Release Notes for Cisco XDR 2.49

New default Operational Insights dashboard

The previous Overview dashboard on the Dashboards page has been renamed to Operational Insights with the following cards: Team Mean Time To Engage, Team Mean Time To Contain, Team Mean Time To Resolve, Marked as false positive, Incidents by priority, Unassigned Incidents, Incident Status By Assignment, MITRE ATT&CK^® Incidents, Top workflow runs, and Detection Sources.

New Private Intelligence cards added to Dashboards

The following new cards have been added to Private Intelligence in the Customize Dashboards dialog box: Team Mean Time To Contain, User Mean Time to Contain, Team Mean Time To Resolve, User Mean Time to Resolve, Marked as false positive, Team Mean Time To Engage, User Mean Time To Engage, and Incidents by priority.

Team Mean Time Summary and User Mean Time Summary cards removed from Dashboards

The following cards for Private Intelligence have been removed from the list of available cards in the Customize Dashboards dialog box: Team Mean Time Summary and User Mean Time Summary.

If the Team Mean Time Summary card or the User Mean Time Summary card is in an existing dashboard, a message is displayed informing you that the card is no longer available. Click Remove to remove the card from the dashboard.

Add note and Review note updates

The following updates have been made to the Add note area and Review note dialog box in incident details:

• The Preview tab is now a view in the text box area when you click the (Preview code) icon in the upper right corner.

• Click the new (Live code) icon in the upper right corner to open a pane in the text box to display the text in real-time as changes are made to the markdown code.

• Additional icons have been added to the toolbar for formatting the text in markdown, such as inserting a code block, adding a comment, and inserting a table.

Edit task update

The Edit task button has been renamed to Save task when you edit a task that is not assigned to a playbook in the Tasks tab on the Playbooks page.

Filter updates on Worklog page

The (Filters) icon on the Worklog page in incident detail is now a Filter drop-down list. The selections are now applied or removed automatically as you check or uncheck the filter check boxes. You no longer need to click Apply to apply the selected filters.

Filter updates on the Detection page

The Select All link has been removed from the Type, Source, and Severity drop-down lists on the Detection page in incident detail. The filter chips beneath the filter have also been removed.

Search and Hide Cisco managed tasks added to Tasks tab on Playbooks page

You can now search the list of tasks by name in the Tasks tab on the Playbooks page. Use the Search text box in the upper portion of the page to search for tasks by name.

The new Hide Cisco managed tasks check box has been added above the tasks list in the Tasks tab on the Playbooks page. Check the check box to hide tasks that are managed by Cisco in the tasks list and display custom tasks only.

Search and sort added to Tasks drawer on Playbooks page

You can now search and sort the list of tasks in the Tasks drawer when you add or edit a playbook.

• Use the Search text box in the upper portion of the drawer to search for tasks by name.

• Click the (Sort) icon in the Tasks column header to sort the tasks alphabetically.

Detection findings table updates on the Investigate page

The following updates have been made to the Detection findings tab on the Investigate page in incident detail:

• You can now drag column headers to reorder the columns.

• The new (Settings) icon has been added to the Detection findings table for customizing the columns.

• You can now add the new optional Source details column to the Detection findings table in the Table settings drawer. It displays the instance name provided by the user when configuring the integrated product that generated the security event.

Custom Security Event workflow

We’ve added a new Custom Security Event workflow intent which can be used to help you ingest security events from your custom sources into the Cisco XDR Data Warehouse. When creating this type of workflow, a pre-defined group of actions on the canvas of the Workflow Editor shows you the data handling required along with some settings already configured to expedite the build process.

We’ve added two new Cisco-managed atomic actions to help with the two security event types that are initially available: XDR – Analytics – Ingest Email Security Event and XDR – Analytics – Ingest Network Security Event.

Also, in HTTP targets you can indicate whether the target is enabled for custom security event ingestion and it will create the module instance automatically. And in Webhook rules, you can indicate whether the rule is enabled to trigger a Custom Security Event workflow to execute when conditions are met.

Cisco Vulnerability Management Inference integration

The Cisco Vulnerability Management Inference integration is now supported for the Devices page. The Inference integration is a free service provided by Cisco Vulnerability Management that is available to all Cisco XDR customers. A list of vulnerabilities will be displayed for devices, however they're inferred leveraging Cisco Orbital and may not be as accurate as the Vulnerability Management integration. This integration requires the Cisco Orbital integration module and does not support Automate capabilities.

Device FQDN

The FQDN is now available on the Device Details page. This data is usually provided by the Orbital or Secure Endpoint integrations.

Network Visibility Module - XDR tamper protection

Cisco Secure Client version 5.1.10 and later supports Network Visibility Module - XDR tamper protection on Windows arm64 deployments. Tamper protection allows an administrator to lockdown the Network Visibility Module - XDR service and resources on endpoints.

Regions added to Secure Malware Analytics integration

The following regions are now available in the URL drop-down when you configure the Secure Malware Analytics integration in the Integration Guide area on the Secure Malware Analytics integration page: APJC, Canada, and India.

Palo Alto Networks Firewalls with Strata Logging Service application renamed to Palo Alto Networks Firewalls via Cortex XDR

The Palo Alto Networks Firewalls with Strata Logging Service application within the Palo Alto Networks Cortex Cloud integration has been renamed to Palo Alto Networks Firewalls via Cortex XDR to specify that this application adds firewall data into investigations via Cortex XDR, not Strata Logging Service.

Edit incident description updates in ribbon

When you click (Edit markdown) icon in the Description panel in the incidents app, additional icons are now available in the toolbar for formatting text in markdown, such as inserting a code block, adding a comment, and inserting a table.

Assign Users popup in ribbon

The previous Assign Users dialog box is now a popup when you click the Unassigned button or any of the avatars in the upper right corner of the incident details panel in the incident app.