Release Notes for Cisco XDR 2.64

Control Center

Feature	Description	Help Topic
Help update	Updated the Default Cards topic to remove the Detection Ingest Status card from the Secure Cloud Analytics section. The card has been deprecated in the Customize Dashboards dialog box. You can view the last created time and the last verified time for each integrated detection source in the Detection findings tab on the Investigate page.	Default Cards

Incidents

Feature	Description	Help Topic
Incident detail with AI analysis updates	The following updates have been made to the incident detail with AI analysis page: The Events Timeline panel has been updated to display events based on the incident investigation and analysis by agentic AI. The attack graph in the right pane reflects the updated events timeline, providing a detailed view of the events. The events and attack graph are not available for incidents that were created prior to April 29th, 2026. The Incident response progress bar has been added to the top of the Recommendations panel. It indicates the number of tasks with a Complete status out of the total number of tasks. The priority tags in the Recommendations panel have been added to the Response tab. The AI-generated tasks are completed as part of the AI analysis and they are not displayed in the Recommendations panel. You can view the details of the tasks in the Response tab.	Incident Detail with AI Analysis
Requested by updates in Evidence tab	The Requested by column in the Evidence tab now displays the name of the user who requested the acquisition or remote shell session. It previously displayed the email of the user. You can also filter the evidence list by the name of the user who requested the acquisition or remote shell session using the Requested by drop-down list at the top of the Evidence tab.	Evidence
Incident correlation	Incident analysis and correlation now includes Cisco Meraki AMP and IDS engine events. To view incidents with Meraki data, go to Incidents, select an incident with Cisco Meraki as a source, and open the Incident Detail page. On the Detection tab, you will see events from Cisco Meraki.	Incidents
Help updates	Updated the links to the XDR Forensics Knowledge Base in the Evidence topic.	Evidence

Investigate

Feature	Description	Help Topic
Help updates	The following updates have been made to the Help: Updated the Detection Findings topic to include Cisco Meraki in the list of supported products that generate security events if integrated in Cisco XDR. Updated the Investigate topic with new screenshots to align with the UI.	Detection Findings Investigate

Feature

Description

Help Topic

Help updates

The following updates have been made to the Help:

Updated the Detection Findings topic to include Cisco Meraki in the list of supported products that generate security events if integrated in Cisco XDR.
Updated the Investigate topic with new screenshots to align with the UI.

Detection Findings

Investigate

Automate

Feature	Description	Help Topic
Workflow Editor	The following updates have been made to the Workflow Editor: Integration target types are now available in the Target Type drop-down list. Selecting a target type now pre-filters the available choices in the Target drop-down list to relevant targets. When you select the Specify Target on Workflow Start option, you can now choose supported integrations to narrow down the available targets when running the workflow. When you select the Execute on This Target option, the target is now pre-selected if there is only one target available for the target type. The AI Agent activity can now use a pre-selected target for execution of workflows that have theSpecify on Workflow Start option selected.	Workflow Editor
Targets Page	You can now filter by integration target type when searching targets.	Targets
Remotes	You can now add Remotes via Docker packages.	Automation Remote Remote Setup and Deployment

Feature

Description

Help Topic

Workflow Editor

The following updates have been made to the Workflow Editor:

Integration target types are now available in the Target Type drop-down list.
Selecting a target type now pre-filters the available choices in the Target drop-down list to relevant targets.
When you select the Specify Target on Workflow Start option, you can now choose supported integrations to narrow down the available targets when running the workflow.
When you select the Execute on This Target option, the target is now pre-selected if there is only one target available for the target type.
The AI Agent activity can now use a pre-selected target for execution of workflows that have theSpecify on Workflow Start option selected.

Workflow Editor

Targets Page

You can now filter by integration target type when searching targets.

Targets

Remotes

You can now add Remotes via Docker packages.

Automation Remote

Remote Setup and Deployment

Assets

Feature	Description	Help Topic
User trust level	The Level of trust field on the Users and User Details page has been renamed to Trust level.	Users User Details

Feature

Description

Help Topic

User trust level

The Level of trust field on the Users and User Details page has been renamed to Trust level.

Users

User Details

Client Management

Feature	Description	Help Topic
Help updates	The Create Deployment topic has been updated to include connectivity requirements for the Endpoint Visibility Module (EVM).	Create Deployment

Integrations

Feature	Description	Help Topic
Cisco Meraki integration	The Cisco Meraki integration now ingests AMP engine events, and malware and indicator-compromise IDS engine events for incident correlation. Support for additional event types is planned for future releases.	Cisco Meraki Integration
Help updates	The following updates have been made to the Help: Updated the following integration topics to remove the deprecated Detection Ingest tile references, and now include information on how to view the source data in Detection findings: Cisco Secure Endpoint Cisco Secure Network Analytics Cisco Secure Email Threat Defense Cisco Secure Access CrowdStrike Falcon Microsoft Defender for Endpoint Microsoft Defender for Office 365 SentinelOne Singularity Proofpoint Threat Protection Updated the Detection Sources section in the Integrations topic to include the Cisco Meraki integration. The new Detection Details section has been added to the Cisco Secure Endpoint, CrowdStrike Falcon, and Microsoft Defender for Endpoint topics.	Cisco Secure Endpoint Integration Cisco Secure Network Analytics Integration Cisco Secure Email Threat Defense Integration Cisco Secure Access Integration CrowdStrike Falcon Integration Microsoft Defender for Endpoint Integration Microsoft Defender for Office 365 Integration SentinelOne Singularity Integration Proofpoint Threat Protection Integration Integrations

Feature

Description

Help Topic

Cisco Meraki integration

The Cisco Meraki integration now ingests AMP engine events, and malware and indicator-compromise IDS engine events for incident correlation. Support for additional event types is planned for future releases.

Cisco Meraki Integration

Help updates

The following updates have been made to the Help:

Updated the following integration topics to remove the deprecated Detection Ingest tile references, and now include information on how to view the source data in Detection findings:
- Cisco Secure Endpoint
- Cisco Secure Network Analytics
- Cisco Secure Email Threat Defense
- Cisco Secure Access
- CrowdStrike Falcon
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- SentinelOne Singularity
- Proofpoint Threat Protection

Updated the Detection Sources section in the Integrations topic to include the Cisco Meraki integration.
The new Detection Details section has been added to the Cisco Secure Endpoint, CrowdStrike Falcon, and Microsoft Defender for Endpoint topics.

Cisco Secure Endpoint Integration

Cisco Secure Network Analytics Integration

Cisco Secure Email Threat Defense Integration

Cisco Secure Access Integration

CrowdStrike Falcon Integration

Microsoft Defender for Endpoint Integration

Microsoft Defender for Office 365 Integration

SentinelOne Singularity Integration

Proofpoint Threat Protection Integration

Integrations

XDR Forensics

Feature	Description	Help Topic
XDR Forensics Knowledge Base	The XDR Forensics Knowledge Base has been migrated out of the PDF-based knowledge base to the web-based HTML Cisco XDR Help Center to improve the discoverability of technical resources and provide a more intuitive navigation experience.	XDR Forensics Knowledge Base
AIR File Explorer XFS Partition Support	Added support for recognizing and parsing XFS partitions in disk images. Analysts can now browse and analyze evidence from XFS-based assets directly within AIR File Explorer.	File Explorer
Expanded Windows evidence coverage in Baseline Comparison	Comparison supports over 40 new Windows artifact sources, including file system, registry, system, network, and SRUM data, enabling deeper and broader comparative analysis.	Compare
Enhanced RelayPro	Upgraded RelayPro with a new toolchain and improved dependencies, enhancing responder–console communication security and reliability for uninterrupted evidence transfers during complex investigations.	RelayPro

Release Notes for Cisco XDR 2.64

New Features and Updates

Previous Release Notes