New Features

The following new features are categorized by product component.

Threat Intel Management

Threat intel management
Threat intel management capabilities are designed to ingest, process, and export a large amount of indicators, further automating your security ecosystem. By default, the threat intelligence management infrastructure runs on the internal database. We recommend that you migrate your indicators to a dedicated Elasticsearch database.
Full threat intel management capabilities requires a separate license.
Threat intel feeds
Cortex XSOAR now has several threat intelligence feed integrations, both generic and vendor-specific that fetch indicators according to a specified query, which enable you to automate threat intelligence management.
Cortex XSOAR ingests and processes indicator sources from these threat intel feeds and exports the enriched intelligence data to SIEMs, firewalls, and other systems.
Elasticsearch database
You can now store indicators, and indicator data, in a dedicated Elasticsearch index. Use the tool to migrate existing indicators to the Elasticsearch index.
Export indicators
You can export indicators to a file, an EDL, or as a TAXII service to update your SIEM, proxy server, and firewall.
Share indicators
You can now share indicators between tenant accounts in an Elasticsearch index. You can define which local indicators to export from a tenant to a shared indicator index. On the master account, you can define which indicators are pushed to shared tenant accounts.
enrichIndicators command
Added the enrichIndicators command, which supports enriching all indicator types.


Skip a playbook task when an integration or automation is unavailable
You can skip a playbook task, or branch when an integration is unavailable or disabled. If the playbook contains a task or branch which contains an unavailable or disabled integration, the task is ignored and the playbook continues to execute, otherwise the playbook fails.
To enable this feature for a task, select the
Skip this branch...
check box in the
section of the playbook task.
Improve loop performance
When defining a loop in a sub-playbook, you can now determine the number of times the loop runs and the amount of time to wait between each time it runs.
Ignore outputs
You can now limit the information in the Context Data to the key-value pair you define in the Extend context field. For example, if querying certain criteria returns numerous fields, event counts, and descriptions, you may want to ignore the output that includes fields.
Quiet mode
You can configure a playbook, or playbook task, to neither display inputs and outputs, nor write information to the War Room, which substantially improves performance by increasing playbook speed and saving database size.
Outputs are still written to content. If you want to disable Outputs ensure you use the Ignore Outputs feature.
Edit sub-playbook task names
You can now edit the task name for a sub-playbook, which enables you to give a better context to the playbook.
Customize Communication Task message layout
You can now select the color of the email header, body, and buttons, as well as customize text of the message header and button text.
Run Communication tasks using an engine
You can now run communication tasks through an engine, which allows users to continue to respond to these tasks when network access to Cortex XSOAR needs to be restricted.


Action buttons on incident summary page
You can configure a Button field to include in an incident or indicator layout, which executes a script when the user clicks the button. For example, you can add a button that executes a script to add an indicator to the exclusion list.
Export custom incident types
You can export custom incident types in JSON format, as an array of incident type objects. Note that you can’t export system incident types.
Added the Created By incident field
The Created By incident field enables you to track the user that created the incident/ticket. You can add this field to the layout for any incident type.

Dashboards and Widgets

Edit a widget query
In the
Widget library
, when editing a widget, you can change and save the Data Query. This enables you to add the widget with the updated data query to a dashboard and report.
Create script-based widgets
You can create script-based widgets in the user interface by selecting
as the Data Type. This functionality was previously only available by editing a script JSON file.

User Management

Role for analyst shift management
Added the ability to define analyst shifts, which enables you to easily identify on-shift analysts for incident assignment. Shifts also help the system determine suggested analysts for incident assignment.
Enable and disable users
As an Administrator, you can enable or disable users.
Disabled users are not counted for a license.
Password policy
Set a password policy for all internal users in Cortex XSOAR. The password policy enables you to set password complexity requirements, as well as set the password expiry date and more.
Role-based bulk changes
You can configure the bulk changes users can make to incidents that are listed in the table view of the Incidents page. For each role in the Roles page of User and Roles settings, you can select the
Incident table actions
that the user can perform in bulk.
Toggle keyboard shortcuts
Each user can enable or disable the various keyboard shortcuts in Cortex XSOAR. Some keyboard layouts, such as Apple Mac, European and Asian keyboards may conflict with Cortex XSOAR shortcuts.
Command line shortcuts still work even when keyboard shortcuts are disabled.
Active Directory phone number field
The value of the Active Directory
field maps to the
Phone Number
field in Cortex XSOAR.


Workers status
You can view worker information such as the number of workers available, how many are busy, and more, by using the following REST API call:
GET /workers/status
Delete dashboards created by users no longer in the system
It is possible to delete or unshare dashboards that were created by users who are no longer in the system using the following REST API calls.
  • DELETE "/dashboards/:id"
  • POST "/dashboards/unshare/:id"
Docker container status
Cortex XSOAR exposed an API that enables you to get health information about your containers, including how many are active, inactive, and how many containers you have in total.
The API is available using:
GET /health/containers


Selective propagation
Synchronize content to tenants by using matching propagation labels on the content item and the tenant.
Dev/Prod support
You can now use the Remote Repository feature in Multi-tenant environments. This enables you to develop content on one machine, push it to the Master environment, and synchronize the content with the different tenants using propagation labels.

General Features

Add PowerShell scripting support
You can create automations and integrations using PowerShell. Cortex XSOAR supports PowerShell Core.
Tags field type
Added the Tags field type for incidents and indicator fields, which accepts a comma-separated list for its value. Once defined, you can easily search for the incident tags, such as severity, value, campaign name, and so on, as you would any other field.
Multiple file drag and drop
You can drag and drop files and images into the War Room.
Machine learning
You can now build a machine learning model through the UI, which enables Cortex XSOAR to analyze and predict behavior through incident types and fields. The model uses past incidents that have already been classified to classify incoming events automatically.
Reorder Dashboards
You can reorder the different dashboard pages using drag and drop.
Add tags and mark as evidence/note
In the Upload files dialog box, when adding a file entry to an incident, you can mark the file as evidence or a note, and add any tags, rather than upload the file and then add comments. Useful if you use numerous tags and saves time by entering the information at the point of upload.
Permanently delete files
Users with admin privileges can permanently delete files, such as sensitive data, or where files are uploaded in error, from the War Room. Permanently deleted files cannot be restored.
Navigation side bar
You can now pin the navigation side bar to the minimized position.
Batch edit indicators
In the indicators table, you can select multiple indicators and perform a batch edit. If you batch edit indicators of different indicator types, you can only batch edit the fields that are part of the default indicator layout.
Pending Tasks view
By default, the first task in the
Waiting for action
section is automatically expanded which enables you to deal quickly with the pending task and speeds up work-flows, rather than having to open the first task manually.
Indicators section for incidents
By default, the indicators section of an incident displays 100 indicators per page. You can also select the page you want to view.
Server starting message
Server is starting
page now displays at the beginning of the process. In some cases, such as re-indexing, the server might take a while to start. It’s important that you do not restart the service while the server is starting to avoid killing any active processes.
Default values for transformation script arguments
The default values for transformers’ script arguments are automatically applied in cases when they were not supplied by a user.
Custom separators
Prior to this version, you could only separate list items with a comma. You can now use custom, single character separators, for example a semicolon, to separate list items. The custom separator can be applied globally (to all lists), or on the list level.

Recommended For You