Release Notes for Cisco XDR 2.52

Getting Started

Feature	Description	Help Topic
Help updates	The following updates have been made to the Help: Updated the Getting Started and Getting Started with Incident response topics to include the new XDR Forensics feature.	Getting Started Getting Started with Incident Response

Feature

Description

Help Topic

Help updates

The following updates have been made to the Help:

Updated the Getting Started and Getting Started with Incident response topics to include the new XDR Forensics feature.

Getting Started

Getting Started with Incident Response

Incidents

Feature	Description	Help Topic
New Evidence page added to incident detail for XDR Forensics	You can now acquire and view forensic data from assets within an incident and connect to the assets using a remote shell for remediation purposes in the new Evidence tab in incident detail. The data varies based on the asset and the acquired data can be used for further analysis and investigation in the XDR Forensics UI. The Evidence tab is only available for customers with Cisco XDR Advantage or Cisco XDR Premier licensing tier. Prior to acquiring forensic evidence for an incident for the first time, you must have a Secure Client deployment with the XDR Forensics module enabled and installed on your endpoints. For more information, see Create Deployment. All the acquisition and remote shell statuses from XDR Forensics are now displayed in the Worklog tab.	Evidence Incident Detail Worklog XDR Forensics
Actuator value added to playbook tasks	The Actuator value for an Automation workflow is now displayed in the task drawer and the New Task drawer on the Playbooks page, if applicable.	Tasks Playbooks List
Help updates	The following updates have been made to the Help: Updated the description in the Detection topic to provide more information on security events. Updated the screenshots in the Overview, Detection, Response, Worklog, and Report topics to include the new Evidence tab.	Detection Overview Response Worklog Report

Feature

Description

Help Topic

New Evidence page added to incident detail for XDR Forensics

You can now acquire and view forensic data from assets within an incident and connect to the assets using a remote shell for remediation purposes in the new Evidence tab in incident detail. The data varies based on the asset and the acquired data can be used for further analysis and investigation in the XDR Forensics UI.

The Evidence tab is only available for customers with Cisco XDR Advantage or Cisco XDR Premier licensing tier.

Prior to acquiring forensic evidence for an incident for the first time, you must have a Secure Client deployment with the XDR Forensics module enabled and installed on your endpoints. For more information, see Create Deployment.

All the acquisition and remote shell statuses from XDR Forensics are now displayed in the Worklog tab.

Actuator value added to playbook tasks

The Actuator value for an Automation workflow is now displayed in the task drawer and the New Task drawer on the Playbooks page, if applicable.

Tasks

Playbooks List

Help updates

The following updates have been made to the Help:

Updated the description in the Detection topic to provide more information on security events.
Updated the screenshots in the Overview, Detection, Response, Worklog, and Report topics to include the new Evidence tab.

Investigate

Feature	Description	Help Topic
XDR Forensics	The XDR Forensics feature (Investigate > Forensics) is now available for Cisco XDR Advantage or Cisco XDR Premier licensing tier customers. XDR Forensics is an automated investigation and response platform that delivers deep forensic visibility and end-to-end investigation capabilities at speed. XDR Forensics combines the rapid remote acquisition of 698 evidence types with intelligent, efficiency-driven automation to drastically reduce investigation time, simplify workflows, and empower SOC and incident responders with accurate, collaborative insights, thereby boosting long-term cyber resilience.	XDR Forensics
Related incidents added to Detection Findings table and drawer	The new Related incidents column and field has been added to the detection findings table and drawer in the Detection Findings tab on the Investigate page. It displays all the current incidents that contain the security event.	Detection Findings
Help update	The following update has been made to the Help: Updated the description in the Detection Findings topic to include a link to the Detection topic in Incidents and more information on custom security events.	Detection Findings

Feature

Description

Help Topic

XDR Forensics

The XDR Forensics feature (Investigate > Forensics) is now available for Cisco XDR Advantage or Cisco XDR Premier licensing tier customers.

XDR Forensics is an automated investigation and response platform that delivers deep forensic visibility and end-to-end investigation capabilities at speed. XDR Forensics combines the rapid remote acquisition of 698 evidence types with intelligent, efficiency-driven automation to drastically reduce investigation time, simplify workflows, and empower SOC and incident responders with accurate, collaborative insights, thereby boosting long-term cyber resilience.

XDR Forensics

Related incidents added to Detection Findings table and drawer

The new Related incidents column and field has been added to the detection findings table and drawer in the Detection Findings tab on the Investigate page. It displays all the current incidents that contain the security event.

Detection Findings

Help update

The following update has been made to the Help:

Updated the description in the Detection Findings topic to include a link to the Detection topic in Incidents and more information on custom security events.

Detection Findings

Automate

Feature	Description	Help Topic
New tables for workflow variables in the properties panel	Within the Workflow Editor, the Workflow Properties panel is being improved. To make the Variables section more intuitive and efficient to use, the variables are now grouped and listed in separate tables: Input variables Output variables Local and static variables This updated format makes it easier to quickly identify and find the variables. The Scope column would be redundant in the input and output variables tables, so it’s been removed to free up space for other information. Now the variables are listed alphabetically within their tables. The order of the variables is retained when execution of the workflow is initiated and in the JSON when the workflow is exported. To delete a variable from its table, hover over the row of the variable and click the trash can icon.	Workflow Editor
Default targets	Added a new Custom Security Events APIs target.	Default Targets
Integration targets	Added a new Microsoft Sentinel integration target.	Targets Created From Integrations
Atomic actions	Added three new atomic actions: Microsoft Sentinel - Get Incident by ID Microsoft Sentinel - Get Table Schema Microsoft Sentinel - List Incidents Microsoft Sentinel - Run Query Microsoft Sentinel - Send JSON Event for Ingestion	Atomic Actions
Help update	Removed the "Proxy settings provided in this section will override suite admin proxy settings if they were set” note from Step 8 in the HTTP Endpoint Target topic.	HTTP Endpoint Target

Assets

Feature	Description	Help Topic
FQDN added to Devices table	The FQDN (fully qualified domain name) is now an available column in the Devices table. Click the (Settings) icon to open the Select columns drawer and check the FQDN check box to display the column in the table. This data is usually provided by the Orbital or Secure Endpoint integrations.	Devices
Used devices update	Devices included in the Used Devices column in the Users table, the Devices section of the User Details drawer, and the Devices card on the User Details page now open the Device Details drawer to provide a summary of the selected device’s information.	Users User Details
Help updates	The following updates have been made to the Help: Added the FQDN to the View Summary of Device Details in Drawer section of the Devices topic. Updated screenshots in the Devices, Users, and User Details topics to align with the UI.	Devices Users User Details

Feature

Description

Help Topic

FQDN added to Devices table

The FQDN (fully qualified domain name) is now an available column in the Devices table. Click the (Settings) icon to open the Select columns drawer and check the FQDN check box to display the column in the table. This data is usually provided by the Orbital or Secure Endpoint integrations.

Devices

Used devices update

Devices included in the Used Devices column in the Users table, the Devices section of the User Details drawer, and the Devices card on the User Details page now open the Device Details drawer to provide a summary of the selected device’s information.

Users

User Details

Help updates

The following updates have been made to the Help:

Added the FQDN to the View Summary of Device Details in Drawer section of the Devices topic.
Updated screenshots in the Devices, Users, and User Details topics to align with the UI.

Devices

Users

User Details

Client Management

Feature	Description	Help Topic
New XDR Forensics profile and module	The XDR Forensics profile is now included as a default profile for Cisco XDR, and the XDR Forensics module is now available for deployments. XDR Forensics enables you to acquire forensic data and launch a remote shell from assets within an incident.	XDR Forensics Create Deployment Profiles
Help updates	The following updates have been made to the Help: Added the XDR Forensics module to the Create Deployment and Deployment Management topics. Added the XDR Forensics profile to the Default Profiles section of the Profiles topic.	Create Deployment Deployment Management Profiles

Feature

Description

Help Topic

New XDR Forensics profile and module

The XDR Forensics profile is now included as a default profile for Cisco XDR, and the XDR Forensics module is now available for deployments. XDR Forensics enables you to acquire forensic data and launch a remote shell from assets within an incident.

XDR Forensics

Create Deployment

Profiles

Help updates

The following updates have been made to the Help:

Added the XDR Forensics module to the Create Deployment and Deployment Management topics.
Added the XDR Forensics profile to the Default Profiles section of the Profiles topic.

Create Deployment

Deployment Management

Profiles

Administration

Feature	Description	Help Topic
Help updates	The following updates have been made to the Help: Added the following tasks to the Roles topic: View incident Evidence, Acquire forensic evidence, Remote shell - read commands, and Remote shell - write and execute commands under Incidents and Launch XDR Forensics under Investigate.	Roles

Feature

Description

Help Topic

Help updates

The following updates have been made to the Help:

Added the following tasks to the Roles topic: View incident Evidence, Acquire forensic evidence, Remote shell - read commands, and Remote shell - write and execute commands under Incidents and Launch XDR Forensics under Investigate.

Roles

Integrations

Feature	Description	Help Topic
Microsoft Sentinel application added to Microsoft Cloud integration	The new Microsoft Sentinel application has been added to the Microsoft Cloud integration on the Integrations page. Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. When you add the Microsoft Sentinel integration into Cisco XDR, it enables Sentinel usage in Cisco XDR Automation for out-of-box and custom workflows, including the ability to export Cisco XDR incidents into Sentinel for seamless visibility spanning both products.	Cisco and Third-Party Integrations and Supported Capabilities Microsoft Sentinel Integration

Feature

Description

Help Topic

Microsoft Sentinel application added to Microsoft Cloud integration

The new Microsoft Sentinel application has been added to the Microsoft Cloud integration on the Integrations page. Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. When you add the Microsoft Sentinel integration into Cisco XDR, it enables Sentinel usage in Cisco XDR Automation for out-of-box and custom workflows, including the ability to export Cisco XDR incidents into Sentinel for seamless visibility spanning both products.

Cisco and Third-Party Integrations and Supported Capabilities

Microsoft Sentinel Integration

Release Notes for Cisco XDR 2.52

New Features and Updates

Previous Release Notes