
Release 25.3.1

Platform Updates

Microsoft Defender for Endpoints and SentinelOne Integration (Visibility)

What to expect: Xshield now integrates with both Microsoft Defender for Endpoints and SentinelOne, providing enriched visibility and classification of assets directly within the Xshield platform. These integrations ingest endpoint telemetry—including device classification, threats, and communication flows—from Defender and SentinelOne-managed assets, enabling security teams to visualize endpoint behavior and traffic patterns without the need for additional agents.

Operators can:

  • Leverage the existing EDR solution to classify assets and gather telemetry, making it easier to manage and correlate endpoint network information
  • Eliminate the need to deploy an additional agent, which speeds up asset onboarding
  • Classify assets to enhance visibility of network events, asset status, and security posture, such as port vulnerabilities and CVE information
  • Generate reports that help track security gaps and the scope for improvement, and showcase security compliance
  • Perform informed segmentation based on endpoint context

Why this matters: These integrations bridge the gap between endpoint and network security by leveraging telemetry from widely deployed endpoint protection platforms—without requiring new agents or overhead. By using the existing Microsoft Defender and SentinelOne deployments, Xshield enables faster deployment, more accurate policy decisions, and enhanced threat visibility. This low-friction approach empowers security teams to reduce risk, monitor compliance, and enforce Zero Trust policies more effectively.

⚠️ Note: Enforcement support for both Microsoft Defender and SentinelOne integrations will be available in future releases.

Introducing Gen AI Navigator in ColorTokens Xshield

What to expect:

  • AI-Powered Threat Mapping and Real-Time Policy Recommendations: Navigator ingests continuous threat intel from CISA advisories, MITRE, vendor alerts and CVE feeds to automatically correlate policies and, when requested by operators, suggest segmentation policies tailored to your environment and asset flows. The only platform marrying threat intel and segmentation.

  • Streamlined Onboarding and Ramp-Up: Xshield operators are guided by real-time, in-app conversational guidance in plain English and interactive “show-me-how” walkthroughs, which cut onboarding time from 3–5 days to minutes.

  • Embedded Conversational Chat: A product-aware AI chat assistant eliminates the need to hunt for information in PDFs, documents or webinars, offering instant and accurate answers based on the current product state.

Why it matters

  • Aligns Security to Real-World Threats: Segmentation is no longer just "good hygiene"; it is now tightly mapped to live attack vectors, helping teams respond faster and with more precision.

  • Drives Operational Efficiency and Risk Reduction: Operators can make faster, more informed decisions and significantly improve overall security posture. The median time required to complete tasks is reduced, first-attempt task success rates increase, and operators need to contact support less often because they can self-serve with AI help.

⚠️ Note: Currently, the Gen AI Navigator is available only for SaaS-based Xshield platforms. Support for on-premises deployments will follow in a future release.

Threat Intelligence - Dynamic blocking of malicious IPs (Linux Only)

What to expect: Xshield Platform now supports dynamic blocking of malicious IPs. The feature can be enabled or disabled per asset. The malicious IP list is updated using threat intelligence from a third-party provider. When enabled, the agent automatically receives the IP list, blocks communication to and from the malicious IPs, and reports the blocked connections in the Xshield platform, indicating whether each was blocked because of a malicious IP or because of a block template. This provides real-time protection with minimal system overhead. Currently this is only supported on Linux agents.

Why this matters: Previously, blocking malicious IPs required manual configuration of firewall rules, which was time-consuming and error-prone. This feature provides a more efficient and automated way to block malicious IPs, reducing the need for manual intervention and improving security posture.
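To make the reporting behaviour concrete, here is an added example (not ColorTokens or Xshield code) of how an agent-side check can consult a threat-intel IP list for both endpoints of a flow, fall back to block-template rules, and record which of the two caused the block; the feed entries, template shape and function names are assumptions for illustration.

```python
# Added example (not ColorTokens/Xshield code): decide whether a flow is blocked
# by a threat-intel IP list or by a block template, checking both directions of
# the traffic and recording which rule fired so the report can state the reason.
import ipaddress

def load_feed(entries):
    # A feed may mix single IPs and CIDR ranges; normalise everything to networks
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def in_feed(ip, feed):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in feed)

def evaluate(flow, feed, templates, malicious_ip_enabled=True):
    """flow: {'src','dst','proto','dport'}; templates: [{'name','proto','dst_ports'}].
    Returns (verdict, reason). The feed is consulted only when the per-asset
    malicious-IP feature is enabled, and both endpoints are checked."""
    if malicious_ip_enabled:
        for side in ("src", "dst"):              # traffic from AND to a malicious IP
            if in_feed(flow[side], feed):
                return "BLOCK", f"malicious-ip:{flow[side]}"
    for t in templates:
        if flow["proto"] == t["proto"] and flow["dport"] in t["dst_ports"]:
            return "BLOCK", f"template:{t['name']}"
    return "ALLOW", "no-match"

# Constructed sample data (documentation address ranges, not real indicators)
FEED = load_feed(["203.0.113.7", "198.51.100.0/24"])
TEMPLATES = [{"name": "deny-legacy-admin", "proto": "tcp", "dst_ports": {23, 513}}]

def demo():
    """Return the verdicts for four sample flows plus one with the feature off."""
    flows = {
        "outbound-to-listed-ip": {"src": "10.0.0.8", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
        "inbound-from-listed-range": {"src": "198.51.100.20", "dst": "10.0.0.8", "proto": "tcp", "dport": 22},
        "telnet-from-clean-ip": {"src": "192.0.2.5", "dst": "10.0.0.8", "proto": "tcp", "dport": 23},
        "https-from-clean-ip": {"src": "192.0.2.5", "dst": "10.0.0.8", "proto": "tcp", "dport": 443},
    }
    results = {name: evaluate(f, FEED, TEMPLATES) for name, f in flows.items()}
    results["feature-disabled"] = evaluate(flows["outbound-to-listed-ip"], FEED, TEMPLATES, malicious_ip_enabled=False)
    return results
```

The "feature-disabled" case shows why the per-asset toggle matters: with the feed switched off, the same outbound flow to a listed IP is allowed because no block template covers port 443.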

RBAC - Audit Role

What to expect: A new Audit role has been introduced in Xshield’s Role-Based Access Control (RBAC) framework. This role allows users to view system logs, asset activity, security events, and policy configurations—without permission to make any changes. Audit users gain access specifically to Monitor > Logs, ensuring visibility into operational and security events.

Why this matters: Previously, users who needed audit-level visibility had to be assigned broader operator roles, inadvertently giving them permissions to modify critical policies or configurations. This introduced unnecessary risk and violated the principle of least privilege. With the new Audit role:

  • Organizations can enforce separation of duties, a key compliance and security best practice.
  • Security analysts, auditors, or compliance personnel can perform investigations or reviews without risk of accidental or unauthorized changes.
  • Access controls are tightened, reducing the potential for insider threats and configuration drift.

This update enhances security posture, governance, and accountability across the platform—without compromising on operational transparency.

Improvements to Breach Response and Quarantine

What to expect: Operators can move assets from one Breach Response Level to another without taking the asset out of Quarantine mode.

Why this matters: Previously, operators had to take assets out of Quarantine mode to change their Breach Response Level, which could pose a security risk. With this update, operators can now change the Breach Response Level of assets while they remain in Quarantine mode, providing a more secure and controlled environment.

Test mode violations reported in events

What to expect: Test mode violations are now reported as events, and operators can set up alert rules for these events.

Why this matters: Reporting test mode violations as events allows real-time alerting and better visibility into misuse or misconfigurations. This helps operators respond quickly, maintain compliance, and automate incident handling.


Appliance Updates

Ordr OT Integration

What to expect: Xshield now offers seamless integration with Ordr, empowering operators with deep visibility and control over Operational Technology (OT) and IoT environments. Through this integration, Xshield ingests rich device intelligence from Ordr—including asset classification, threat intelligence, and vulnerability data—enabling users to:

  • Automatically discover and classify OT and IoT assets
  • Use Ordr’s insights to drive precise segmentation and Zero Trust policy decisions
  • Enhance threat detection and response across hybrid IT/OT infrastructures

Why this matters: Traditional IT security tools often lack context and visibility into OT environments, creating blind spots that attackers can exploit. This integration addresses that gap by:

  • Providing a complete view of all connected devices, including unmanaged or legacy OT systems
  • Helping security teams identify vulnerabilities early and prioritize them based on real-world risk
  • Supporting compliance efforts by offering actionable insights into asset behavior and policy alignment
  • Enabling proactive segmentation to minimize lateral movement and reduce breach impact in critical environments

With Ordr + Xshield, organizations can now secure their OT assets with the same confidence as IT, strengthening overall cyber resilience and operational uptime.


Agent Updates

Docker Detection & Co-Existence Alerts

What to expect: The Xshield Agent now automatically detects Docker environments running on assets. Upon detection, it generates a log entry under Monitor > Logs, alerting users to Docker's presence and the need to enable co-existence mode.

This early warning ensures users are notified before micro-segmentation policies are enforced—helping avoid unintentional overwriting of Docker-managed firewall rules.

⚠️ Note: The agent does not auto-enable co-existence, but provides clear visibility so users can take action.

Why this matters: Enforcing segmentation without recognizing Docker can disrupt running services by unintentionally modifying firewall rules that Docker depends on. This enhancement:

  • Prevents accidental service outages caused by policy enforcement conflicts
  • Ensures critical containerized workloads remain operational
  • Gives teams the visibility they need to configure co-existence in time
  • Supports a more reliable and production-safe rollout of Xshield in environments using Docker

With this update, Xshield helps you secure workloads without compromising container functionality, delivering safer deployments and better operational continuity.

Support for Oracle Linux 6.9

What to expect: Xshield now officially supports Oracle Linux 6.9, enabling full functionality of its security features on this legacy operating system.

Why this matters: Previously unsupported, Oracle Linux 6.9 systems were excluded from Xshield’s protection capabilities—creating blind spots in environments running older workloads. With this update:

  • Organizations can now secure legacy infrastructure alongside modern platforms
  • Consistent policy enforcement and visibility are maintained across the entire server fleet
  • Compliance requirements can be met in environments where older systems are still operational

This update ensures that even legacy systems benefit from Xshield’s Zero Trust protection and segmentation controls — closing gaps and improving overall security coverage.


UI/UX Updates

Ability to search for CVE-ID in the facets and filters

What to expect: The CVE-ID filter in Xshield now supports direct search by CVE ID, allowing users to quickly locate and filter assets impacted by specific vulnerabilities.

Why this matters: Previously, users had to scroll through a dropdown to select CVEs, which made it time-consuming to find specific entries—especially in large environments. With this enhancement:

  • Users can instantly search and filter by known CVE identifiers (e.g., CVE-2024-1234)
  • Faster vulnerability triage and response becomes possible
  • Usability and efficiency improve when tracking exposure to high-profile or actively exploited CVEs

This update helps security teams respond more precisely and efficiently during patching cycles or when addressing urgent threat intelligence.

Vulnerabilities for each port in the ports page

What to expect: The Ports page in Xshield now includes a new column, Port Vulnerabilities, which displays known vulnerabilities associated with each port, if any exist.

Why this matters: Previously, security teams lacked direct visibility into vulnerabilities tied to specific open or exposed ports. This created blind spots in assessing risk from network services. With this update:

  • Users can instantly identify vulnerable ports across the environment
  • Remediation efforts become faster and more targeted
  • Situational awareness is enhanced by linking service exposure to known threats

By correlating port-level activity with real-time vulnerability data, this feature strengthens security posture and improves prioritization in vulnerability management workflows.

EDR Groups Tab

What to expect: Xshield has refined its navigation experience by introducing a new “EDR Groups” tab, replacing the previous “Host Groups” tab. This tab will appear only when at least one EDR integration is enabled, and its submenu will dynamically display only the EDR platforms currently in use.

Why this matters: As Xshield continues to expand support for multiple EDR solutions, the traditional “Host Groups” view became increasingly generic and less efficient for EDR-centric workflows. With this update:

  • Navigation is streamlined and context-aware, showing only relevant EDR groupings
  • UI clutter is reduced, especially in environments with multiple integrated tools
  • Operational efficiency improves, allowing security teams to quickly access and manage assets based on their respective EDR platforms
  • It reinforces clarity and alignment with existing toolsets, making segmentation and policy management more intuitive

This enhancement delivers a cleaner, more adaptive user experience—tailored to how modern security teams operate with EDR integrations.


Xshield Utility

New functions added to the Xshield utility:

  • Support for creating a named network from a range of IP subnets
  • Support for collecting unique vulnerabilities across a tenant
  • Updated install script for the Xshield utility
  • Cross-platform support for creating and running Jupyter notebooks

Resolved Issues

  • Problem: TCP half-open connections were captured and shown on the Xshield tenant.
    Resolution: The agent captured a session as soon as it saw a SYN and SYN-ACK, even if the handshake was never completed. This release fixes the issue so that incomplete TCP handshakes are no longer reported as valid channels.

  • Problem: When a device moves between gatekeepers from different HA groups, there is a device association discrepancy across gatekeepers.
    Resolution: The platform ensures the new gatekeeper takes ownership by updating the agent ID and triggering asset deletion on the old gatekeeper.

  • Problem: Named Network gets deleted even if it is configured in a template.
    Resolution: Fixed by adding a validation check to prevent deletion of Named Networks that are configured in templates.
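To illustrate the first resolved issue, here is an added example (not ColorTokens or Xshield code) of a minimal TCP flow tracker that reports a channel only after the full SYN, SYN-ACK, ACK exchange; the `report_half_open` switch reproduces the earlier behaviour of reporting on SYN-ACK alone, and the packet sample and function names are constructed for illustration.

```python
# Added example (not ColorTokens/Xshield code): a minimal TCP flow tracker that
# reports a channel only once the three-way handshake (SYN, SYN-ACK, ACK) has
# completed, so half-open connections are not surfaced as valid channels.
from collections import namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits
Packet = namedtuple("Packet", "src sport dst dport flags")

def flow_key(p):
    # Order the endpoints so both directions of a connection share one key
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def report_channels(packets, report_half_open=False):
    """Return (client_ip, server_ip, server_port) tuples that would be reported.
    report_half_open=True mimics the pre-fix behaviour: report on SYN-ACK alone."""
    flows, reported = {}, []
    for p in packets:
        key = flow_key(p)
        f = flows.setdefault(key, {"state": "NEW"})  # NEW -> SYN_SENT -> SYN_RCVD -> ESTABLISHED
        syn, ack, rst = p.flags & SYN, p.flags & ACK, p.flags & RST
        peer = (p.src, p.sport)
        if rst:                                      # aborted handshake: forget the flow
            flows.pop(key, None)
        elif f["state"] == "NEW" and syn and not ack:
            f.update(state="SYN_SENT", client=peer, server=(p.dst, p.dport))
        elif f["state"] == "SYN_SENT" and syn and ack and peer == f["server"]:
            f["state"] = "SYN_RCVD"
            if report_half_open:                     # old behaviour: report too early
                reported.append((f["client"][0], f["server"][0], f["server"][1]))
        elif f["state"] == "SYN_RCVD" and ack and not syn and peer == f["client"]:
            f["state"] = "ESTABLISHED"
            if not report_half_open:                 # fixed: report only on completion
                reported.append((f["client"][0], f["server"][0], f["server"][1]))
    return reported

# Constructed sample: one completed handshake to :443 and one half-open
# attempt to :22 that the client aborts with RST after the SYN-ACK.
SAMPLE = [
    Packet("10.0.0.1", 40000, "10.0.0.5", 443, SYN),
    Packet("10.0.0.1", 40001, "10.0.0.5", 22, SYN),
    Packet("10.0.0.5", 443, "10.0.0.1", 40000, SYN | ACK),
    Packet("10.0.0.5", 22, "10.0.0.1", 40001, SYN | ACK),
    Packet("10.0.0.1", 40000, "10.0.0.5", 443, ACK),
    Packet("10.0.0.1", 40001, "10.0.0.5", 22, RST),
]

if __name__ == "__main__":
    print("pre-fix:", report_channels(SAMPLE, report_half_open=True))
    print("fixed:  ", report_channels(SAMPLE))
```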