Minor Releases - Release Notes - 6.8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Release Notes
Product
Cortex XSOAR
Version
6.8
Creation date
2022-09-02
Last date published
2023-07-02
End_of_Life
EoL
Category
Release Notes

Cortex XSOAR Minor Release

Release Date

Cortex XSOAR 6.8.0 (B176620)

November 15, 2022

Cortex XSOAR 6.8.0 (B3261002)

July 17, 2022

For details how to download and install the latest version, see Upgrade the Cortex XSOAR Server.Upgrade the Cortex XSOAR Server

Cortex XSOAR 6.8.0 (B176620)

Cortex XSOAR 6.8.0 (B176620) is a maintenance release that delivers the following new features, breaking changes, and bug fixes:

New Features

  • The release notes build number has changed, so it now starts with B17x.

  • The SSO endpoint for Marketplace has been updated. You no longer need to add a server configuration to access Marketplace for paid content packs.

  • (Multi-tenant) When syncing to the tenant, you can now add or remove incident field propagation labels to determine whether incident fields are propagated.

Breaking Changes

In a playbook, when adding a formatted JSON string onto separate lines into the Labels input field in the CreateNewIncident task, the task stopped on error. For example,

You can now add the following server configuration:

Key: fields.labels.json.escape.linebreak

Value: false

Changing this to false may cause backward compatibility errors, as you cannot have JSON string literals that are multi-line.

Fixed Issues

  • When using a remote repository, it sometimes took a long time to load the local changes.

  • If you paused a playbook when it was running a sub-playbook and it was not executing the last task in that sub-playbook, the playbook would not resume when you clicked Resume a playbook (play button).

  • When running a playbook, tasks were sometimes marked as completed by random users in the War Room. You can now add the following system configuration, which resolves the issue: server.mail.listener.suppress.user.mail.check : false.

  • When writing an automation that called a system automation, the container running the system automation would run the commonUserPython even though it was disabled by a configuration file.

  • When an incident had an attachment resulting from a data collection task, the attachment could not be downloaded from the incident layout.

  • In some cases, reports in CSV format contained a newline character at the end of the incident name.

  • In the integration Settings page, timeout errors occurred when migrating settings from development to production environments.

  • An empty chart was displayed in the Dashboard when using a custom widget with a custom time field in group by and decreasing the time increment from days to hours or less.

  • In some cases, when creating a widget for a single day and configuring the Group by to Date Occurred, the results were split over two days.

  • When a pre-processing rule ran a script that searched for incidents, incidents in the temp index were not found.

  • Sometimes indicators extracted from field values were not marked in the War Room field entry, but displayed ^^^ characters instead.

  • The indicator description field did not display data for indicator objects after changing the custom field type.

  • Indicator Extraction was performed even when the task was set to Quiet Mode.

  • In some cases, jobs ran repeatedly at short intervals, instead of on the job schedule.

  • When opening very large playbooks, the UI became slow and unresponsive.

  • When Cortex XSOAR was upgraded to v6.6 or later, the playbook.willnotexecute.old.eval server configuration was set to true.

  • If a key in context data had the same name as a playbook task, when the task ran, the value of the key was populated in the Work Plan instead of the task name.

  • When a playbook was running in debugger mode, any artifacts that were created could not be downloaded.

  • In some cases, when a sub-playbook input was shared across multiple tasks in that sub-playbook, a concurrent map read-write error caused the Cortex XSOAR server to crash.

  • In some cases, when opening a sub-playbook after processing an incident, the sub-playbook tab would hang on loading.

  • In some cases, when running playbooks, they did not always complete and some tasks showed incorrect information, due to a cache issue.

  • When running the playbook debugger, if you attempted to use the setPlaybook automation, the playbook did not continue to run. The setPlaybook automation is not supported within the playbook debugger. An error is now displayed with this information.

  • When clicking Ask by in a data collection task, nothing happened.

  • When clicking on a link in an email from a data collection task in a playbook, sometimes data was missing from the data collection form.

  • In some cases, playbook error handling did not work as selected. When the Continue or Continue on error path(s) options was selected, a failed task was marked as successful and the next task continued along the main path and not on the error path.

  • After a service restart, the playbooks that were previously in a running state did not continue running when there were more than 50 incidents.

  • In some cases, when opening a sub-playbook after processing an incident, the sub-playbook tab would hang on loading.

  • When the getUsersByUsername command returned multiple roles, all of the roles were returned under key Role.0, instead of as separate keys - Role.0, Role.1, Role.2, etc.

  • In rare cases, after re-indexing a database, the indexing configurations for fields were distorted, causing queries to return the wrong results for historical data.

  • When using the !createNewIndicator command with the merge=false argument, if the indicator value already existed in the database it was duplicated instead of being overwritten.

  • When you purged large Work Plans through either the System Diagnostics page or the API, an error was returned, even though the Work Plan was purged.

  • The no_proxy server configuration in Cortex XSOAR was not passed to command/container runs in Docker/Podman.

  • (Hosted Service) The System Diagnostics page displayed incorrect information for Hosted Service limits.

  • (High Availability) In some cases, daily jobs were running multiple times a day, once on each App server.

  • (High Availability) When trying to assign comments from the War Room to tasks, in some cases an error was returned.

  • (Multi-tenant) When using Elasticsearch, there was an issue when fetching lists using the {lists.XXX} resolver.

  • (Multi-tenant) The host waited for all accounts to start before the host would start.

  • (Multi-tenant) After configuring a DUO integration to authenticate login, DUO authentication failed when logging into Cortex XSOAR.

  • (Multi-tenant with High Availability) When an account was created on one host, errors related to that account appeared on other hosts.

  • (Elasticsearch) When configuring an incoming mapper, incident fields were not sorted alphabetically, after migrating from Boltdb to Elasticsearch.

  • (Elasticsearch) In Elasticsearch, template creation requests were sent too many times.

  • (Elasticsearch) When closing an investigation, the Incidents I own and Incidents I participated in sections in the sidebar were blank, when the page refreshed.

  • (Elasticsearch) A job that queried many playbooks could crash Elasticsearch.

  • (Elasticsearch) The closeNotes field was not searchable.

  • (Elasticsearch) There was no option to disable large or unqueried fields in Elasticsearch.

  • (Elasticsearch) Many empty requests were sent to the Elasticsearch database causing slow performance.

  • (Elasticsearch) If elasticsearch.maxContentLength was set by the user in the demisto.conf file, the value was not applied and the value of http.max_content_length from the Elasticsearch settings was used instead.

Installation file hash:8c5d9f93e595b482c76397313d096e9c9f6dacdff74aab721be99b405230abc1

Cortex XSOAR 6.8.0 (B3261002)

Cortex XSOAR 6.8.0 (B3261002) is a maintenance release that delivers the following enhancements and bug fixes:

New Feature

Added the following server configuration for situations when trying to view the Related Incidents tab of a selected incident, and Cortex XSOAR is taking too long to access the data:

Key

Value

incident.cluster.query.parallel.limit

Default is 2

Note that a larger value means greater CPU/memory usage.

Enhancements

  • (Multi-tenant) Improvements have been made to multi-tenant deployments with large numbers of hosts. Cortex XSOAR no longer automatically creates all installers, and does not query offline hosts.

  • (Multi-tenant) When selecting incidents from more than one account, a message is now displayed that the selected incidents are from different accounts.

Fixed Issues

  • When creating a new incident with a slash ( /) in the name, the incident could not be edited.

  • In the Deployment Wizard Configure Playbook and Parameters task, the default main playbook sometimes changed.

  • When selecting Use this instance for external authentication only in an Active Directory Authentication integration, and then selecting Require users to authenticate in a data collection task in a playbook, the user could not log into Cortex XSOAR, and an error message appeared.

  • The Deployment Wizard was missing a note to users that the modal could not close without filling in required fields.

  • After first time installation, clicking the Deployment Wizard Fetch Integration caused an error.

  • After upgrading to Cortex XSOAR 6.8, in some cases, if using Live Backup, the server repeatedly restarted and users were unable to access the UI.

  • In some cases, the Cortex XSOAR server restarted due to a concurrency error.

  • In the Deployment Wizard, the default incident type was detached when the wizard steps were completed.

  • In the playbook editor with multiple tabs open, long playbook names did not display correctly.

  • Indicators that were changed or created in the last day of any month were not expired.

  • Recurring scheduled tasks caused the server to crash.

  • Although some sub-playbook tasks progressed in the server, they did not appear, unless when refreshing the page.

  • After creating a new field and adding it to all incident types, the field did not appear on the New Incident form.

  • When viewing an incident, if you viewed the Incident/Case Info tab, switched to a different tab, and then returned to the Incident/Case Info tab, the incident name no longer appeared in the tab header.

  • In the Incidents page, if no incidents were returned in a search, clicking the How to search in Cortex XSOAR link did not go to the correct page.

  • When creating a playbook and then navigating to the Manual Tasks tab from the Task Library window, the tab did not load.

  • In some cases, customers with a TIM only license were not able to run Cortex XSOAR operations.

  • In some cases, scheduled jobs caused the server to hang.

  • (Live Backup) In some cases, due to a golang concurrent map read/write error, the Cortex XSOAR server would restart.

  • ( Remote Repository) If there were conflicts between the development and production machines, clicking on the Resolve Conflicts button led users to a blank page and conflicts could not be resolved.

  • ( High Availability) In some cases, some web services message data was empty when sent from one app server to another.

  • ( High Availability) In some cases, when an app server ran a playbook, a user looking at the investigation while connected to a different app server did not see updated task information.

  • ( Multi-tenant) Accounts on remote hosts would sometimes enter deactivated mode.

  • ( Multi-tenant) Cortex XSOAR failed when there were timeouts from a large number of hosts.

  • ( Multi-tenant) In some scenarios, the host deleted all of its local users. This triggered all users to be deleted from the host’s accounts as well, along with their related API keys, preventing any access to those accounts.

  • (Multi-tenant) When exporting custom layouts from a main account, the files were truncated to 32 KB and could not be used.

  • ( Multi-tenant with High Availability) In some cases, an empty high availability group remained in the database, causing panics.

Installation file hash: ce9c38e7c5d6e7d03cd0d5cf4ebdc4c001a877f586bfca2619af14c4ab2aabe4