Release Notes for Cisco XDR 2.38

Release Date: March 19, 2025

New Features and Updates

Getting Started

No new customer-facing features or updates in this release.

Control Center

Feature	Description	Help Topic
Additional Integrations area added to MITRE ATT&CK^® Coverage Map page	The Sentinel One check box has been added to the new Additional Integrations area on the MITRE ATT&CK^® Coverage Map page. You can now view the tactics and techniques for SentinelOne Singularity if it is integrated in Cisco XDR. The Additional Integrations area is only displayed if you have SentinelOne Singularity integrated in Cisco XDR.	MITRE ATT&CK® Coverage Map
Updates to tactic and technique drawers on MITRE ATT&CK^® Coverage Map page	The previous Additional Cisco coverage area in the tactic and technique drawers on the MITRE ATT&CK^® Coverage Map page has been renamed to Additional coverage.	MITRE ATT&CK® Coverage Map
Card options menu update on Dashboards page	The icons have been removed from the Options menu when you click the (Ellipsis) icon in the upper right corner of a card on the Dashboards page. The previous Information, Issues, and Remove Tile menus have also been renamed to View API information, View issues, and Remove.	Dashboard and Card Settings
Customize Dashboards button renamed to Customize on Dashboards page	The previous Customize Dashboards button in the upper right corner of the Dashboards page has been renamed to Customize.	Dashboards Configure Dashboards and Cards
Help update	The following update has been made to the Help: Added a note to the Secure Endpoint Configuration Insights Drawer section on the discrepancy between the total number of endpoints displayed in Cisco XDR and Secure Endpoint.	MITRE ATT&CK® Coverage Map

Incidents

No new customer-facing features or updates in this release.

Investigate

No new customer-facing features or updates in this release.

Intelligence

Feature	Description	Help Topic
Judgments tab updates	The following updates have been made to the Judgments tab on the Intelligence page: The Delete judgment button in the Judgment Details drawer has been renamed to Delete. The disposition icons have been added to the observables displayed in the Judgments tab and the Judgment Details drawer. The Type column has been removed from the judgments table.	Judgments

Feature

Description

Help Topic

Judgments tab updates

The following updates have been made to the Judgments tab on the Intelligence page:

The Delete judgment button in the Judgment Details drawer has been renamed to Delete.
The disposition icons have been added to the observables displayed in the Judgments tab and the Judgment Details drawer.
The Type column has been removed from the judgments table.

Judgments

Automate

Feature	Description	Help Topic
Trigger Automation rules that match conditions when an incident's status changes	Now when an incident's status changes, the system will automatically check your Automation rules (Type = Incident Rule), and trigger those that match the specified conditions to execute their assigned workflows (Workflow Intent = Incident Response). Now by default, a condition is added to all rules with the Incident Rule type, and the Status property is set to match all new incidents. You can edit the rule and adjust the condition or Status value as needed.	Incident Rule
Help update	The following update has been made to the Help: Added new default targets for the Microsoft Government Community Cloud (GCC) integrations to the Targets Created From Integrations topic.	Targets Created From Integrations

Feature

Description

Help Topic

Trigger Automation rules that match conditions when an incident's status changes

Now when an incident's status changes, the system will automatically check your Automation rules (Type = Incident Rule), and trigger those that match the specified conditions to execute their assigned workflows (Workflow Intent = Incident Response).

Now by default, a condition is added to all rules with the Incident Rule type, and the Status property is set to match all new incidents. You can edit the rule and adjust the condition or Status value as needed.

Incident Rule

Help update

The following update has been made to the Help:

Added new default targets for the Microsoft Government Community Cloud (GCC) integrations to the Targets Created From Integrations topic.

Targets Created From Integrations

Assets

Feature	Description	Help Topic
Device Details drawer updates	The following updates have been made to the Device Details drawer on the Devices page: The Sources panel has been added and displays which sources provided data for this device. The Users panel has been added and displays the users seen on this device. The Characteristics panel has been added and displays whether the device is compromised, encrypted, jail broken, or supervised. The Top Vulnerabilities panel has been renamed to Vulnerabilities.	Devices
Help updates	The following updates have been made to the Help: Updated the View Summary of Device Details in Drawer section in the Devices topic to include the new panels. Updated screenshots in the Devices topic to align with the UI.	Devices

Feature

Description

Help Topic

Device Details drawer updates

The following updates have been made to the Device Details drawer on the Devices page:

The Sources panel has been added and displays which sources provided data for this device.
The Users panel has been added and displays the users seen on this device.
The Characteristics panel has been added and displays whether the device is compromised, encrypted, jail broken, or supervised.
The Top Vulnerabilities panel has been renamed to Vulnerabilities.

Devices

Help updates

The following updates have been made to the Help:

Updated the View Summary of Device Details in Drawer section in the Devices topic to include the new panels.
Updated screenshots in the Devices topic to align with the UI.

Devices

Client Management

Feature	Description	Help Topic
Cloud Management updates	A new version of cm-client(1.0.4.447) has been released with a fix related to certificate store usage on Windows to address a compatibility issue with Umbrella Encryption.	—
Help updates	The following updates have been made to the Help: Added Network Visibility Module - XDR regional API endpoints to the Create Deployment topic.	Create Deployment

Feature

Description

Help Topic

Cloud Management updates

A new version of cm-client(1.0.4.447) has been released with a fix related to certificate store usage on Windows to address a compatibility issue with Umbrella Encryption.

—

Help updates

The following updates have been made to the Help:

Added Network Visibility Module - XDR regional API endpoints to the Create Deployment topic.

Create Deployment

Administration

Feature	Description	Help Topic
Notifications update	The Email toggle is now enabled by default for Automation Approval and Incident Assignment notification types when you configure the notification settings in the Settings tab on the Notifications page.	Notifications

Integrations

Feature	Description	Help Topic
New Microsoft Government Community Cloud (GCC) integration added to the Third-Party tab on the Integrations page in the North America region	The new Microsoft Government Community Cloud (GCC) integration is now available in the Third-Party tab on the Integrations page. This new integration is available in North America region only and it allows you to manage and maintain one set of Microsoft Government Community Cloud credentials across the following Microsoft product integrations between Cisco XDR and Microsoft products: Microsoft Defender for Endpoint GCC - Microsoft Defender for Endpoint GCC is an Endpoint Detection and Response (EDR) offering. Microsoft Defender for Endpoint security events can generate and contribute to correlated incidents in Cisco XDR. In Cisco XDR, we enable Defender for Endpoint users to leverage it for incident detection functions, threat hunting and investigation features, rapid response actions to understand and defend against threats on the endpoint, and providing important device inventory context to help triage detected threats. Integration with Microsoft Defender for Endpoint GCC allows you to incorporate Microsoft Defender for Endpoint GCC detections into XDR's overall incident detection and correlation capabilities. Use the Defender for Endpoint GCC integration to search for security detections involving specific hostnames, machine IDs, IPs, and file hashes. Defender for Endpoint GCC can be used through Cisco XDR to isolate hosts from the network and block many types of observables, including file hashes, network resources (such as IP addresses, domains, and URLs), and certificates. This integration can be used to provide host information, including vulnerability information for use in triaging incidents and detections. It creates a target automatically in Automation for out-of-box workflows and it provides important device inventory context to help triage detected threats. Microsoft Defender for Office 365 GCC - Microsoft Defender for Office 365 GCC is a cloud-based email filtering service that helps protect your organization against advanced threats delivered via email and collaboration tools, like phishing, business email compromise, and malware attacks. Integration with Microsoft Defender for Office GCC allows you to incorporate Microsoft Defender for Office 365 GCC detections into XDR's overall incident detection and correlation capabilities.	Cisco and Third-Party Integrations and Supported Capabilities
Help updates	The following updates have been made to the Help: The Google Safe Browsing integration has been tested and certified by Cisco Quality Assurance labs and it has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as a supported third-party integration in Cisco XDR. Added the Crowdstrike Falcon Integration and API Void Integration topics to the Cisco XDR help. The links to the topics have been added to the table in the Cisco and Third-Party Integrations and Supported Capabilities topic.	Cisco and Third-Party Integrations and Supported Capabilities Google Safe Browsing Integration Crowdstrike Falcon Integration API Void Integration

Feature

Description

Help Topic

New Microsoft Government Community Cloud (GCC) integration added to the Third-Party tab on the Integrations page in the North America region

The new Microsoft Government Community Cloud (GCC) integration is now available in the Third-Party tab on the Integrations page. This new integration is available in North America region only and it allows you to manage and maintain one set of Microsoft Government Community Cloud credentials across the following Microsoft product integrations between Cisco XDR and Microsoft products:

Microsoft Defender for Endpoint GCC - Microsoft Defender for Endpoint GCC is an Endpoint Detection and Response (EDR) offering. Microsoft Defender for Endpoint security events can generate and contribute to correlated incidents in Cisco XDR. In Cisco XDR, we enable Defender for Endpoint users to leverage it for incident detection functions, threat hunting and investigation features, rapid response actions to understand and defend against threats on the endpoint, and providing important device inventory context to help triage detected threats.

Integration with Microsoft Defender for Endpoint GCC allows you to incorporate Microsoft Defender for Endpoint GCC detections into XDR's overall incident detection and correlation capabilities. Use the Defender for Endpoint GCC integration to search for security detections involving specific hostnames, machine IDs, IPs, and file hashes. Defender for Endpoint GCC can be used through Cisco XDR to isolate hosts from the network and block many types of observables, including file hashes, network resources (such as IP addresses, domains, and URLs), and certificates. This integration can be used to provide host information, including vulnerability information for use in triaging incidents and detections. It creates a target automatically in Automation for out-of-box workflows and it provides important device inventory context to help triage detected threats.
Microsoft Defender for Office 365 GCC - Microsoft Defender for Office 365 GCC is a cloud-based email filtering service that helps protect your organization against advanced threats delivered via email and collaboration tools, like phishing, business email compromise, and malware attacks. Integration with Microsoft Defender for Office GCC allows you to incorporate Microsoft Defender for Office 365 GCC detections into XDR's overall incident detection and correlation capabilities.

Cisco and Third-Party Integrations and Supported Capabilities

Help updates

The following updates have been made to the Help:

The Google Safe Browsing integration has been tested and certified by Cisco Quality Assurance labs and it has been added to the Cisco and Third-Party Integrations and Supported Capabilities topic as a supported third-party integration in Cisco XDR.
Added the Crowdstrike Falcon Integration and API Void Integration topics to the Cisco XDR help. The links to the topics have been added to the table in the Cisco and Third-Party Integrations and Supported Capabilities topic.

Cisco and Third-Party Integrations and Supported Capabilities

Google Safe Browsing Integration

Crowdstrike Falcon Integration

API Void Integration

Ribbon and Pivot Menu

No new customer-facing features or updates in this release.

Resources

No new customer-facing features or updates in this release.

Previous Release Notes

To view the Release Notes for previous releases, see Previous Release Notes for Cisco XDR.