Release Notes for Cisco XDR 2.45

Getting Started

No new customer-facing features or updates in this release.

Navigate Cisco XDR

No new customer-facing features or updates in this release.

Control Center

Feature	Description	Help Topic
Risk score enhancements	Improvements have been made to the TTP-based risk of financial loss used to calculate the risk scores for techniques displayed on the MITRE ATT&CK^® Coverage Map page. This update reflects the latest insight into cyber risks and losses and it leverages a comprehensive new dataset, encompassing over 90,000 cyber incidents, and derived from credible and publicly verifiable sources. By integrating new data on risk into the assessment, the updated score provides a more precise and contextualized evaluation of threats. Over 110 MITRE TTP risk score values have been revised to align with the current threat landscape, resulting in an improved risk score and more effective incident prioritization tailored to today's risks.	—
View issues menu option removed from Options menu in dashboard card	The View issues menu option has been removed from the Options menu when you click the (Ellipsis) icon in the upper right corner of the dashboard card. You can continue to view issues using the View API information option in the Options menu.	Dashboard and Card Settings
Help update	The following update has been made to the Help: Added dashboard cards for the Red Sift Pulse integration to the Integration Cards topic.	Integration Cards

Feature

Description

Help Topic

Risk score enhancements

Improvements have been made to the TTP-based risk of financial loss used to calculate the risk scores for techniques displayed on the MITRE ATT&CK^® Coverage Map page. This update reflects the latest insight into cyber risks and losses and it leverages a comprehensive new dataset, encompassing over 90,000 cyber incidents, and derived from credible and publicly verifiable sources. By integrating new data on risk into the assessment, the updated score provides a more precise and contextualized evaluation of threats. Over 110 MITRE TTP risk score values have been revised to align with the current threat landscape, resulting in an improved risk score and more effective incident prioritization tailored to today's risks.

—

View issues menu option removed from Options menu in dashboard card

The View issues menu option has been removed from the Options menu when you click the (Ellipsis) icon in the upper right corner of the dashboard card. You can continue to view issues using the View API information option in the Options menu.

Dashboard and Card Settings

Help update

The following update has been made to the Help:

Added dashboard cards for the Red Sift Pulse integration to the Integration Cards topic.

Integration Cards

Incidents

Feature	Description	Help Topic
Delete incident dialog box update	The dialog box that appears when you delete an incident has been updated with a new Confirm Delete title and the check box to confirm the deletion before you can click Delete has been removed.	Incidents
Execute button update on Response page	The Execute button in the observables drawer on the Response page has been moved from the upper portion of the drawer to the lower portion of the drawer.	Response
Incident priority score enhancements	Improvements have been made to the TTP-based risk of financial loss used to calculate the priority score for new incidents after the 2.45 (July 7th, 2025) release. This update reflects the latest insight into cyber risks and losses and it leverages a comprehensive new dataset, encompassing over 90,000 cyber incidents, and derived from credible and publicly verifiable sources. By integrating new data on risk into the assessment, the updated score provides a more precise and contextualized evaluation of threats. Over 110 MITRE TTP risk score values have been revised to align with the current threat landscape, resulting in an improved incident priority score and more effective incident prioritization tailored to today's risks.	—
Last seen added to Event drawer	The Event drawer on the Detection page in incident details now displays the Last seen date and time, if applicable.	Detection
Help updates	The following updates have been made to the Help: Updated the Group/Ungroup graph control description in the Overview topic. Updated the Incidents topic to remove an outdated note.	Overview Incidents

Investigate

Feature	Description	Help Topic
Last seen added to Event drawer	The Event drawer on the Investigation Results page now displays the Last seen date and time, if applicable.	Events

Intelligence

Feature	Description	Help Topic
Judgments table updates	The Reason column has been removed from the judgments table in the Judgments tab, and the Confidence column has been added to the table. It displays the confidence level of the system that produced the data of its accuracy.	Judgments
Events table update	The Title column has been removed from the events table in the Events tab.	Events
Help updates	The following updates have been made to the Help: Updated screenshots in the following topics to align with the UI: Intelligence, Judgments, Indicators, Events, and Feeds.	Intelligence Judgments Indicators Events Feeds

Feature

Description

Help Topic

Judgments table updates

The Reason column has been removed from the judgments table in the Judgments tab, and the Confidence column has been added to the table. It displays the confidence level of the system that produced the data of its accuracy.

Judgments

Events table update

The Title column has been removed from the events table in the Events tab.

Events

Help updates

The following updates have been made to the Help:

Updated screenshots in the following topics to align with the UI: Intelligence, Judgments, Indicators, Events, and Feeds.

Automate

Feature	Description	Help Topic
Help updates	These updates have been made to the Help: Added a link to Cisco XDR Connect to the Atomic Actions topic. Added a link to Cisco XDR Learning Labs to the Frequently Asked Questions topic. Added Remote package file name information to the Remote Setup and Deployment topic.	Atomic Actions Frequently Asked Questions Remote Setup and Deployment

Feature

Description

Help Topic

Help updates

These updates have been made to the Help:

Added a link to Cisco XDR Connect to the Atomic Actions topic.
Added a link to Cisco XDR Learning Labs to the Frequently Asked Questions topic.
Added Remote package file name information to the Remote Setup and Deployment topic.

Atomic Actions

Frequently Asked Questions

Remote Setup and Deployment

Assets

Feature	Description	Help Topic
User Details drawer	User names and email addresses included in the Users seen column on the Devices page, the Users section of the Device Details drawer, and the Associated users on the Device Overview tab on the Device Details page now open the User Details drawer to provide a summary of the selected user's information.	Devices Device Overview
Google Cloud Platform support	The Google Cloud Platform third-party integration is now supported source for the Devices page.	Devices Google Cloud Platform Integration
Help updates	The following updates have been made to the Help: Added Google Cloud Platform to the Sources topic. Updated screenshots in the Users and User Details topics to align with the UI.	Sources Users User Details

Feature

Description

Help Topic

User Details drawer

User names and email addresses included in the Users seen column on the Devices page, the Users section of the Device Details drawer, and the Associated users on the Device Overview tab on the Device Details page now open the User Details drawer to provide a summary of the selected user's information.

Devices

Device Overview

Google Cloud Platform support

The Google Cloud Platform third-party integration is now supported source for the Devices page.

Devices

Google Cloud Platform Integration

Help updates

The following updates have been made to the Help:

Added Google Cloud Platform to the Sources topic.
Updated screenshots in the Users and User Details topics to align with the UI.

Sources

Users

User Details

Client Management

Feature	Description	Help Topic
Help update	The following update has been made to the Help: Added a note to the Deployment Management topic to clarify if your endpoint does not have OpenGL installed, you will need to install the deployment using `-q` in the command line.	Deployment Management

Feature

Description

Help Topic

Help update

The following update has been made to the Help:

Added a note to the Deployment Management topic to clarify if your endpoint does not have OpenGL installed, you will need to install the deployment using -q in the command line.

Deployment Management

Administration

Feature	Description	Help Topic
On-Premises Appliances page updates	The previous Generate Token and Delete icons in the Actions column are now menu items when you click the new (Ellipsis) icon in the Actions column.	On-Premises Appliances

Integrations

Feature	Description	Help Topic
Google Cloud Platform integration added to Integrations page	The Google Cloud Platform integration has been added to the Third-Party tab on the Integrations page. Cisco XDR consumes network traffic data, including Virtual Private Cloud (VPC) flow logs, from your Google Cloud Platform (GCP) public cloud network. It then performs dynamic entity modeling by running analytics on that data to detect threats and indicators of compromise. Cisco XDR consumes VPC flow logs directly from your GCP account using across-account IAM service account with the proper permissions. If you have an existing Google Cloud Platform integration through Secure Cloud Analytics, you will continue to ingest the configured Virtual Private Cloud (VPC) flow logs. However, you will not be able to update your GCP service account credentials using the Secure Cloud Analytics portal. We recommend moving your GCP integration configuration to Cisco XDR to take advantage of the Workload Identity Federation (WIF) credentials, and then deleting the integration in Secure Cloud Analytics to avoid duplicate data ingestion.	Cisco and Third-Party Integrations and Supported Capabilities Google Cloud Platform Integration
Attack Surface Management integration removed from Integrations page	The Attack Surface Management integration has been removed from the Cisco tab on the Integrations page due to the End-of-Life announcement of Cisco Attack Surface Management. For more information, see End-of-Sale and End-of-Life Announcement for the Cisco Attack Surface Management (formerly known as Secure Cloud Insights). If you have an existing Attack Surface Management integration configured, you can continue to access the dashboard cards in Control Center.	Cisco and Third-Party Integrations and Supported Capabilities
Help updates	The following updates have been made to the Help: The following integration topics have been added to the Cisco XDR help: Microsoft Graph Security API Integration, Microsoft Intune Integration, PagerDuty Integration, Rubrik Security Cloud Integration, ServiceNow Integration, Omnissa Workspace ONE UEM Integration, xMatters Integration, MISP Integration, Graylog Cloud Integration, Palo Alto Networks Firewalls with Strata Logging Service Integration, Palo Alto Networks Cortex XDR Integration, Radware Cloud DDoS Protection Service Integration, Radware Cloud WAF Service Integration, Red Sift Pulse Integration, and Trend Vision One Integration. The link to the topic has been added to the Cisco and Third-party Integrations and Supported Capabilities topic. The Attack Surface Management Integration topic has been removed from the Cisco XDR help. The MISP and Graylog Cloud integrations have been tested and certified by Cisco Quality Assurance labs and they have been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as supported third-party integrations in Cisco XDR. Updated the Dashboard column from No to Yes for the Red Sift Pulse integration in the Cisco and Third-Party Integrations and Supported Capabilities topic. Updated the Cisco and Third-party Integrations and Supported Capabilities topic to include a note to follow the configuration steps for any of the integrations.	Cisco and Third-Party Integrations and Supported Capabilities Microsoft Graph Security API Integration Microsoft Intune Integration PagerDuty Integration Rubrik Security Cloud Integration ServiceNow Integration Omnissa Workspace ONE UEM Integration xMatters Integration MISP Integration Graylog Cloud Integration Palo Alto Networks Firewalls with Strata Logging Service Integration Palo Alto Networks Cortex XDR Integration Radware Cloud DDoS Protection Service Integration Radware Cloud WAF Service Integration Red Sift Pulse Integration Trend Vision One Integration

Feature

Description

Help Topic

Google Cloud Platform integration added to Integrations page

The Google Cloud Platform integration has been added to the Third-Party tab on the Integrations page. Cisco XDR consumes network traffic data, including Virtual Private Cloud (VPC) flow logs, from your Google Cloud Platform (GCP) public cloud network. It then performs dynamic entity modeling by running analytics on that data to detect threats and indicators of compromise. Cisco XDR consumes VPC flow logs directly from your GCP account using across-account IAM service account with the proper permissions.

If you have an existing Google Cloud Platform integration through Secure Cloud Analytics, you will continue to ingest the configured Virtual Private Cloud (VPC) flow logs. However, you will not be able to update your GCP service account credentials using the Secure Cloud Analytics portal. We recommend moving your GCP integration configuration to Cisco XDR to take advantage of the Workload Identity Federation (WIF) credentials, and then deleting the integration in Secure Cloud Analytics to avoid duplicate data ingestion.

Cisco and Third-Party Integrations and Supported Capabilities

Google Cloud Platform Integration

Attack Surface Management integration removed from Integrations page

The Attack Surface Management integration has been removed from the Cisco tab on the Integrations page due to the End-of-Life announcement of Cisco Attack Surface Management. For more information, see End-of-Sale and End-of-Life Announcement for the Cisco Attack Surface Management (formerly known as Secure Cloud Insights).

If you have an existing Attack Surface Management integration configured, you can continue to access the dashboard cards in Control Center.

Cisco and Third-Party Integrations and Supported Capabilities

Help updates

The following updates have been made to the Help:

The following integration topics have been added to the Cisco XDR help: Microsoft Graph Security API Integration, Microsoft Intune Integration, PagerDuty Integration, Rubrik Security Cloud Integration, ServiceNow Integration, Omnissa Workspace ONE UEM Integration, xMatters Integration, MISP Integration, Graylog Cloud Integration, Palo Alto Networks Firewalls with Strata Logging Service Integration, Palo Alto Networks Cortex XDR Integration, Radware Cloud DDoS Protection Service Integration, Radware Cloud WAF Service Integration, Red Sift Pulse Integration, and Trend Vision One Integration. The link to the topic has been added to the Cisco and Third-party Integrations and Supported Capabilities topic.
The Attack Surface Management Integration topic has been removed from the Cisco XDR help.
The MISP and Graylog Cloud integrations have been tested and certified by Cisco Quality Assurance labs and they have been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as supported third-party integrations in Cisco XDR.
Updated the Dashboard column from No to Yes for the Red Sift Pulse integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.
Updated the Cisco and Third-party Integrations and Supported Capabilities topic to include a note to follow the configuration steps for any of the integrations.