Minor Releases

Cortex XSOAR 6.0.1 (B87052)

Cortex XSOAR 6.0.1 (B87052) is a maintenance release that delivers bug fixes and provides usability enhancements.
Fixed Issues
  • When Cortex XSOAR initially loaded, too much data was sent to the client machine, which affected response times. As of this version, session handling is more efficient resulting in less data being sent.
  • When converting content items to content packs, integration instances were deleted after pulling the changes from the remote repository to the production environment.
  • When working with remote database nodes, and sorting a large-scale table, for example Incidents, by a column other than ID, the page did not display properly.
  • When updating content or pulling content from a remote repository, updating a playbook that did not have any changes to its YML, caused an error to occur.
  • In some cases, Cortex XSOAR failed to load incidents and dashboards, and searches became unresponsive.
  • When running a command in an automation script using an engine, the
    argument failed to run correctly. An entry was created in the War Room without the file details, and the file could not be downloaded.
  • Sometimes, after attempting to push content to the remote repository, a GIT timeout error occurred. As of version 6.0.1, you can configure the GIT timeout by adding the
    server configuration. The default value is 180 seconds. Change the value per the amount of seconds you require.
  • If you had a loop within a loop, and the second loop included a condition, the playbook might stall with a status of in progress.
  • When a content field had the same name as a system field, a conflict occurred and the following error message occurred:
    Item is system and cannot be modified
  • When generating a report, the report displayed the owner who ran the report rather than the incident owner.
  • When exporting indicators with expiration values to a CSV format, expiration date values were missing.
  • When working with remote repositories, after upgrading to version 6.0, when pulling content to the production environment, out-of-the-box incident types were not upgraded.
  • Incidents took a long time to load when navigating to, and away from, the Work Plan page.
  • When trying to edit a duplicated playbook's inputs the following warning displayed:
    You cannot edit arguments of a non-permitted automation
  • In the
    Incidents Mapping Editor
    page, when the
    Do not map unmapped fields into labels for selected incident type
    checkbox was not selected, mapped data was mapped into labels regardless of whether the field was already mapped to an incident field.
    The text of the checkbox has been updated to
    Do not map JSON fields into labels for selected incident type
  • In some cases, when updating the layout of an indicator type or incident type, the websocket was not sent to the web client, causing the wrong template to display temporarily.
  • When using the Dark or Darkula themes, in the War Room, the output of the
    !DisplayHTML html=<b>hello</b>
    command blended into the background and became invisible.
  • When a user submitted a waiting task and tried to submit the same task again, an error displayed in the task pane but the Work Plan continued to run. In this version a user is unable to submit the same task more than once.
  • While entering data in custom fields for a new incident, text was disappearing (deleted) due to server messages from the web socket. In addition, performance was affected by these messages. As of this version, only messages relevant to the context in which users are working are sent and text no longer disappears.
  • When editing playbooks created before version 6.0, custom playbook tasks disappeared. One of the task fields was not handled properly, causing the edited tasks not to be saved, and therefore appearing blank.
  • When configuring the Slack v2 integration to send open and close notifications for incidents with at least a low priority, notifications were sent even for incidents with no priority.
  • When creating a PDF report, some script line chart widgets did not appear correctly.
  • In some cases, when logging out of Cortex XSOAR, users were not redirected to the login page causing uncertainty whether they were actually logged out.
  • (Mutli-Tenant)
    In the Marketplace, when updating playbooks, propagation labels failed to update and an error message was issued.
  • (Mutli-Tenant)
    When selecting the
    Script Helper
    HOW TO
    tab, content was not synced from the main account to the tenant account, so that no content appeared in the tab in the tenant environment.
  • (Multi-Tenant)
    When syncing content from the main account to a tenant, the tenant theme reverted to the default theme.
  • (Multi-Tenant)
    In the main account, when detaching an automation, automations that existed in the tenant environment did not sync to tenants.
  • (Multi-Tenant)
    System dashboards could not be deleted from a tenant account.
  • (Multi-Tenant)
    Account Management
    , when syncing with a tenant and selecting
    , items that were reselected were not synced.

Cortex XSOAR 6.0.1 (B84583)

Cortex XSOAR 6.0.1 (B84583) is a maintenance release that delivers bug fixes and provides usability enhancements.
New Features
  • Added the ability for administrators to set a default query by role for Incidents, Indicators, Jobs, and War Room.
  • You can now add sub-playbooks as ad-hoc tasks.
  • Added the option to create and export custom reports in CSV format.
Fixed Issues
  • In the Filters and Transformers dialog box, Get field, a root node expression (single dot) returned an invalid path error.
  • You could not edit a Data Collection task from the playbook task editor when the task was saved without providing a value for the
  • In the Work Plan, only partial data was sent, which triggered an API call from the client to the server to fetch all data whether or not the data was relevant.
  • War Room filters did not filter War Room entries as expected.
  • The Mean Time to Resolution (MTTR) widget produced a typo error when viewing or generating a report in Word doc format.
  • Comments were not shared when sharing indicators.
  • Fetching a large number of incidents caused the server to run slowly and open/close a large number of indexes.
  • Running a sub-playbook with an empty name caused the process to enter an infinite loop.
  • In the Indicators page, sorting Related Incidents did not work as expected.
  • After running an Elasticsearch query, connections remained open and created new connections for each request, which may affect server performance.
  • Indicator values containing a dot notation in custom fields were not mapped correctly.
  • In the Incident page, tasks did not display correctly after making changes.
  • Content items that contained non-UTF8 characters in file names returned an error.
  • Classifiers were not deleted from version control. For example, classifiers were deleted in a dev environment but remained in prod.
  • Live Backup of files had memory issues and warning logs did not provide sufficient information.
  • (Multi-tenant)
    HTTP headers were incorrect when a SAML response was propagated to hosts in a main-tenant environment.
  • HTML fields are now available as indicator fields, which enable users to create and view HTML content in indicators. HTML fields can be used in any type of indicator.
    By default, HTML fields will not use Cortex XSOAR theme CSS styles. A server configuration is available to allow HTML fields to utilize CSS styles from the current user theme. This change is relevant for all HTML entries and fields such as widgets, dashboards, incidents, indicators, etc.
    To change the default configuration for HTML fields, set the server configuration
    By default, HTML fields populated by integrations are limited to 50KB of data. When ingesting indicators from threat intelligence feeds, content greater than 50KB is truncated.
  • When editing or creating a widget, you can now apply two levels of grouping to the Data type (incidents, indicators, etc.). For example, if you created an incident-based widget, you can group by
  • Users now receive a notification when content needs to be pushed from the dev environment to the prod environment.
  • You can now perform in-line editing in the Indicator Summary page.
  • Added the ability to reset the contents of the Return on Investment (ROI) widget via REST API using the

Cortex XSOAR 6.0.1 (B81077)

Cortex XSOAR 6.0.1 (B81077) is a maintenance release that delivers bug fixes and provides usability enhancements.
Fixed Issues
  • For first-time installations, the incorrect product license was displayed.
  • The marketplace version now appears in the version page.
  • In some cases, an error was thrown when installing a content pack that was not the latest version of the pack, due to missing required dependencies.
  • New content items sent to the disaster recovery (DR) server while in recovery mode corrupted the DR server.
  • The Work Plan websocket failed with an error, which caused the server to stop responding.
  • When the server was being indexed, the UI indicated that the server is being upgraded.
  • An error was thrown when ingesting file indicators from a feed
  • When using a load-balancing engine group, the configured integration credentials didn’t work.
  • (Multi-tenant)
    In deployments where dev-prod was enabled, selective propagation labels were enabled by default for the dev environment.
  • (Multi-tenant)
    Roles were deleted when syncing a tenant.
  • General improvements to product license validation and display.
  • Added a retry mechanism for containers that failed due to unresponsive server pings.

Recommended For You