Previous Release Notes for Cisco XDR in 2026

Response tab update in incident detail

The Cisco Managed tasks that are automatically generated by AI based on the observables for the incident have been removed from the list of tasks in the Identification phase in the Response tab. You can view AI-generated recommended tasks in the Recommendations panel on the incident detail with AI analysis page, if applicable.

Incident detail with AI analysis updates

The following updates have been made to the incident detail with AI analysis page:

• The AI-generated recommended tasks (Device Analysis, User Analysis, and Detection Analysis) have been added to the Identification phase in the Recommendations panel and the Response tab. These tasks are based on the analysis of the detection findings, logs, and observables in the incident.

• The (Reset timeline) icon has been removed from the Summary panel. You can use the Attack Graph breadcrumb in the upper area of the right pane to reset the view to the attack graph.

• The previous View details icon has been replaced with the View details link in the Analysis panel.

• You can now view the number of recommended tasks out of the total number of tasks at the bottom of the Recommendations panel. Click the View all tasks in Response tab link to view all the tasks in the Response tab.

• The View more or View less links have been added to display or hide additional assets in the Analysis panel.

Action count badge added to Actions Taken in node drawer

If there are more than 50 actions taken, all identical actions will now be aggregated into one action with the action count displayed as a badge to the left of the source in the Actions Taken area of the node drawer.

Account Keys

For security reasons, HTTP targets with remote no longer support Cisco XDR Token as an account key. Pass an authentication header instead.

Automation Remote

Virtual appliances based on v2.x OVAs are deprecated. The state of connected v2.x Remotes are not impacted, but users should replace their virtual appliances with v3.0 or newer OVAs for continued support.

You can now set the validity period of certificates up to 2 years on remotes based on v3.0 or newer OVAs.

Unified device status fields

Fields on the Devices page have been updated to improve filtering and provide an easier way to view the different properties for devices. We've merged the data from previous fields and the following fields have been added:

• Management status - replaces the Managed and Supervised fields.

• Security status - replaces the Compromised, Tampered, Jail Broken, Isolated, and Has faults fields.

• Disk encryption - replaces the Encrypted field.

• Firewall status

• Antivirus details

• Device health status

• Compliance status - replaces the Compliant field.

Rules that included the deprecated fields will be disabled until you update the Rule Criteria. Click Rules on the Devices page to view which rules need to be updated.

Saved filters containing deprecated fields have been automatically updated to remove those fields. To include the updated status fields, you will need to create and save new filters.

Security and Compliance card

The Security Products card on the Device Details page has been expanded into the new Security and Compliance card. This card provides the previous fields for Firewall status and Disk encryption, while providing new fields for Device health, Antivirus details, and Compliance status if available.

Secure Endpoint source card

The Cisco Secure Endpoint (AMP) card on the Device Details page has been merged into the Secure Endpoint card in the Seen in Sources section. To see the AV definitions status, Device isolation status, Orbital enablement, and other device data provided by Secure Endpoint, click View full details on the source card.

New user fields

The following fields have been added to the Users page to enable you to evaluate user behavior, risk levels, and take more effective action during incident investigations:

• Level of trust

• Last updated level of trust

• Status

User details

The User Details page has been reorganized to display the Security and User Details sections. The Security section includes the user's trust level and additional information that was used to determine the user's Trust Level, and the user's multi-factor authentication status and a list of all the identity events from Identity Intelligence. The User Details section includes the identity details, used devices, activity details, and organization details for the user.

Enhanced remote shell session visibility

When reviewing historical remote shell (interACT) sessions, the session header now shows the specific task name, enabling analysts to quickly identify and navigate between concurrent live-response sessions. This improves investigation context and analyst efficiency.

Filter by evidence type added to Evidence tab in incident detail

You can now filter the evidence list by evidence type using the new Evidence type drop-down list in the Evidence tab.

Getting Started Page

View a Getting Started page the first time you navigate to Automate > Workspace.

Custom security event type

Added a new Identity security event type to Custom Security Event Workflow.

Help updates

Updated Automate documentation with current procedure to create workflows.

Commvault Cloud integration added to Integrations page

The new Commvault Cloud integration has been added to the Third-Party tab on the Integrations page. Integrating Commvault Cloud with Cisco XDR enhances network and data security and inter-operability. Organizations can initiate Commvault protection for VM workloads directly from the Cisco XDR platform, through the Automate functionality, preserving the VM’s current state early in incident response. SOC teams can also create Cleanroom Recovery Groups within Commvault, enabling impacted VMs to be restored into an isolated environment for investigation and, when appropriate, recovered back to production after the incident.

User role updates

XDR Forensics Org Admins have been promoted to the Global Admin user role. This will enable admins to have full control over managing 118 specific privileges, allowing the creation of highly customized user roles. This granular access control ensures that each user or group has permissions tailored to their specific needs, such as handling evidence acquisition, interACT sessions, or audit log management.

New incident detail view with AI analysis

You can now click Launch New Incident View in the upper right corner of the incident detail to display the new AI-powered incident detail view.

This view presents an overview of the AI analysis and evaluation of the incident, indicating whether it is likely a true or false positive threat. The AI assesses incidents in a manner similar to a human analyst, systematically forming and validating hypotheses. It analyzes individual detections, observables, indicators, and their combination, to identify a threat narrative consistent with the incident data. The final classification, along with reasoning, supporting evidence, and recommended response steps, is displayed in the incident detail view.

Note: The new incident detail view is currently in Beta and subject to change.

Activities

Added toggle to fill empty fields with default values in the Parse JSON activity.

Endpoint Visibility Module

The Endpoint Visibility Module is available for Windows amd64 and macOS deployments. The Endpoint Visibility Module is a critical component for organizations striving for seamless endpoint visibility and advanced threat detection within Cisco XDR. Its comprehensive endpoint telemetry complements Cisco and third-party EDR deployments, adding essential context to threat detections.

Endpoint Data Loss Prevention

The Endpoint Data Loss Prevention module is now available for Windows amd64 deployments. Cisco Endpoint Data Loss Prevention (Endpoint DLP) enables you to protect sensitive data on endpoints by controlling what data is transferred to external devices. It extends your organization’s data protection policies to the endpoint.

You can also upload a new Endpoint Data Loss Prevention profile to the Profiles page and select a Endpoint Data Loss Prevention profile when creating new deployments.

Advanced Time Display and Copy Options

The DateTime component within XDR Forensics now includes a contextual popover to view and copy timestamps in multiple formats including UTC, ISO, local, and relative time. This enhancement streamlines correlation activities across multiple evidence sources and logs during complex investigations.

Filter by data type added to Observables drawer

You can now filter the list of observables by data type using the new Type drop-down list at the top of the Observables drawer in the incident detail.

The total number of searched or filtered results is now displayed to the right of the Type drop-down list.

Evidence tab update

When you click the evidence name in the Evidence tab, it opens the evidence details directly in the XDR Forensics UI. You no longer need to click the View Investigation Hub icon on the XDR Forensics page before it opens the evidence details in the XDR Forensics UI.

Improved Endpoint Name Change Handling to Enhance System Performance

In certain environments, endpoint name change events could previously be triggered due to misconfigured deployments, particularly in cases involving golden image deployments that did not follow the provided deployment guidelines. This scenario could result in a high volume of asset name changes, generating excessive audit logs and triggering updates on investigations. The combination of frequent asset name updates, audit log generation, and related notifications created significant system load, leading to performance degradation.

In addition, audit log generation and event-based notifications related to endpoint name changes have been disabled, as their operational impact outweighed their functional value.

To improve overall system performance and protect core AIR functionality, endpoint name change handling on investigations and the related audit log generation have been removed, as their operational impact outweighed their functional value. Additionally, the warning status indicating a high number of endpoint name changes has been removed, as it relied on audit log data.

Improved Auto-Scaling and Recovery Stability for SaaS Tenants

Some SaaS tenants previously experienced extended auto-scaling and recovery durations due to a potential issue related to database connection handling during application startup.

Enhancements have been implemented to improve database connection management during startup, resulting in more stable auto-scaling behavior and reduced recovery times.

New statuses added to the Evidence tab

The following new statuses have been added to the Evidence tab in the incident detail:

• Partially complete - Parts of the forensic acquisition did not complete successfully due to insufficient disk space on the machine to complete the acquisition or drone failures. Hover over the status tag to display the reason.

• Expired - The forensic acquisition or remote shell session has timed out due to a lack of response from the endpoint for 7 days or more.

• Canceled - The forensic acquisition or remote shell session has been canceled in XDR Forensics.

Copy and Download buttons added to Intelligence page

The new Copy and Download buttons have been added to the JSON panel in the Judgments, Indicators, Events, and Feeds tabs on the Intelligence page.

AppOmni SaaS Security integration added to the Integrations page

The new AppOmni SaaS Security integration has been added to the Third-Party tab on the Integrations page. AppOmni enriches Cisco XDR investigations with SaaS identity, access, and threat context. Search AppOmni directly from Cisco XDR to understand who a user is, what SaaS applications they can access, and their level of access, including elevated or administrative privileges.

Historical data update in Pivot menu

The Historical button at the top of the Pivot menu has been renamed to Incident time or Investigation time, depending on whether the Pivot menu is opened in an incident or an investigation.

Smarter evidence analyzer behavior for missing artifacts

DRONE analyzer logic now skips analysis tasks when expected artifacts are absent from collected data. This prevents confusing error messages and makes error logs clearer and more accurate for investigation teams.

Investigation Hub asset filter crashes with large cases

The Asset drop-down list in Investigation Hub could become unresponsive in investigations with thousands of assets. The filter now supports virtualized loading for smoother performance in enterprise-scale environments.

Asset registration failure on identical cloud instance IDs

In environments where multiple assets share the same cloud infrastructure ID, responder registration could fail. XDR Forensics now handles additional identifiers to differentiate assets reliably in these cases.

Meraki adapter

Meraki adapter was superseded by Cisco Meraki integration in release 2.29. The current release removes the obsolete adapter.

Rules for users

You can now create rules that will assign labels and values to users automatically. On the Users page, click Rules to open the drawer to create new rules from search or from scratch.

Cisco Meraki Network Devices support

Meraki Network Devices are now supported on the Devices page, and the Sources page will display a separate cards for Meraki Network Devices. Existing customers do not need to update their Cisco Meraki integration, as the integration module will automatically ingest Meraki Network Devices data.

Device type chart

The device type chart on the Devices page now includes a check box for Other devices, which includes network devices and IoT devices. The Other check box will automatically filter the table for those device types. To filter by a specific type of network device, for example, Firewall devices, use the Type drop-down menu in the Filters drawer.

User management in Secure Cloud Control

The ability to invite users, change user status, and manage user permissions will be moved from the Manage Users page in Cisco XDR to the Administrator Access page in Security Cloud Control. For more information on inviting users and managing permissions in Security Cloud Control, see Managing Role-Based Access Control in the Cisco Security Cloud Control Administration Guide.

The Manage Users page will become view-only, displaying all users in your organization along with their assigned roles and current statuses.

This change goes into effect on January 28, 2026. If you are an existing Cisco XDR user, your account will be automatically migrated to Security Cloud Control on January 28th, 2026. Your tenant will need to be attached to your Security Cloud Control Enterprise to leverage this functionality. No additional action is required by your organization.