Minor Releases

If you are upgrading from a version earlier than (B90947) and have DR configured, you must reconfigure your disaster recovery environment.

Cortex XSOAR 6.0.2 (B97682)

Cortex XSOAR 6.0.2 (B97682) is a maintenance release that delivers bug fixes and provides usability enhancements.
Fixed Issues
  • In a remote database, users could view incidents outside of their assigned roles by going directly to the URL or accessing the incident via the indicator view.
  • In a playbook, some tasks were not running in order and the playbook was constantly running due to a looping issue.
  • In a playbook, when using condition tasks, the playbook went in an incorrect direction due to a looping issue.
  • When running a playbook, the playbook task did not complete and the playbook was hanging due to an execution issue.
  • In a sub-playbook task, when turning on Quiet Mode which is on a loop, in the War Room you could still view the outputs for every sub-playbook that ran.
  • When viewing the Work Plan section or incident task pane in the summary view, tasks did not refresh as the Playbook progressed, and users could not view the next task.
  • When using a load balancing group, upon a change to the workers count, some workers in the system failed to quit. The resulting deadlock caused playbook commands to not execute and required a server restart.
  • When running an integration on an engine, remote files were being stored and not removed.
  • When there were looping sub-playbooks in sequential order, the first looping sub-playbook worked as expected, but the second looping sub-playbook did not work as expected because arguments from the first looping sub-playbook were passed to the second looping sub-playbook.
  • Added the configuration Cortex Threat Intel Management as the DBot score vendor, which occurred when an indicator's score was not set manually and the type did not have a configured reputation command or reputation script.
  • When using double quotes ("") at the beginning of an incident search the query tried to find all fields that are not empty, causing the server to hang and use high memory consumption.
  • When creating or editing an incident, if you added the
    Close Notes
    field, there was a delay from typing the text until the text became visible.
  • An artificial DBbotScore was added to extracted indicators, where there were no reputation commands or reputation scripts defined.
  • (
    Multi-tenant
    ) When syncing content to tenants, tenants' favorite incidents were cleared and no longer starred.
  • (
    Multi-tenant
    ) When propagating a report to a tenant, if a report was copied, the copy could not be deleted.
  • (
    Multi-tenant
    ) An error appeared in the Main account when trying to open the Reports page. This occurred because custom reports did not have propagation labels.

Cortex XSOAR 6.0.2 (B94597)

Cortex XSOAR 6.0.2 (B94597) is a maintenance release that implements code improvements to address the recently announced CVEs in Golang's XML parser that compromised the security of SAML authentication. For additional information about the vulnerabilities, read the following CVE advisories.
Installation file hash
: 54d22f1421c2d2ff6c94f25283dbf16e9e847b9f87cafdf6a7633c0426c1a98e

Cortex XSOAR 6.0.2 (B93351)

Cortex XSOAR 6.0.2 (B93351) is a maintenance release that delivers bug fixes and provides usability enhancements.
Fixed Issues
  • Some content was not pushed to the prod environment when pulling content from a remote repository in a dev environment or when trying to push changes after migrating content to the Marketplace. This issue was due to conflict issues in GitHub.
  • When setting up disaster recovery and using large context data, the playbook could crash due to a concurrent map read/write error in the context.
  • When using a data collection task to send an email, and the
    Complete and expire automatically
    field set to
    Reached task SLA (with or without a reply)
    , the task did not complete after the set time.
  • When generating CSV reports, Readable Headers in a
    .json
    file did not take effect.
  • When moving from a dev to a prod environment, the order of the pre-process rules did not sync correctly.
  • When using
    demisto.results(demisto.parentEntry())
    in a Python script, some values are not returned.
  • In a playbook, some earlier tasks are not completed but later tasks show they are running due to a looping issue.
  • (
    Multi-Tenant
    ) Content items that were propagated to tenants did not have propagation labels that corresponded to the content items' propagation labels.
  • (
    Multi-Tenant
    ) When copying a content item from a Content Pack, an error was returned about propagation labels.
  • (
    Multi-Tenant
    ) When creating a Playbook task in the main account and propagating it to tenant accounts, the task was empty.
  • (
    Multi-Tenant
    ) When switching from the primary server to a backup server, tenants on the switched host could not be accessed from the main account.
  • (
    Multi-Tenant
    ) When installing a host for the first time, the host shows as being offline even though it could reach the main server.

Cortex XSOAR 6.0.2 (B90947)

Cortex XSOAR 6.0.2 (B90947) is a maintenance release that delivers bug fixes and provides usability enhancements.
Breaking Changes
Cortex XSOAR 6.0.2 includes several critical fixes for disaster recovery. This includes fixes for performance and reliability issues as mapped out in the Fixed Issues.
After you upgrade to this version you must reconfigure your disaster recovery environment.
Fixed Issues
  • Fixed the following issues with disaster recovery (DR):
    • Data was not sent to the DR server frequently enough, which led to the primary and DR servers being out of sync. As a result, a critical error occurred.
    • When switching DR servers, the Cortex XSOAR primary server was unreachable and the DR server became corrupted. The Cortex XSOAR server was unreachable due to multiple threads reading and writing to the same custom field at the same time.
    • (
      Multi-Tenant
      ) When using DR in Multi-tenant environments, integration credentials were not maintained when switching to the DR server.
    • (
      Multi-Tenant
      ) DR configuration was not propagated correctly from the main account to the tenant accounts.
  • When using wildcards to search through a large number of indicators, the system stopped responding.
  • Indicator custom fields were not populated in the indicator layout with the relevant information from Context.
  • When using role-based access control for integration commands and instances, DBot was not able to execute commands in playbooks.
  • An error occurred within playbook tasks because the database version of the task was not updated.
  • After updating a Content Pack, the UI showed that the Content Pack updated successfully, but the Pack content was not updated.
  • Indicator custom fields were not populated in the indicator layout with the relevant information from Context. This occurred the first time the indicator was auto-extracted if you configured only a reputation script and no reputation command.
  • When a file included a semicolon (;) in the filename, the filename was truncated and downloaded as an EML file with no extension.
  • It was not possible to configure agents to use credentials stored in a credential vault.
  • When changing a Data Collection task to Task Only, the change was not saved and the task reverted to the previous setting.
  • After setting filters or transformers on the input of an Ask Task, it was not possible to edit the filters and transformers.
  • If you added a retry for tasks in a playbook, and then uploaded the playbook to a different server and ran it, the playbook failed with an
    Invalid field
    error.
  • When using the Enter key to create a new line in a Markdown field, the spacing was double-spaced.
  • When manually creating an incident, some parts of a tool-tip were cut off the screen.
  • When creating or editing a pre-processing rule for a grid-field with null columns, an error occurred and the rule could not be created or edited.
  • An error was raised when editing a playbook task and clicking on anything other than OK.
  • It was not possible to edit incident types that had trailing white spaces.
  • A Propagation labels error occurred during installation even though Selective Propagation was not in use.
  • After creating a Conditional Task, when trying to connect the task to another task in the playbook, the Conditional Task disappeared. This occurred if you tried connecting the tasks before clicking OK on the task created.
  • An internal error occurred when the Cortex XSOAR server was reading and writing from the same memory object.
  • After editing a field in the Indicator Quick View, the save button was not visible.
  • When indicators with the same value, but different cases (for example google.com or Google.com), are fetched in the same batch, the indicators appeared as separate values.
  • Tabs could not be reordered in the layout builder.
  • Page breaks in reports did not render as expected.
  • In PDF reports, number widgets were not generated with the widget color as they were displayed in the dashboard. If you are concerned about the amount of ink used when printing the report, make sure you create the widget without color before you generate the report.
  • (
    Multi-Tenant
    ) When importing content from the Troubleshooting page, propagation labels were not applied properly.
  • (
    Multi-Tenant
    ) When synchronizing content to tenants, the synchronization completed successfully, but an error message was displayed.
  • (
    Multi-Tenant
    ) Tenants closed active containers that belonged to other tenants.
  • (
    Multi-Tenant
    ) When synchronizing tenant accounts for integrations that used a Credentials object (
    Integrations
    Credentials
    ), and changes were made that did not affect the integration or Credential object, the integration instance was no longer available.

Cortex XSOAR 6.0.1 (B87052)

Cortex XSOAR 6.0.1 (B87052) is a maintenance release that delivers bug fixes and provides usability enhancements.
Fixed Issues
  • When Cortex XSOAR initially loaded, too much data was sent to the client machine, which affected response times. As of this version, session handling is more efficient resulting in less data being sent.
  • When converting content items to content packs, integration instances were deleted after pulling the changes from the remote repository to the production environment.
  • When working with remote database nodes, and sorting a large-scale table, for example Incidents, by a column other than ID, the page did not display properly.
  • When updating content or pulling content from a remote repository, updating a playbook that did not have any changes to its YML, caused an error to occur.
  • In some cases, Cortex XSOAR failed to load incidents and dashboards, and searches became unresponsive.
  • When running a command in an automation script using an engine, the
    copy-from
    argument failed to run correctly. An entry was created in the War Room without the file details, and the file could not be downloaded.
  • Sometimes, after attempting to push content to the remote repository, a GIT timeout error occurred. As of version 6.0.1, you can configure the GIT timeout by adding the
    version.control.git.command.timeout
    server configuration. The default value is 180 seconds. Change the value per the amount of seconds you require.
  • If you had a loop within a loop, and the second loop included a condition, the playbook might stall with a status of in progress.
  • When a content field had the same name as a system field, a conflict occurred and the following error message occurred:
    Item is system and cannot be modified
  • When generating a report, the report displayed the owner who ran the report rather than the incident owner.
  • When exporting indicators with expiration values to a CSV format, expiration date values were missing.
  • When working with remote repositories, after upgrading to version 6.0, when pulling content to the production environment, out-of-the-box incident types were not upgraded.
  • Incidents took a long time to load when navigating to, and away from, the Work Plan page.
  • When trying to edit a duplicated playbook's inputs the following warning displayed:
    You cannot edit arguments of a non-permitted automation
  • In the
    Incidents Mapping Editor
    Settings
    Advanced
    page, when the
    Do not map unmapped fields into labels for selected incident type
    checkbox was not selected, mapped data was mapped into labels regardless of whether the field was already mapped to an incident field.
    The text of the checkbox has been updated to
    Do not map JSON fields into labels for selected incident type
    .
  • In some cases, when updating the layout of an indicator type or incident type, the websocket was not sent to the web client, causing the wrong template to display temporarily.
  • When using the Dark or Darkula themes, in the War Room, the output of the
    !DisplayHTML html=<b>hello</b>
    command blended into the background and became invisible.
  • When a user submitted a waiting task and tried to submit the same task again, an error displayed in the task pane but the Work Plan continued to run. In this version a user is unable to submit the same task more than once.
  • While entering data in custom fields for a new incident, text was disappearing (deleted) due to server messages from the web socket. In addition, performance was affected by these messages. As of this version, only messages relevant to the context in which users are working are sent and text no longer disappears.
  • When editing playbooks created before version 6.0, custom playbook tasks disappeared. One of the task fields was not handled properly, causing the edited tasks not to be saved, and therefore appearing blank.
  • When configuring the Slack v2 integration to send open and close notifications for incidents with at least a low priority, notifications were sent even for incidents with no priority.
  • When creating a PDF report, some script line chart widgets did not appear correctly.
  • In some cases, when logging out of Cortex XSOAR, users were not redirected to the login page causing uncertainty whether they were actually logged out.
  • (Mutli-Tenant)
    In the Marketplace, when updating playbooks, propagation labels failed to update and an error message was issued.
  • (Mutli-Tenant)
    When selecting the
    Automations
    Script Helper
    HOW TO
    tab, content was not synced from the main account to the tenant account, so that no content appeared in the tab in the tenant environment.
  • (Multi-Tenant)
    When syncing content from the main account to a tenant, the tenant theme reverted to the default theme.
  • (Multi-Tenant)
    In the main account, when detaching an automation, automations that existed in the tenant environment did not sync to tenants.
  • (Multi-Tenant)
    System dashboards could not be deleted from a tenant account.
  • (Multi-Tenant)
    Under
    Settings
    Account Management
    , when syncing with a tenant and selecting
    None
    , items that were reselected were not synced.

Cortex XSOAR 6.0.1 (B84583)

Cortex XSOAR 6.0.1 (B84583) is a maintenance release that delivers bug fixes and provides usability enhancements.
New Features
  • Added the ability for administrators to set a default query by role for Incidents, Indicators, Jobs, and War Room.
  • You can now add sub-playbooks as ad-hoc tasks.
  • Added the option to create and export custom reports in CSV format.
Fixed Issues
  • In the Filters and Transformers dialog box, Get field, a root node expression (single dot) returned an invalid path error.
  • You could not edit a Data Collection task from the playbook task editor when the task was saved without providing a value for the
    To
    field.
  • In the Work Plan, only partial data was sent, which triggered an API call from the client to the server to fetch all data whether or not the data was relevant.
  • War Room filters did not filter War Room entries as expected.
  • The Mean Time to Resolution (MTTR) widget produced a typo error when viewing or generating a report in Word doc format.
  • Comments were not shared when sharing indicators.
  • Fetching a large number of incidents caused the server to run slowly and open/close a large number of indexes.
  • Running a sub-playbook with an empty name caused the process to enter an infinite loop.
  • In the Indicators page, sorting Related Incidents did not work as expected.
  • After running an Elasticsearch query, connections remained open and created new connections for each request, which may affect server performance.
  • Indicator values containing a dot notation in custom fields were not mapped correctly.
  • In the Incident page, tasks did not display correctly after making changes.
  • Content items that contained non-UTF8 characters in file names returned an error.
  • Classifiers were not deleted from version control. For example, classifiers were deleted in a dev environment but remained in prod.
  • Live Backup of files had memory issues and warning logs did not provide sufficient information.
  • (Multi-tenant)
    HTTP headers were incorrect when a SAML response was propagated to hosts in a main-tenant environment.
Enhancements
  • HTML fields are now available as indicator fields, which enable users to create and view HTML content in indicators. HTML fields can be used in any type of indicator.
    By default, HTML fields will not use Cortex XSOAR theme CSS styles. A server configuration is available to allow HTML fields to utilize CSS styles from the current user theme. This change is relevant for all HTML entries and fields such as widgets, dashboards, incidents, indicators, etc.
    To change the default configuration for HTML fields, set the server configuration
    UI.html.use.theme.css
    to
    true
    .
    By default, HTML fields populated by integrations are limited to 50KB of data. When ingesting indicators from threat intelligence feeds, content greater than 50KB is truncated.
  • When editing or creating a widget, you can now apply two levels of grouping to the Data type (incidents, indicators, etc.). For example, if you created an incident-based widget, you can group by
    type
    and
    owner
    .
  • Users now receive a notification when content needs to be pushed from the dev environment to the prod environment.
  • You can now perform in-line editing in the Indicator Summary page.
  • Added the ability to reset the contents of the Return on Investment (ROI) widget via REST API using the
    resetROIWidget
    endpoint.

Cortex XSOAR 6.0.1 (B81077)

Cortex XSOAR 6.0.1 (B81077) is a maintenance release that delivers bug fixes and provides usability enhancements.
Fixed Issues
  • For first-time installations, the incorrect product license was displayed.
  • The marketplace version now appears in the version page.
  • In some cases, an error was thrown when installing a content pack that was not the latest version of the pack, due to missing required dependencies.
  • New content items sent to the disaster recovery (DR) server while in recovery mode corrupted the DR server.
  • The Work Plan websocket failed with an error, which caused the server to stop responding.
  • When the server was being indexed, the UI indicated that the server is being upgraded.
  • An error was thrown when ingesting file indicators from a feed
  • When using a load-balancing engine group, the configured integration credentials didn’t work.
  • (Multi-tenant)
    In deployments where dev-prod was enabled, selective propagation labels were enabled by default for the dev environment.
  • (Multi-tenant)
    Roles were deleted when syncing a tenant.
Enhancements
  • General improvements to product license validation and display.
  • Added a retry mechanism for containers that failed due to unresponsive server pings.

Recommended For You