New Features

The following new features are categorized by product component.

Marketplace

Cortex XSOAR Marketplace is the central location for installing, exchanging, contributing, and managing all of your content, including playbooks, integrations, automations, fields, layouts, and more. The Marketplace allows you to easily:
  • Leverage content from the largest SOAR community: Continuously extend Cortex XSOAR with proven use-cases contributed by SecOps users and SOAR partners.
  • Discover top rated, validated content: Identify the best premium and free content offerings recommended by your peers and validated by the world’s leading cybersecurity company. Discover how to increase automation with the tools that you already have and browse through community best practices.
  • Solve your toughest security use-cases: Deploy turnkey security workflows that span integrations, playbooks, dashboard layouts, and reports with a single click.
The essence of the Marketplace is to build a strong community with other security professionals by easily exchanging content. You can explore the latest trends from Cortex XSOAR and other contributors and test drive use cases all within your Cortex XSOAR platform.
Both new installations and upgrades to this version require a new Cortex XSOAR license.

Threat Intel Management

These features do not require a threat intel management license; they are available to all Cortex XSOAR users.
Feature
Description
Indicator quick view layout
Added the ability to edit the quick view layout for indicators.
expireIndicators command
Added a built-in command to expire indicator(s) manually or in a batch command. It changes the Expired status for one or more indicators. You can use this command for an action button in the indicator summary view or as an automation script.
setIndicator command
Added ability to run the setIndicator built-in command in a batch command.
excludeIndicators
Adds one or more indicators to the Exclusion List.
setIndicators
Updates the properties for one or more indicators. You can update the following properties: reputation, type, values, fields, and expiration (in addition to all indicator custom fields).
associateIndicatorToIncident
Associates a single indicator to the specified incident.
associateIndicatorsToIncident
Associates multiple indicators to the specified incident.
unassociateIndicatorToIncident
Removes a single indicator from the specified incident.
unassociateIndicatorsToIncident
Removes multiple indicators from the specified incident.

Case Management

Feature
Description
Classification and mapping
Classification and mapping has been revamped and includes the following improvements and highlights:
  • Classifiers and Mappers are no longer connected to one another. Classifiers are used to determine how an incoming incident or indicator is classified, and mappers determine how the fields are mapped, as separate entities.
  • The mapping mechanism was changed so you are creating a default mapping for the common fields in all of the incidents, which means that you only have to create specific mappings in the other incident types for fields that are specific to each incident type.
  • You can automatically map fields based on the machine learning model, which maps fields of the same or similar names from 3rd-party integrations into fields in Cortex XSOAR.
  • There are now mappings for incoming incidents and for outgoing feeds that push information to other products.
  • You can create a mirrored connection with other applications, which enables you to update information for an incident in Cortex XSOAR and the information will be updated automatically in the 3rd-party application, and vice versa.
Playbook task to use default instance
Added the ignore.default.in.playbooks server configuration, which enables you to specify which integration instance to use to execute commands in playbook tasks. When set to true, only integration instances that do not have the Do not use by default checkbox selected will be used to execute the command. If the playbook task specifies an integration instance with the Using argument, only the specified integration instance will be used.
Dynamic options for Data Collection tasks
When defining a Data Collection task for a playbook, you can use transformers and filters, which present dynamic options to the person completing the task.
Include task outputs in field mapping
Outputs from previous tasks are available as Field Mapping options for playbook tasks.
Propagate layouts to tenant accounts (Multi-Tenant)
You can now propagate incident and indicator layouts from the main account to tenants using propagation labels.
investigate command
Added the investigate command which enables you to start an investigation of an incident. You can start an investigation from another incident (mainly jobs) or control the order of incidents that are being investigated.
Assign a task to a role
You can now assign tasks to a user, role, or both. This enables the specified users or the users within the selected roles to complete the task.
Export one or more custom fields
Added the ability to export one or more custom fields, which gives you granular control to modify and manage custom fields.

Platform

Feature
Description
Store audit objects in Elasticsearch
You can now migrate audits, in addition to indicators, to your Elasticsearch database. The Elasticsearch database enables processing and storing large amounts of data. We provide a migration tool that identifies audits and creates a dedicated Elasticsearch index for the audits.
If you upgrade from v5.5 and already have a dedicated Elasticsearch index for indicators, the migration tool will only migrate audits (it won’t duplicate indicators).
Last 7 calendar days date range
Added a new Date Range option for filtering widget data: Last 7 Calendar Days, in the Date Range drop-down list. Last 7 Calendar Days returns 7 days' worth of information, inclusive of the current day. This differs from Last 7 Days, which returns today's information and the 7 days prior, for a total of 8 days' worth of information.
Download custom reports in JSON
You can now download the JSON file for a report. This is useful when you need to troubleshoot and debug report issues.
