New Features

The following new features are categorized by product component.


Cortex XSOAR Marketplace is the central location for installing, exchanging, contributing, and managing all of your content, including playbooks, integrations, automations, fields, layouts, and more. The Marketplace allows you to easily:
  • Leverage content from the largest SOAR community: Continuously extend Cortex XSOAR with proven use-cases contributed by SecOps users and SOAR partners.
  • Discover top rated, validated content: Identify the best premium and free content offerings recommended by your peers and validated by the world’s leading cybersecurity company. Discover how to increase automation with the tools that you already have and browse through community best practices.
  • Solve your toughest security use-cases: Deploy turnkey security workflows that span integrations, playbooks, dashboard layouts, and reports with a single click.
The essence of the Marketplace is to build a strong community with other security professionals by easily exchanging content. You can explore the latest trends from Cortex XSOAR and other contributors and test drive use cases all within your Cortex XSOAR platform.
To log in to the Marketplace, download paid Content Packs, and comment on and rate both paid and free Content Packs, you need a new Cortex XSOAR license (for new installations and upgrades to this version).

Threat Intel Management

These features do not require a threat intel management license; they are available to all Cortex XSOAR users.
Indicator quick view layout
Added the ability to edit the quick view layout for indicators.
expireIndicators command
Added a built-in command to expire indicator(s) manually or in a batch command. It changes the Expired status for one or more indicators. You can use this command for an action button in the indicator summary view or as an automation script.
setIndicator command
Added ability to run the
built-in command in a batch command.
Adds one or more indicators to the Exclusion List.
Updates the properties for one or more indicators. You can update the following properties: reputation, type, values, fields, and expiration (in addition to all indicator custom fields).
Associates a single indicator to the specified incident.
Associates multiple indicators to the specified incident.
Removes a single indicator from the specified incident.
Removes multiple indicators from the specified incident.

Case Management

Classification and mapping
Classification and mapping has been revamped and includes the following improvements and highlights:
  • Classifiers and Mappers are no longer connected to one another. Classifiers are used to determine how an incoming incident or indicator is classified, and mappers determine how the fields are mapped, as separate entities.
  • The mapping mechanism was changed so that you create a default mapping for the fields common to all incidents, which means that you only have to create specific mappings in the other incident types for fields that are specific to each incident type.
  • You can automatically map fields based on the machine learning model, which maps fields of the same or similar names from 3rd-party integrations into fields in Cortex XSOAR.
  • There are now mappings for incoming incidents and for outgoing feeds that push information to other products.
  • You can create a mirrored connection with other applications, which enables you to update information for an incident in Cortex XSOAR and the information will be updated automatically in the 3rd-party application, and vice versa.
Filters and Transformers
Filters and transformers in a playbook and when mapping an instance have been improved and include the following:
  • Filter multi-level objects as required. Cortex XSOAR automatically calculates the object root to filter.
  • View the object root level to filter.
  • Change the object root level to filter, as required.
Playbook task to use default instance
Added the
server configuration, which enables you to specify which integration instance to use to execute commands in playbook tasks. When set to true, only integration instances that do not have the Do not use by default checkbox selected will be used to execute the command. If the playbook task specifies an integration instance with the Using argument, only the specified integration instance will be used.
Dynamic options for Data Collection tasks
When defining a Data Collection task for a playbook, you can use transformers and filters to present dynamic options to the person completing the task.
Include task outputs in field mapping
Outputs from previous tasks are available as Field Mapping options for playbook tasks.
Propagate layouts to tenant accounts
You can now propagate incident and indicator layouts from the main account to tenants using propagation labels.
investigate command
Added the investigate command, which enables you to start an investigation of an incident. You can start an investigation from another incident (mainly jobs) or control the order of incidents that are being investigated.
Assign a task to a role
You can now assign tasks to a user, role, or both. This enables the specified users or the users within the selected roles to complete the task.
Export one or more custom fields
Added the ability to export one or more custom fields, which gives you granular control to modify and manage custom fields.


Store audit objects in Elasticsearch
You can now migrate audits, in addition to indicators, to your Elasticsearch database. The Elasticsearch database enables processing and storing large amounts of data. We provide a migration tool that identifies audits and creates a dedicated Elasticsearch index for the audits.
If you upgrade from v5.5 and already have a dedicated Elasticsearch index for indicators, the migration tool will only migrate audits (it won’t duplicate indicators).
Last 7 calendar days date range
Added a new Date Range option by which to filter widget data: Last 7 Calendar Days, in the Date Range drop-down list. Last 7 Calendar Days returns 7 days' worth of information, inclusive of the current day. This differs from Last 7 Days, which returns today's information and the 7 days prior, for a total of 8 days' worth of information.
Download custom reports in JSON
You can now download the JSON file for a report. This is useful when you need to troubleshoot and debug report issues.
Log into a Host using SAML integration
When logging in from a Cortex XSOAR Host/Tenant using a SAML integration, the user is redirected to the URL where the request originates.
