Previous Release Notes for Cisco XDR in 2026

Release Date: March 4, 2026

New Features and Updates

Note: Only sections with new customer-facing features or updates in this release are listed below.

Feature

Description

Help Topic

Filter by data type added to Observables drawer

You can now filter the list of observables by data type using the new Type drop-down list at the top of the Observables drawer in the incident detail.

The total number of searched or filtered results is now displayed to the right of the Type drop-down list.

Overview

Evidence tab update

When you click the evidence name in the Evidence tab, it opens the evidence details directly in the XDR Forensics UI. You no longer need to click the View Investigation Hub icon on the XDR Forensics page before it opens the evidence details in the XDR Forensics UI.

Search Results added to assign incident popup

When you assign users to an incident, a list of all the users are listed in the new Search Results area. You can narrow the list by entering a user in the Search field.

The current user is now displayed as a suggested assignee under the Search field if the incident is assigned to other users.

Incidents

Incident Detail

Feature

Description

Help Topic
AI run summary You can now view an AI-generated summary of workflow runs. View, Filter, and Search for Runs
Help updates Updated documentation for reorganized Automation pages and navigation. About Automation

Feature

Description

Help Topic

Help updates

Added a note that Cisco Identity Intelligence provides a maximum of 10 groups for a user to the Users topic.

Users

Feature

Description

Help Topic

Help updates

Updated the steps in the Configure a GCP Subnet to Generate VPC Flow Logs section of the Google Cloud Platform Integration topic.

Google Cloud Platform Integration

Feature

Description

Help Topic

Improved Endpoint Name Change Handling to Enhance System Performance

In certain environments, endpoint name change events could previously be triggered due to misconfigured deployments, particularly in cases involving golden image deployments that did not follow the provided deployment guidelines. This scenario could result in a high volume of asset name changes, generating excessive audit logs and triggering updates on investigations. The combination of frequent asset name updates, audit log generation, and related notifications created significant system load, leading to performance degradation.

In addition, audit log generation and event-based notifications related to endpoint name changes have been disabled, as their operational impact outweighed their functional value.

To improve overall system performance and protect core AIR functionality, endpoint name change handling on investigations and the related audit log generation have been removed, as their operational impact outweighed their functional value. Additionally, the warning status indicating a high number of endpoint name changes has been removed, as it relied on audit log data.

Improved Auto-Scaling and Recovery Stability for SaaS Tenants

Some SaaS tenants previously experienced extended auto-scaling and recovery durations due to a potential issue related to database connection handling during application startup.

Enhancements have been implemented to improve database connection management during startup, resulting in more stable auto-scaling behavior and reduced recovery times.

Enhanced Export Service Performance for Large Data Sets

The export service used across multiple features (including Audit Log exports and Investigation Hub Evidence/Finding exports) has been enhanced to better handle large data sets.

These improvements increase reliability, stability, and performance when exporting high-volume data.

Release Date: February 18, 2026

New Features and Updates

Note: Only sections with new customer-facing features or updates in this release are listed below.

Feature

Description

Help Topic

Record screen added to Help menu

The new Record screen option is now available from a drop-down list access by clicking the (Help) icon in the Cisco XDR header. It allows you to record on-screen activities to demonstrate issues visually during case submission. These recordings help TAC engineers to quickly understand the problem context, leading to more efficient troubleshooting.

Navigate Cisco XDR

Feature

Description

Help Topic

New statuses added to the Evidence tab

The following new statuses have been added to the Evidence tab in the incident detail:

  • Partially complete - Parts of the forensic acquisition did not complete successfully due to insufficient disk space on the machine to complete the acquisition or drone failures. Hover over the status tag to display the reason.

  • Expired - The forensic acquisition or remote shell session has timed out due to a lack of response from the endpoint for 7 days or more.

  • Canceled - The forensic acquisition or remote shell session has been canceled in XDR Forensics.

Evidence

Resize table column width on the Incidents page

You can now resize the column width in the incident table on the Incidents page.

Incidents

Feature

Description

Help Topic

Related incidents update on Detection Findings page

The Not available status is now displayed in the Related incidents column on the Detection Findings page if the related incidents cannot be determined due to the security event being generated prior to the related incidents feature support (September 25th, 2025).

The previous em dash (—) status now displays None in the Related incidents column.

Detection Findings

Feature

Description

Help Topic

Copy and Download buttons added to Intelligence page

The new Copy and Download buttons have been added to the JSON panel in the Judgments, Indicators, Events, and Feeds tabs on the Intelligence page.

Judgments

Indicators

Events

Feeds

Help update

Updated screenshots in the Judgments topic to align with the UI.

Judgments

Feature

Description

Help Topic
Run monitoring You can view the duration of runs in the new Run time column. You can toggle the display of sub-workflows and atomics by filling a checkbox on the Runs page. The Owner column has been removed. Runs can no longer be deleted from the Runs page.

Run Monitoring

Help updates Added new OVA information to the Configure and Deploy the Virtual Appliance section in the Remote Setup and Deployment topic. Remote Setup and Deployment

Feature

Description

Help Topic

Help update

Added the int-check-in-ignored event type to the Device Events topic.

Device Events

Feature

Description

Help Topic

AppOmni SaaS Security integration added to the Integrations page

The new AppOmni SaaS Security integration has been added to the Third-Party tab on the Integrations page. AppOmni enriches Cisco XDR investigations with SaaS identity, access, and threat context. Search AppOmni directly from Cisco XDR to understand who a user is, what SaaS applications they can access, and their level of access, including elevated or administrative privileges.

Cisco and Third-Party Integrations and Supported Capabilities

AppOmni SaaS Security Integration

Talos Intelligence integration update

The Talos Intelligence integration now uses Talos URS API instead of Talos SDS API.

Feature

Description

Help Topic

Historical data update in Pivot menu

The Historical button at the top of the Pivot menu has been renamed to Incident time or Investigation time, depending on whether the Pivot menu is opened in an incident or an investigation.

Pivot Menu

Overview

Assets and Observables

Help update

Added a note to the Investigate Observable section in the Pivot Menu topic to clarify that manual investigations may not always align with incident observables.

Pivot Menu

Feature

Description

Help Topic

Smarter evidence analyzer behavior for missing artifacts

DRONE analyzer logic now skips analysis tasks when expected artifacts are absent from collected data. This prevents confusing error messages and makes error logs clearer and more accurate for investigation teams.

DRONE

Investigation Hub asset filter crashes with large cases

The Asset drop-down list in Investigation Hub could become unresponsive in investigations with thousands of assets. The filter now supports virtualized loading for smoother performance in enterprise-scale environments.

Investigation Hub

Asset registration failure on identical cloud instance IDs

In environments where multiple assets share the same cloud infrastructure ID, responder registration could fail. XDR Forensics now handles additional identifiers to differentiate assets reliably in these cases.

XDR Forensics MITRE ATT&CK Analyzer

MITRE ATT&CK Analyzer is now at version 12.2.0, which introduces expanded and enhanced detection capabilities across multiple threat categories, including comprehensive rule coverage for advanced malware families.

MITRE ATT&CK Analyzer changelog

Release Date: February 4, 2026

New Features and Updates

Note: Only sections with new customer-facing features or updates in this release are listed below.

Feature

Description

Help Topic

Help update

Updated the Sync and Highlight Data section in the Investigation Results topic to remove events highlight.

Investigation Results

Feature

Description

Help Topic

Meraki adapter

Meraki adapter was superseded by Cisco Meraki integration in release 2.29. The current release removes the obsolete adapter.

About Automation

Help updates

The following updates have been made to the Help:

  • Added information about expiry of existing webhooks.

  • Removed obsolete Meraki adapter.

  • Added new OVA information to the Configure and Deploy the Virtual Appliance section in the Remote Setup and Deployment topic.

Webhooks

Remote Setup and Deployment

Feature

Description

Help Topic

Rules for users

You can now create rules that will assign labels and values to users automatically. On the Users page, click Rules to open the drawer to create new rules from search or from scratch.

Users

Cisco Meraki Network Devices support

Meraki Network Devices are now supported on the Devices page, and the Sources page will display a separate cards for Meraki Network Devices. Existing customers do not need to update their Cisco Meraki integration, as the integration module will automatically ingest Meraki Network Devices data.

Devices

Sources

Device type chart

The device type chart on the Devices page now includes a check box for Other devices, which includes network devices and IoT devices. The Other check box will automatically filter the table for those device types. To filter by a specific type of network device, for example, Firewall devices, use the Type drop-down menu in the Filters drawer.

Devices

Help updates

The following updates have been made to the Help:

  • Added the Rules Drawer section to the Users topic.

  • Updated the Sources topic for Cisco Meraki Network Devices support.

  • Updated screenshots in the Devices and Users topics to align with the UI.

Users

Sources

Devices

Feature

Description

Help Topic

Help updates

The following updates have been made to the Help:

  • Added a note to the Download Installer and Deploy Secure Client section of the Deployment Management topic describing ensuring endpoints have a unique UUID assigned when installing Cloud Management on a virtual machine.

  • Updated a note in the Download Installer and Deploy Secure Client section of the Deployment Management topic to clarify it can take up to 24 hours for devices to appear on the Clients page after initial deployment.

  • Added a note to the Create Deployment topic indicating that Secure Client update traffic must be excluded from Umbrella SSL Decryption.

Deployment Management

Create Deployment

Feature

Description

Help Topic

Help updates

Updated the View Git repositories and Used by information and View remotes list and Used by information rows from Yes to No for the Incident Responder and Security Analyst columns in the Roles topic.

Roles

Release Date: January 21, 2026

New Features and Updates

Note: Only sections with new customer-facing features or updates in this release are listed below.

Feature

Description

Help Topic
Help update Updated the onboarding information in the Sign In to Cisco XDR section. Getting Started

Feature

Description

Help Topic
Help icon updates

The new Cisco support options are now available from a drop-down list accessed by clicking the (Help) icon in the Cisco XDR header. From this menu, you can open a support case with Cisco Technical Support (TAC), upload files to an existing support case, or view your current support cases. You can also choose Open onboarding checklist to launch a personalized onboarding experience. This opens an onboarding checklist with a series of guided steps and videos designed to help you get started quickly with Cisco XDR.

Previously, you accessed the Cisco XDR online help by clicking the (Help) icon. You now need to choose Help from the drop-down menu to access the help topics to learn more about the specific Cisco XDR page.

Navigate Cisco XDR

Feature

Description

Help Topic

Assets without XDR Forensics enabled

The new Assets without XDR Forensics enabled panel has been added to the Acquire forensic evidence and Launch remote shell drawers in the Evidence tab. Click the (Expand) icon to display a list of assets that are a part of a deployment that does not include the XDR Forensics module. To resolve this, move these devices to a deployment that includes the XDR Forensics module in Client Management.

Evidence

Feature

Description

Help Topic

Maximum number of security events displayed on Detection findings page

The detection findings table now displays the first 10,000 security events only on the Detection findings page.

Detection Findings

Feature

Description

Help Topic

Help updates

The following updates have been made to the Help:

  • Added new OVA file information to the Configure and Deploy the Virtual Appliance section in the Remote Setup and Deployment topic.

Remote Setup and Deployment

Feature

Description

Help Topic

User management in Secure Cloud Control

The ability to invite users, change user status, and manage user permissions will be moved from the Manage Users page in Cisco XDR to the Administrator Access page in Security Cloud Control. For more information on inviting users and managing permissions in Security Cloud Control, see Managing Role-Based Access Control in the Cisco Security Cloud Control Administration Guide.

The Manage Users page will become view-only, displaying all users in your organization along with their assigned roles and current statuses.

This change goes into effect on January 28, 2026. If you are an existing Cisco XDR user, your account will be automatically migrated to Security Cloud Control on January 28th, 2026. Your tenant will need to be attached to your Security Cloud Control Enterprise to leverage this functionality. No additional action is required by your organization.

Users

Roles

Getting Started

Help update

Updated the My Account topic with a new screenshot to align with the UI.

My Account

Feature

Description

Help Topic

Help update

Updated the Minimum Cisco XDR Licensing Tier Requirement column for the StealthMole integration in the Cisco and Third-Party Integrations and Supported Capabilities topic from Advantage to Essential.

Cisco and Third-Party Integrations and Supported Capabilities

Feature

Description

Help Topic
Orbital app updates

The parameter type and the Get parameters from custom script link have been added to the Custom Script area in the Orbital app.

Orbital App

Feature

Description

Help Topic

Assets menu

The Assets menu in XDR Forensics has been separated into Devices, Disk Images, and Cloud Assets. This streamlined layout enables you to locate relevant evidence sources, assess responder status, and initiate investigation workflows with improved clarity.

XDR Forensics