Release Notes for Cisco XDR 2.43

Getting Started

No new customer-facing features or updates in this release.

Navigate Cisco XDR

Feature	Description	Help Topic
System Status area removed from User Profile	The System Status area has been removed from the User Profile drop-down list in the upper right corner of the Cisco XDR header.	Navigate Cisco XDR

Control Center

Feature	Description	Help Topic
Dashboard card enhancements	The following UI enhancements have been made to the cards on the Dashboards page: The (Grabber) icon is now displayed when you hover over the upper left corner of the card. The (Refresh) icon is now a menu option when you click the (Ellipsis) icon in the upper right corner of the card. The (Expand) icon is now a menu option when you click the (Ellipsis) icon in the upper right corner of the card.	Dashboard and Card Settings Default Cards
Secure Client integration cards renamed in Customize Dashboards	The following cards for the Secure Client integration have been renamed in the Customize Dashboards dialog box: The previous Computer Summary card has been renamed to Cloud Management Failures Summary. The previous Unified Connector Stats card has been renamed to Cloud Management Statistics.	Default Cards
Help updates	The following updates have been made to the Help: Added the ATT&CK version number and version history link to the MITRE ATT&CK^® Coverage Map topic. Added links to the integration topics in the list of product integrations.	MITRE ATT&CK® Coverage Map

Feature

Description

Help Topic

Dashboard card enhancements

The following UI enhancements have been made to the cards on the Dashboards page:

The (Grabber) icon is now displayed when you hover over the upper left corner of the card.
The (Refresh) icon is now a menu option when you click the (Ellipsis) icon in the upper right corner of the card.
The (Expand) icon is now a menu option when you click the (Ellipsis) icon in the upper right corner of the card.

Dashboard and Card Settings

Default Cards

Secure Client integration cards renamed in Customize Dashboards

The following cards for the Secure Client integration have been renamed in the Customize Dashboards dialog box:

The previous Computer Summary card has been renamed to Cloud Management Failures Summary.
The previous Unified Connector Stats card has been renamed to Cloud Management Statistics.

Default Cards

Help updates

The following updates have been made to the Help:

Added the ATT&CK version number and version history link to the MITRE ATT&CK^® Coverage Map topic.
Added links to the integration topics in the list of product integrations.

MITRE ATT&CK® Coverage Map

Incidents

Feature	Description	Help Topic
Download events in JSON format on Detections page	You can now download the events in the detections table in JSON format. Click the new Download JSON button on the Detection page in incident details.	Detection

Investigate

Feature	Description	Help Topic
Detection findings tab added to the Investigate page	You can now view all the security events generated by integrated products and the Cisco XDR native telemetry sent from the Network, Cloud, Identity, and Endpoint sources in the new Detection Findings tab on the Investigate page. The security events allow you to validate the data that is ingested by Cisco XDR for incident correlation. When you click a security event in the list, the Detection Findings drawer opens where you can quickly view the Detection Findings and related Activities from the security event. The security event details are displayed using the Industry Standard Open Cybersecurity Schema Framework (OCSF), version 1.4.	Investigate Detection Findings

Feature

Description

Help Topic

Detection findings tab added to the Investigate page

You can now view all the security events generated by integrated products and the Cisco XDR native telemetry sent from the Network, Cloud, Identity, and Endpoint sources in the new Detection Findings tab on the Investigate page. The security events allow you to validate the data that is ingested by Cisco XDR for incident correlation.

When you click a security event in the list, the Detection Findings drawer opens where you can quickly view the Detection Findings and related Activities from the security event. The security event details are displayed using the Industry Standard Open Cybersecurity Schema Framework (OCSF), version 1.4.

Investigate

Detection Findings

Intelligence

No new customer-facing features or updates in this release.

Automate

Feature	Description	Help Topic
Help updates	The following updates have been made to the Help: Added new targets for the Cisco Identity Intelligence and Splunk Enterprise integrations to the Targets Created From Integrations topic. Added a new OVA file to Configure and Deploy the Virtual Appliance in the Remote Setup and Deployment topic. Renamed Incident Rule to Incident Response Rule in pertinent topics.	Targets Created From Integrations Remote Setup and Deployment Automation Rules Incident Response Rule Workflow Intent

Feature

Description

Help Topic

Help updates

The following updates have been made to the Help:

Added new targets for the Cisco Identity Intelligence and Splunk Enterprise integrations to the Targets Created From Integrations topic.
Added a new OVA file to Configure and Deploy the Virtual Appliance in the Remote Setup and Deployment topic.
Renamed Incident Rule to Incident Response Rule in pertinent topics.

Targets Created From Integrations

Remote Setup and Deployment

Automation Rules

Incident Response Rule

Workflow Intent

Assets

Feature	Description	Help Topic
Identity Intelligence	The Cisco Identity Intelligence integration is now supported for user data integration. Cisco Duo, Microsoft Entra ID, and more are configured in Identity Intelligence. The Users page now displays users identified by Identity Intelligence, which provides more data about the users in your organization, including users with failed checks, and users not using multi-factor authentication (MFA).	Users User Details Sources
Help updates	The following updates have been made to the Help: Updated the Users and User Details topics for the Cisco Identity Intelligence integration support. Added Cisco Identity Intelligence to the Sources topic.	Users User Details Sources

Feature

Description

Help Topic

Identity Intelligence

The Cisco Identity Intelligence integration is now supported for user data integration. Cisco Duo, Microsoft Entra ID, and more are configured in Identity Intelligence. The Users page now displays users identified by Identity Intelligence, which provides more data about the users in your organization, including users with failed checks, and users not using multi-factor authentication (MFA).

Users

User Details

Sources

Help updates

The following updates have been made to the Help:

Updated the Users and User Details topics for the Cisco Identity Intelligence integration support.
Added Cisco Identity Intelligence to the Sources topic.

Users

User Details

Sources

Client Management

Feature	Description	Help Topic
Orbital module	The Orbital module is available for Windows amd64 deployments. Orbital provides endpoint visibility and control. It allows you to run queries and scripts to investigate and respond to threats.	Create Deployment
Secure Access Root Certificate module	The Cisco Secure Access Root Certificate module is available for Windows deployments. This module installs the Cisco Secure Access Root Certificate into the host computer's certificate store. A Certificate Authority (CA) signed root certificate is required where Cisco Secure Access must proxy and decrypt HTTPS traffic that requests a web resource.	Create Deployment
Help updates	The following updates have been made to the Help: Updated the Create Deployment and Deployment Management topics for Orbital and Secure Access Root Certificate support. Updated the screenshots in the Create Deployment, Deployment Management, and Deployments topics to align with the UI.	Create Deployment Deployment Management Deployments

Feature

Description

Help Topic

Orbital module

The Orbital module is available for Windows amd64 deployments. Orbital provides endpoint visibility and control. It allows you to run queries and scripts to investigate and respond to threats.

Create Deployment

Secure Access Root Certificate module

The Cisco Secure Access Root Certificate module is available for Windows deployments. This module installs the Cisco Secure Access Root Certificate into the host computer's certificate store. A Certificate Authority (CA) signed root certificate is required where Cisco Secure Access must proxy and decrypt HTTPS traffic that requests a web resource.

Create Deployment

Help updates

The following updates have been made to the Help:

Updated the Create Deployment and Deployment Management topics for Orbital and Secure Access Root Certificate support.
Updated the screenshots in the Create Deployment, Deployment Management, and Deployments topics to align with the UI.

Create Deployment

Deployment Management

Deployments

Administration

No new customer-facing features or updates in this release.

Integrations

Feature	Description	Help Topic
Splunk Enterprise integration added to the Integrations page	The new Splunk Enterprise integration has been added to the Cisco tab on the Integrations page. Splunk Enterprise is a powerful data analytics platform that allows you to collect, index, and analyze data from any source across your IT environment. It is typically deployed on-premises or in private cloud infrastructure, giving full control over data, security, and system management. The Splunk Enterprise integration creates a target in Cisco XDR Automation for automated workflows, exports incident and other data to Splunk Enterprise using Automation workflow, and enables querying of security detections across Network Traffic, Malware, Data Loss Prevention, and Intrusion Detection CIM-compliant data for observables such as IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes.	Cisco and Third-Party Integrations and Supported Capabilities Splunk Enterprise Integration
Cisco Identity Intelligence integration added to the Cisco tab on the Integrations page	The new Cisco Identity Intelligence integration is now available in the Cisco tab on the Integrations page. Cisco Identity Intelligence allows you to gain full visibility over all your identities. This is accomplished by bringing in a vast amount of data on identities from a range of sources including traditional identity sources like Entra ID (formerly Azure AD), Duo, and Okta, non-traditional sources like Github, Google, or Salesforce, and HR systems, such as Workday.	Cisco and Third-Party Integrations and Supported Capabilities Cisco Identity Intelligence Integration
Help updates	The following updates have been made to the Help: Updated the Asset Insights and Context column from Yes to No for the Microsoft Entra ID integration in the Cisco and Third-Party Integrations and Supported Capabilities topic. The following integration topic has been added to the Cisco XDR help: Microsoft Entra ID Integration, Pulsedive Integration, Slack Integration, Threatscore Integration, urlscan.io Integration, and VirusTotal Integration. The link to the topic has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic.	Cisco and Third-Party Integrations and Supported Capabilities Microsoft Entra ID Integration Pulsedive Integration Slack Integration Threatscore Integration urlscan.io Integration VirusTotal Integration

Feature

Description

Help Topic

Splunk Enterprise integration added to the Integrations page

The new Splunk Enterprise integration has been added to the Cisco tab on the Integrations page. Splunk Enterprise is a powerful data analytics platform that allows you to collect, index, and analyze data from any source across your IT environment. It is typically deployed on-premises or in private cloud infrastructure, giving full control over data, security, and system management.

The Splunk Enterprise integration creates a target in Cisco XDR Automation for automated workflows, exports incident and other data to Splunk Enterprise using Automation workflow, and enables querying of security detections across Network Traffic, Malware, Data Loss Prevention, and Intrusion Detection CIM-compliant data for observables such as IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes.

Cisco and Third-Party Integrations and Supported Capabilities

Splunk Enterprise Integration

Cisco Identity Intelligence integration added to the Cisco tab on the Integrations page

The new Cisco Identity Intelligence integration is now available in the Cisco tab on the Integrations page. Cisco Identity Intelligence allows you to gain full visibility over all your identities. This is accomplished by bringing in a vast amount of data on identities from a range of sources including traditional identity sources like Entra ID (formerly Azure AD), Duo, and Okta, non-traditional sources like Github, Google, or Salesforce, and HR systems, such as Workday.

Cisco and Third-Party Integrations and Supported Capabilities

Cisco Identity Intelligence Integration

Help updates

The following updates have been made to the Help:

Updated the Asset Insights and Context column from Yes to No for the Microsoft Entra ID integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.
The following integration topic has been added to the Cisco XDR help: Microsoft Entra ID Integration, Pulsedive Integration, Slack Integration, Threatscore Integration, urlscan.io Integration, and VirusTotal Integration. The link to the topic has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Microsoft Entra ID Integration

Pulsedive Integration

Slack Integration

Threatscore Integration

urlscan.io Integration

VirusTotal Integration

Ribbon and Pivot Menu

No new customer-facing features or updates in this release.

Resources

No new customer-facing features or updates in this release.

Release Notes for Cisco XDR 2.43

New Features and Updates

Previous Release Notes