Addressed Issues

Cortex XSOAR 6.1 addressed issues.
These issues are fixed in the Cortex XSOAR 6.1 release.
  • When generating an incident report, the close reason was given as 'N/A', even though a close reason was ‘resolved’, or ‘false positive’, etc.
  • In the Incident Tasks window, when you selected a radio button on a second task, it changed the first task radio button.
  • When closing an incident by a user who is not part of the investigation team, while viewing the incident, the user did not see that the incident was closed.
  • When running a query as an input in a playbook, and using the
    closeInvestigation
    command in a task, after closing the incident, the
    CloseReason
    value appeared, rather than the entered value.
  • When exporting an incident or indicator to CSV format, Cortex XSOAR generated the report in UTF8 format and did not support UTF8-BOM. Incidents or an indicators that contained Cyrillic characters, such as Russian, Greek, etc, were incomprehensible.
  • When searching for incidents that did not contain a field, such as
    “”
    , the server became unresponsive due to high memory consumption.
  • When searching for incidents and sorting by field, clicking the next page produced incorrect results.
  • Long incident names caused the browser to become unresponsive.
  • In the incidents table, when changing pages quickly before the data loaded, caused the table to display wrong information.
  • In the Firefox browser, when opening an incident, occasionally the incident layout did not display correctly.
  • The
    setIncident
    command failed when a user field was added to the incident layout, but the user was subsequently deleted.
  • When using the
    createNewIncident
    command with the
    entryID
    argument, if you added multiple entry IDs, the new incident created only the first file
    entryID
    .
  • When using a data collection task to send an email with the
    Complete and expire automatically
    field set to
    Reached task SLA (with or without a reply)
    , the task did not complete after the allotted time window.
  • After an incident was closed, a data collection task continued to run, including sending emails.
  • In a Data Collection Task, when setting the retry count to 0, the value in the user interface would reset to default.
  • When submitting a data collection task that had already been completed, an empty message appeared which did not show that the task had ended.
  • In a task, when adding a completion note and an attachment, after you clicked
    Mark Completed
    , the completion note did not appear in the War Room.
  • When selecting quiet mode in a playbook such as Send Investigation Report, the send-mail task did not send an email with an attachment.
  • When running the
    playground_create
    command, investigation data was not deleted from a previous playground.
  • After logging in, if there were a substantial number of history workplans in the playground, it caused a memory spike.
  • When running the
    verodin-get-jobs
    command in the
    Verodin
    integration, playbooks took a long time to complete due to slow merging of large context.
  • Notes in the War Room were truncated regardless of the value set in the
    ui.entry.max.chars server
    configuration.
  • If you had large data in a War Room entry, when clicking
    View full artifact in a new tab
    , the data was truncated.
  • When exporting indicators to a CSV file, the
    relatedIncCount
    field was blank even though there were related incidents.
  • When indicators had been auto-extracted without an indicator feed, indicator expiration was ignored even though it was defined.
  • Inconsistency in the enrichment integrations data in the
    Indicator Summary
    page. For example, CS Falcon score was shown in Reputation but not in Sources Data. This is due to enrichment vendors not being incorporated into the indicator fields and into Reputation when they were enriched, but not as part of the auto-extract flow. The bug-fix filters such vendors in the indicator reputation section and indicator endpoints.
  • When running the
    createNewIndicator
    command, with the file hash
    md5
    value, the auto extract process failed to merge existing file hashes, which caused duplicate indicators.
  • SAML login failed due to the server becoming slow as the database was using both transactions and retries for BoltDB and Elasticsearch, respectively.
  • When a search on a Bleve database panicked, an error was received on the server.
  • When updating a field that contained a pipe (for example, | Gurleen | XDR | port | scan | test |), the pipe was treated as markdown and did not display correctly.
  • In a multi-select field, it was not possible to add a comma character (,) value.
  • When batch deleting a large number of content packs, the server became slow and unusable due to high memory usage.
  • In the
    Contributions
    tab, when selecting
    Save and download your contribution
    , if you did not set an email address in your user profile details, a file was downloaded with undefined string content.
  • When mapping incident fields in the Mapping Editor, some values would disappear from the fields when mapped. This occurred when selecting the incident field and clicking data in the JSON which included an array inside a search, or where the data included special characters such as \ " . ( ).
  • If you had more than a 100 unclassified events, in the
    Incidents Classification Editor
    , some events did not appear in the
    Unclassified
    section.
  • French accent characters (for example Périmètre) did not appear correctly in the database, as CLI names were truncated and special characters were removed.
  • In the War Room. or in markdown fields in the summary page, when using non-ASCII characters in a markdown table, indicators would be rendered with additional characters.
  • When creating more than one credentials parameter in the integration instance, the credentials objects were returned empty/mixed.
  • When creating an integration instance with credentials, the credentials did not appear correctly in the
    Credentials
    tab.
  • If creating an integration instance name that contained parentheses, an error was issued when fetching credentials.
  • When running a reputation script that did not return entries, it caused the script to fail.
  • When using
    demisto.parentEntry()
    in a script such as
    !py script="demisto.results(demisto.parentEntry())
    some values that were returned were missing such as user, content, category, etc.
  • Some out of the box widgets displayed inconsistent capitalization in the dashboard and the capitalization was not as entered.
  • When creating a new phishing machine learning model, and selecting the filter
    Years ago
    , field values were not returned, even though they existed.
  • When training a phishing machine learning session, the session continually showed
    Training in progress
    . This was caused by unexpected script failures to certain inputs.
  • When using remote repositories, in the production environment, when defining an integration instance, the incident type field was missing even though it appeared in the development environment.
  • The production server started to crash and became slow and inaccessible due to high
    Goroutines
    caused by the API response call not closing the response body.
  • When a remote repository is enabled, indicator feeds did not display the expiration method in the production environment, even though they existed in the development environment.
  • In some situations, such as when pushing to production, upgrading to v6.01 and above, or when switching from a standalone system to development/production, dashboards could not be shared or viewed.
  • It was not possible to configure a remote repository with Azure Devops, as the SSH URL regex pattern was not added to the session data.
  • SLA timers did not send a breach notification even though the date had passed, when there were a number of SLA requests that had not started.
  • When adding the SLA field to an incidents table, it was not possible to search for the information in the SLA field.
  • In the
    Mattermost
    integration, when using the
    send-notification
    command and the
    ignoreAddURL=true
    argument, the URL was always added.
  • It was not possible to pull the log bundle, as a panic appeared in the log.
  • (
    Multi-tenant
    ) You could not delete a role when the role name contained a slash ( / ).
  • (
    Multi-tenant
    ) When changing the password for the user in the Main Account, a message appeared showing the password had been used before, even though it had not been used previously.
  • (
    Multi-tenant
    ) In the Main account, where a widget included a table with a
    Modified
    column, when trying to sort data according to the
    Modified
    column, data was sorted according to ID.
  • (
    Multi-tenant
    ) In the Main account, when adding a tenant to a newly created host with a non-unique name, the tenant could not be added. Even after deleting the account, an error appeared showing the account ‘already exists’. This was due to an index error.
  • (
    Multi-tenant
    ) When syncing integration instances from the Main account to tenants, the tenants integration context data was deleted, and then recreated with default values.

Recommended For You