer to the Integration Guide area when adding the Splunk Cloud integration. If you have an existing Splunk Cloud integration configured, you must edit the existing Splunk Cloud integration and configure the new settings.

Splunk Cloud Integration

Help updates

The following updates have been made to Help:

  • Updated the Asset Insights and Context column from No to Yes for the Cisco Secure Access integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • Updated the Detection Analytics and Correlation column from No to Yes for the SentinelOne integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • Updated the Threat Hunting and Investigation column from No to Yes for the Splunk Cloud integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.

  • Added the following topics to the Cisco XDR help: Cisco Secure Access Integration and SentinelOne Integration. The links to the topics have been added to the table in the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Cisco Secure Access Integration

SentinelOne Integration

Splunk Cloud Integration

 

 

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Release Date: January 15, 2025

New Features and Updates

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Team Mean Time Summary tile and User Mean Time Summary tile updates

Updated the descriptions for the Team Mean Time Summary tile and the User Mean Time Summary tile due to the new incident statuses.

 Default Cards

Help updates

Updated screenshots in the Default Tiles and Dashboards topics to align with the UI.

Default Cards

Dashboards

Feature

Description

Help Topic
New incident statuses

New incident statuses are now available for all incidents. The new statuses align with industry standards and they provide additional details on the nature of the incident. For a list of the available incident statuses, see Available Statuses.

For compatibility purposes, the previous incident statuses (Open, Closed, Incident Reported, Containment Achieved, Stalled, Rejected, and Restoration Achieved) are available in the Filters drawer only. You cannot set an incident to one of these statuses.

Incidents

Response

Incident Detail

Hide Closed Incidents

The previous Include Closed Incidents toggle is now a Hide Closed Incidents check box on the Incidents page and in the Filters drawer. You can uncheck the Hide Closed Incidents check box to display closed incidents in the Incidents list.

Incidents

Clear button added to Filters drawer

You can now click the new Clear button to remove your selections in the Status and Assignment drop-down lists in the Filters drawer.

 Incidents

Created date update

The Created date in the incidents list and incident drawer now displays the date and time the incident was created, instead of the relative amount of time from the date and time the incident was created.

Incidents

No new customer-facing features or updates in this release.

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

New variables for observable state

Two new variables have been added to enable a content author to set the state of observables in their incident response workflows that are intended for use by playbook tasks. In the Set Variables activity within a For Each loop, open the variable browser, search or navigate to choose Result Message (string) and Succeeded (true or false), and enter their values.

Set Variables

For Each Loop

Set workflow result variables

When it comes to defining variables within a workflow, you can use the Workflow Result variables to provide information about the workflow’s execution. In particular, the Workflow Result Code variable is an auto-populated string - the system derives the value based on the observable state or workflow result - that indicates the outcome of the workflow.

Now you also have the option to override and explicitly set the code by choosing a value from the list as needed. If you choose Completed Successfully to override Partially Completed in a completed workflow where at least one of its observable tasks did not succeed, the task workflow shows Complete in the incident playbook's Response tab and the Workflow Result variable's value is shown in the corresponding Worklog tab. View the workflow’s run details and you can see the values of both Workflow Result variables in the Output section.

Workflow Variables

Help update

The following update has been made to the Help:

  • Added a link to the Automation API Guide to the About Automation topic.

About Automation

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Help updates

Fixed an incorrect APJC regional API endpoint in the Create Deployment topic.

Create Deployment

No new customer-facing features or updates in this release.

Feature

Description

Help Topic

Help updates

Added the following topics to the Cisco XDR help: Orbital Integration, Zendesk Integration, Cisco Defense Orchestrator Integration, Cisco Duo Integration, Secure Email Appliance Integration, Secure Email and Web Manager Integration, and Secure Web Appliance Integration. The links to the topics have been added to the table in the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Orbital Integration

Zendesk Integration

Cisco Defense Orchestrator Integration

Cisco Duo Integration

Secure Email Appliance Integration

Secure Email and Web Manager Integration

Secure Web Appliance Integration

 

Feature

Description

Help Topic

Help updates

The Change Incident Status and Filter Incidents sections have been updated in the Incidents App topic due to the new incident statuses.

Incidents App

No new customer-facing features or updates in this release.