Release Notes for Cisco XDR 2.18

Getting Started

No new customer-facing features or updates in this release.

Control Center

No new customer-facing features or updates in this release.

Incidents

Feature	Description	Help Topic
Playbook Short description renamed to Summary and is more accessible	The Short description in the Playbook Editor has been renamed to Summary and is now more accessible to allow you to view the full description by clicking the more link. You can then click the less link to collapse the description.	Playbook Editor
Help updates	The following updates have been made to the Help: Playbook Editor - updated screenshots to reflect more accessibility to Summary; Short description changed to Summary.	Playbook Editor

Feature

Description

Help Topic

Playbook Short description renamed to Summary and is more accessible

The Short description in the Playbook Editor has been renamed to Summary and is now more accessible to allow you to view the full description by clicking the more link. You can then click the less link to collapse the description.

Playbook Editor

Help updates

The following updates have been made to the Help:

Playbook Editor - updated screenshots to reflect more accessibility to Summary; Short description changed to Summary.

Playbook Editor

Investigate

No new customer-facing features or updates in this release.

Intelligence

No new customer-facing features or updates in this release.

Automate

Feature	Description	Help Topic
Publish to Exchange	You can now share the workflows in your tenant with other users of Exchange by submitting a request to publish to Exchange. When you create a new or edit an existing workflow and validate it, you have the option to submit it to Exchange. Once it is reviewed and approved, the workflow or update to an existing workflow is published and available to install and use by everyone through Exchange.	Publish to Exchange
Authorship types	The ability to search and filter workflows by authorship type has been added to the Exchange page.	Exchange
Duplicate a workflow	You can now easily duplicate a system workflow like any other workflow.	Duplicate a Workflow
Large String variable	Functionality for the Large String variable has been improved. The Execute Python Script activity can now support the use of the Large String variable.	Large String Variable
Help updates	The following help topics have been updated: Activity, Core, JSONPath Query - Added guideline about failing the workflow. Activity, Logic, Condition Block - Added guideline about concrete answers in branches to activity questions. Activity, Logic, For Each - Added guideline about naming the entity. Create a Workflow - Added a step about submitting a request to publish to Exchange. Workflow Intent - Added information to incident response about workflow result properties and elaborations to pivot menu and automation rule intents. Workflow Best Practices - New topic. Workflow Editor - Added a description of using the Share option to submit a workflow to Exchange. Publish to Exchange - New topic. Exchange - Added descriptions of the new Authorship Type pull-down list and new Submissions table for publishing to Exchange. Execute Python Script - Added guidelines and best practices. Targets Created From Integrations - Added a new target for PagerDuty and Secure Malware Analytics. Workflow Variables - Added information for workflow result properties.	JSONPath Query Condition Block For Each Create a Workflow Workflow Intent Workflow Best Practices Workflow Editor Publish to Exchange Exchange Execute Python Script Targets Created From Integrations Workflow Variables

Assets

No new customer-facing features or updates in this release.

Client Management

No new customer-facing features or updates in this release.

Administration

Feature	Description	Help Topic
New third-party integrations added to the Integrations page	The following new third-party integrations have been added to the Third-Party tab on the Integrations page: PagerDuty - The PagerDuty Operations Cloud is the platform for mission-critical, time-critical operations work in the modern enterprise. Through the power of AI and automation, it detects and diagnoses disruptive events, mobilizes the right team members to respond, and streamlines infrastructure and workflows across your digital operations. The Operations Cloud is essential infrastructure for revolutionizing digital operations to compete and win as a modern digital business. Enabling this integration in Cisco XDR will make the PagerDuty REST and Events APIs available as targets for Automation workflows. Workflows can be used to do things like send a page through PagerDuty when Cisco XDR incidents are generated. Red Sift Pulse - Red Sift Pulse provides IP, hostname, and domain-based threat intelligence to Cisco XDR users to aid swift identification and remediation of phishing and impersonation attacks. By leveraging Red Sift OnDMARC’s email security capabilities, Red Sift Pulse gives security teams complete visibility into and control over what’s happening across their email-sending infrastructure. For example, it constantly monitors and discovers new domains and subdomains, ingests spam trap emails, and detects unauthenticated emails and malicious IPs. This is a Cisco Verified integration and it enables enriched threat intelligence, augmented threat response, and scalable remediation efforts.	Cisco and Third-Party Integrations and Supported Capabilities Third-Party Integrations
Help updates	The following updates have been made to the Help: Updated the tooltip for the Secure Email Threat Defense integration in the Cisco and Third-Party Integrations and Supported Capabilities topic. Updated the Notifications topic with a new screenshot to align with the UI.	Cisco and Third-Party Integrations and Supported Capabilities Notifications

Feature

Description

Help Topic

New third-party integrations added to the Integrations page

The following new third-party integrations have been added to the Third-Party tab on the Integrations page:

PagerDuty - The PagerDuty Operations Cloud is the platform for mission-critical, time-critical operations work in the modern enterprise. Through the power of AI and automation, it detects and diagnoses disruptive events, mobilizes the right team members to respond, and streamlines infrastructure and workflows across your digital operations. The Operations Cloud is essential infrastructure for revolutionizing digital operations to compete and win as a modern digital business.

Enabling this integration in Cisco XDR will make the PagerDuty REST and Events APIs available as targets for Automation workflows. Workflows can be used to do things like send a page through PagerDuty when Cisco XDR incidents are generated.

Red Sift Pulse - Red Sift Pulse provides IP, hostname, and domain-based threat intelligence to Cisco XDR users to aid swift identification and remediation of phishing and impersonation attacks.

By leveraging Red Sift OnDMARC’s email security capabilities, Red Sift Pulse gives security teams complete visibility into and control over what’s happening across their email-sending infrastructure. For example, it constantly monitors and discovers new domains and subdomains, ingests spam trap emails, and detects unauthenticated emails and malicious IPs.

This is a Cisco Verified integration and it enables enriched threat intelligence, augmented threat response, and scalable remediation efforts.

Cisco and Third-Party Integrations and Supported Capabilities

Third-Party Integrations

Help updates

The following updates have been made to the Help:

Updated the tooltip for the Secure Email Threat Defense integration in the Cisco and Third-Party Integrations and Supported Capabilities topic.
Updated the Notifications topic with a new screenshot to align with the UI.

Cisco and Third-Party Integrations and Supported Capabilities

Notifications

Ribbon and Pivot Menu

Feature	Description	Help Topic
Copy Defang Value in Pivot menu	The new Copy defanged value menu option has been added to the Pivot menu. This appends a square bracket to the last period or colon in an IP address, URL, domain name, or email address when you copy an observable value from the Pivot menu. For example, the defanged value of 216.238.85.220 is 216.238.85[.]220. This ensures that the observable value is copied as an inactive link, preventing you from accidentally clicking a malicious link when you paste it for later use elsewhere.	Pivot Menu
Defang on Copy toggle setting in ribbon	The new Pivot Menu has been added to the left navigation pane on the Settings page in Cisco XDR ribbon. The Defang on Copy toggle in the Pivot Menu setting is off by default. Click the toggle to on to remove the Defang on Copy menu option from the Pivot menu and the existing Copy value menu option will update to copy the observable value as a defanged value.	Configure Ribbon Settings

Resources

Feature	Description	Help Topic
Help updates	The new PagerDuty and Red Sift integrations have been added to the Third-Party Integrations topic.	Third-Party Integrations

Release Notes for Cisco XDR 2.18

New Features and Updates

Previous Release Notes