Release Notes for Cisco XDR 2.61

Control Center

Feature	Description	Help Topic
Help icons added to drawers	The (Help) icon has been added to the following drawers on the MITRE ATT&CK^® Coverage Map page: tactic, technique, and adversary filters. Click the (Help) icon in the lower left corner of the drawer to open the help topic for more information on the specific drawer.	MITRE ATT&CK® Coverage Map

Incidents

Feature	Description	Help Topic
New incident detail view with AI analysis	You can now click Launch New Incident View in the upper right corner of the incident detail to display the new AI-powered incident detail view. This view presents an overview of the AI analysis and evaluation of the incident, indicating whether it is likely a true or false positive threat. The AI assesses incidents in a manner similar to a human analyst, systematically forming and validating hypotheses. It analyzes individual detections, observables, indicators, and their combination, to identify a threat narrative consistent with the incident data. The final classification, along with reasoning, supporting evidence, and recommended response steps, is displayed in the incident detail view. Note: The new incident detail view is currently in Beta and subject to change.	Incident Detail with AI Analysis Incident Detail
Help update	Updated the Add AI-Generated Note section in the Response topic to clarify the AI-generated note feature.	Response

Feature

Description

Help Topic

New incident detail view with AI analysis

You can now click Launch New Incident View in the upper right corner of the incident detail to display the new AI-powered incident detail view.

This view presents an overview of the AI analysis and evaluation of the incident, indicating whether it is likely a true or false positive threat. The AI assesses incidents in a manner similar to a human analyst, systematically forming and validating hypotheses. It analyzes individual detections, observables, indicators, and their combination, to identify a threat narrative consistent with the incident data. The final classification, along with reasoning, supporting evidence, and recommended response steps, is displayed in the incident detail view.

Note: The new incident detail view is currently in Beta and subject to change.

Incident Detail with AI Analysis

Incident Detail

Help update

Updated the Add AI-Generated Note section in the Response topic to clarify the AI-generated note feature.

Response

Investigate

Feature	Description	Help Topic
Detection findings tab updates	The following updates have been made to the Detection Findings tab on the Investigate page: Related incidents filter - The previous Detection findings with related incidents check box is now a Related incidents drop-down list. Choose With related incidents to only display security events that have related incidents in the list or Without related incidents to only display security events that do not have any related incidents in the list. Sort security events - You can now click the (Sort) icon in the Name, Date created, Last verified, Source, or Severity column header in the Detection Findings table to sort the security events alphabetically, or by ascending or descending order.	Detection Findings

Feature

Description

Help Topic

Detection findings tab updates

The following updates have been made to the Detection Findings tab on the Investigate page:

Related incidents filter - The previous Detection findings with related incidents check box is now a Related incidents drop-down list. Choose With related incidents to only display security events that have related incidents in the list or Without related incidents to only display security events that do not have any related incidents in the list.
Sort security events - You can now click the (Sort) icon in the Name, Date created, Last verified, Source, or Severity column header in the Detection Findings table to sort the security events alphabetically, or by ascending or descending order.

Detection Findings

Automate

Feature	Description	Help Topic
Activities	Added toggle to fill empty fields with default values in the Parse JSON activity.	Parse JSON
Help updates	Added new OVA information to the Configure and Deploy the Virtual Appliance section in the Remote Setup and Deployment topic.	Remote Setup and Deployment

Client Management

Feature	Description	Help Topic
Endpoint Visibility Module	The Endpoint Visibility Module is available for Windows amd64 and macOS deployments. The Endpoint Visibility Module is a critical component for organizations striving for seamless endpoint visibility and advanced threat detection within Cisco XDR. Its comprehensive endpoint telemetry complements Cisco and third-party EDR deployments, adding essential context to threat detections.	Deployments Create Deployment
Endpoint Data Loss Prevention	The Endpoint Data Loss Prevention module is now available for Windows amd64 deployments. Cisco Endpoint Data Loss Prevention (Endpoint DLP) enables you to protect sensitive data on endpoints by controlling what data is transferred to external devices. It extends your organization’s data protection policies to the endpoint. You can also upload a new Endpoint Data Loss Prevention profile to the Profiles page and select a Endpoint Data Loss Prevention profile when creating new deployments.	Deployments Create Deployment Profiles
Help updates	The following updates have been made to the Help: Updated the Edit Columns section of the Audit Logs and Device Events topics. Added Performance Metrics to the Network Visibility Module - XDR section of the Profile Configuration topic. Added Endpoint Visibility Module and the Endpoint Data Loss Prevention module to the Create Deployment topic.	Audit Logs Device Events Profile Configuration Create Deployment

Feature

Description

Help Topic

Endpoint Visibility Module

The Endpoint Visibility Module is available for Windows amd64 and macOS deployments. The Endpoint Visibility Module is a critical component for organizations striving for seamless endpoint visibility and advanced threat detection within Cisco XDR. Its comprehensive endpoint telemetry complements Cisco and third-party EDR deployments, adding essential context to threat detections.

Deployments

Create Deployment

Endpoint Data Loss Prevention

The Endpoint Data Loss Prevention module is now available for Windows amd64 deployments. Cisco Endpoint Data Loss Prevention (Endpoint DLP) enables you to protect sensitive data on endpoints by controlling what data is transferred to external devices. It extends your organization’s data protection policies to the endpoint.

You can also upload a new Endpoint Data Loss Prevention profile to the Profiles page and select a Endpoint Data Loss Prevention profile when creating new deployments.

Deployments

Create Deployment

Profiles

Help updates

The following updates have been made to the Help:

Updated the Edit Columns section of the Audit Logs and Device Events topics.
Added Performance Metrics to the Network Visibility Module - XDR section of the Profile Configuration topic.
Added Endpoint Visibility Module and the Endpoint Data Loss Prevention module to the Create Deployment topic.

Audit Logs

Device Events

Profile Configuration

Create Deployment

Administration

Feature	Description	Help Topic
Detection sources filter added to Integrations page	You can now check the new Detection sources check box on the Integrations page to quickly filter the page to only display the source products that continuously provide detections to Cisco XDR. These detections are analyzed by the detection engine and may be correlated into incidents. The new Detection sources check box has also been added to the Capabilities drop-down list on the Integrations page.	Integrations Cisco and Third-Party Integrations and Supported Capabilities

Feature

Description

Help Topic

Detection sources filter added to Integrations page

You can now check the new Detection sources check box on the Integrations page to quickly filter the page to only display the source products that continuously provide detections to Cisco XDR. These detections are analyzed by the detection engine and may be correlated into incidents.

The new Detection sources check box has also been added to the Capabilities drop-down list on the Integrations page.

Integrations

Cisco and Third-Party Integrations and Supported Capabilities

Integrations

Feature	Description	Help Topic
Help update	Updated the previous Detection Analytics and Correlation column by splitting it into the following two columns in the Cisco and Third-Party Integrations and Supported Capabilities topic: Detections and Telemetry.	Cisco and Third-Party Integrations and Supported Capabilities

Resources

Feature	Description	Help Topic
Help update	Added the Endpoint Visibility Module in Cisco XDR topic to provide more information on the capabilities and supported operating systems for the Endpoint Visibility Module.	Endpoint Visibility Module in Cisco XDR

XDR Forensics

Feature	Description	Help Topic
Advanced Time Display and Copy Options	The DateTime component within XDR Forensics now includes a contextual popover to view and copy timestamps in multiple formats including UTC, ISO, local, and relative time. This enhancement streamlines correlation activities across multiple evidence sources and logs during complex investigations.	XDR Forensics
Improved Kerberos Event Collection for KDC Event ID 42	Added support for critical Kerberos Key Distribution Center events (Event ID 42) within default Windows event collection profiles. This expands detection visibility for authentication downgrade and anomaly scenarios often relevant in enterprise breaches.	XDR Forensics

Release Notes for Cisco XDR 2.61

New Features and Updates

Previous Release Notes