New Features
New features available in Cortex XSOAR 6.2, including
Debugger, Widget Builder, Indicator Relationships, Lists, and Marketplace.
The following new features are categorized
by product component.
Installation file hash:
2a51950c3b21a7beb2a320de1e5c69b74b8b99641049046fca46aa88eb11d2a9
Threat Intel Management
Cortex XSOAR 6.2 introduces the following new features.
Feature | Description |
---|---|
Indicator Relationships | Relationships are connections between different
Cortex XSOAR objects that enable you to enhance investigations with
information about indicators and how they might be connected to other
incidents or indicators. To fully benefit from the
Indicator Relationships feature, make sure that your Common
Types content pack is updated for new fields and layouts to
be added and populated. Relationships can be created
automatically when indicators are ingested, or manually at various
points of the investigation process. In addition, using the
Canvas, you can view all of the indicators from an incident, see
the relationships between them, and expand the indicators to further
your investigation. This feature is only available with a
Threat Intel license. |
Taxonomy | The following taxonomy has changed:
Backward
compatibility is maintained. |
AutoFocus | Built-in AutoFocus key provisioning for TIM
licensed customers. |
License restrictions | The indicator Full View is no longer available
for new customers who have not purchased a TIM license. |
Enable incremental feeds for indicator integrations | You can now enable incremental feeds for indicator integrations.
You need to call the API commands for get and
set lastRun. |
Playbook Debugger
The Cortex XSOAR playbook debugger enables you to build
and troubleshoot playbooks, by helping you find tasks that might
fail and by testing different conditions, branches, and input and
output options.
Common use cases include:
- Playbook development - test and improve playbooks as you build them.
- Proof of concept - begin to create and test playbooks even before all integrations are in place, by manually providing inputs and outputs as needed.
- Error troubleshooting - use the debugger to find and fix issues if a playbook stops on an error.
- Explore Marketplace playbooks - install content packs and use the debugger to see whether the included playbooks are relevant for your use case.
Feature | Description |
---|---|
Choose test data | Run the playbook using an empty new mock incident
or an existing incident. |
Breakpoints and conditional breakpoints | Pause the playbook at specific tasks to make changes
and review the playbook progression. |
Skip tasks, including conditional tasks | Skip tasks and continue the playbook run. Skip conditional
tasks and force the playbook to proceed with a specific branch. |
Override inputs and outputs | Make temporary changes to task inputs and outputs
for testing. |
Debugger panel | View context data, indicators, and task results in
real time. |
Open playbooks and sub-playbooks | You can now open multiple playbooks and sub-playbooks
in tabs. |
Editing Tasks in Playbooks | You can now copy, cut, and paste tasks between
playbooks. |
System Diagnostics
The System Diagnostics page enables you to monitor and
improve system performance and resilience. You can view CPU and
memory usage, the status of the Docker service, unusually large
tasks, storage issues, etc. From the System Diagnostics page, for
some cases, such as a large Audit Trail, you can fix the issue with
one click. For issues that require more in-depth troubleshooting,
there are links directly to Knowledge Base articles.
You can customize who receives email notifications and also customize
the alerts. For example, you can decide how large a task should
be before the system flags it as a potential issue.
(Multi-tenant) A different set of System Diagnostics
is available for multi-tenant deployments. You can view System Diagnostics
for hosts from the main account and view information about CPU,
storage, and memory usage for each tenant account on a host.
Widgets
You can now create or edit a widget through the widget
builder, which enables you to define and configure data, and preview
how that widget appears. The aim of the widget builder is to let
you create complex widgets without needing to write
scripts or upload JSON files.
In the widget builder, you can now do the following:
Feature | Description |
---|---|
Script based widgets | When adding the script to the widget, you can
define the arguments, change the color, layout, etc. in the widget,
without having to change the script itself. |
Data manipulation on output values | In the Operations tab
you can do complex data manipulation, similar to scripting. When
you select one of the options (such as Average, Sum, etc.), relevant
data according to the widget data type is retrieved. |
Custom calculation on fields | You can do your own complex calculation
on fields, such as the average time that incidents are late. When
you start adding your own calculations, the custom calculation modal suggests
incident fields to add, which are automatically validated. You
can add mathematical operators (such as +, -, /, *) between
fields. Variables using {} are also supported. |
Define custom groups | You can define how to group the data,
and limit the number of results to return. When creating
a widget using the Group by field, the Add
as optional graph checkbox has been removed from the Attributes tab
when creating or editing a custom field. This enables you to create
widgets using the Group by option without
having to select the Add as optional graph checkbox. For custom
fields, ensure that Make data available for search is
checked, so that the field is available in the Group by field. |
Widget data types | In addition to indicator and incident data
types, you can now create the following: - War Room Entries: Create
widgets from War Room entries, such as the number of entries according
to the owner. - SOAR Metrics: Create widgets relating to playbooks,
automations, integrations, etc. |
Timer widget | You can now also create data in a timer format
widget. For example, Mean Time to Assignment. |
Limit output results | Limit the display results according to the
top/bottom number. You can also show or hide others in a
widget. |
General UI improvements | Change how the data appears by adding a legend or
reference line (including the Mobile app), changing the axis names,
formatting the output according to time length, showing a percentage or
value on the widget, customizing the color legend, etc. General
improvements such as graph sizes, hover opacity effect, legends
in full view, etc. |
Widgets color picker | You can now use a color palette to edit the
colors for custom fields, incident fields, widgets in the widget
builder, in the dashboard, and in the Mobile app. |
JSON file download | You can download the widget as a JSON file. |
Widget Errors | When creating a widget in the widget builder,
the default widget type is a table. If any error occurs when fetching
the data, you receive an error that you can expand to see the
full error details. If creating a script based widget, you may
select a widget type that is not supported by the data created (you
are controlling the data). If so, you receive a dedicated error
that confirms the selected widget type is not supported by the data provided. |
Dashboards
Feature | Description |
---|---|
Dashboard pivoting | You can now filter dashboard data by either
typing a query in the query bar, or in the relevant widget, by clicking Filter
in . For example, if you have a Severity by Type widget
that contains a number of incident types with different severities
and you only want to see Phishing incidents that are critical, you
can filter the widget by type and severity. |
Default dashboards | You can now define the default dashboards for
each role. Go to Settings > USERS AND ROLES > Roles and, in the Default Dashboards field,
select the dashboards from the dropdown list. For example, in a production environment,
an administrator defines the default dashboards for each role. Users can
then add these dashboards, which are added to their existing dashboards.
These default dashboards can be removed but not deleted, and can
be added again if required. |
Customize the Widget Color in dashboards | You can now change the color of a widget
from a dashboard or in the Widgets Library, and at a user level. If changing
color in the dashboard, the color changes only for that widget.
If you want to change the color of the widget permanently, you can
edit the color in the Widgets Library. |
Duplicate widgets in a dashboard | You can now duplicate a widget that appears
in an existing dashboard. |
New Dashboard and Widget Metrics | Add new dashboards that help troubleshoot and
optimize Cortex XSOAR for automations, integrations, playbooks,
and tasks. Also new out of the box widgets, such as Execution runtime
per playbook, task execution counts per task name, etc. |
Share a dashboard via a link | After sharing a dashboard, you can send the
URL link to another user. Users can then click the link and the dashboard
is added to their dashboards. |
Create a report from a dashboard | You can now generate a report from the dashboard
as is, or add new widgets as required. You can set the format, when
to run, orientation, etc. To run the report, click Run Now.
After the report is generated, it appears in the Reports tab,
so it can be run again. |
Reports
Feature | Description |
---|---|
Print Full Chart | You can force print the whole chart (in the
widget, right click, and select Full Print Full Chart),
regardless of layout limitations. If selected, it is recommended
to move this widget to a separate row so that it appears correctly. |
Restrict Roles | When scheduling a report you can now restrict
the content of the report according to roles, by selecting a role
from the Run as Roles field. |
Page Breaks | You can now insert your own page breaks by
adding the Page Break widget. |
Attach Customer Logo to Reports | You can add your own logo to a report, by uploading
your logo in Settings > Troubleshooting > Full-size logo. |
Always Show Widget Legends on Reports | In the report builder and when generating a
report, you can now see the legend in a chart. |
Marketplace
Cortex XSOAR Marketplace is the central location for
installing, exchanging, contributing, and managing all of your content,
including playbooks, integrations, automations, fields, layouts,
and more. Cortex XSOAR 6.2 introduces the following features to
the Marketplace.
Feature | Description |
---|---|
Remove role based validation for trial Content Packs | Users who are registered with Palo Alto
Customer Support regardless of their role can review and install
trial Content Packs, but cannot subscribe/unsubscribe to premium
Content Packs, unless their role allows. If users want to
buy a Content Pack, they need to be a Marketplace Administrator
before installing a premium Content Pack. |
Landing page updates | General improvements:
|
Public Web Marketplace | You can now view and share Content Pack information,
such as details, downloads, content and version history,
etc., without logging into Cortex XSOAR, by going to https://xsoar.pan.dev/marketplace. |
Sync Content Packs | You can now run the sync_marketplace_packs command, which
syncs content with remote URLs immediately. If no content is displayed
when accessing the Marketplace, there could be a connectivity issue
with remote URLs (https://xsoar.pan.dev/ and https://storage.googleapis.com/marketplace-dist/).
After making changes, run this command to test connectivity. |
Enable Reporting information on Community
Content Packs | For community supported Content Packs, contact
information (such as email or developer's URL) and Live Community
URL is now supplied. |
Validate Marketplace contributions | When submitting content to the marketplace,
you can now validate the content and check for errors before finalizing
your submission. |
Marketplace Recommendations | The landing page now shows sections of packs,
categorized by predefined values. |
Case Management
Feature | Description |
---|---|
Support JSON body for Internal Requests | When using the Cortex XSOAR API, for internal requests,
the request body can now be parsed as JSON as well as a
string body. |
Polling sequence | When running a playbook, you can now wait for
a remote process to finish execution before proceeding to the next
task. |
Duplicate an incident type | Incident types can be duplicated and maintain
all of their original associated fields. |
Overwrite Cortex XSOAR fields with third
party integrations | Users can allow third party integrations to
overwrite specific Cortex XSOAR fields if needed. |
Remove the creation timestamp from indicators | On the investigation canvas, creation timestamps are
no longer shown for indicators. |
Sort mappers and classifiers alphabetically | When configuring an integration instance, the
list of mappers and classifiers is sorted alphabetically. |
Bi-directional mirroring | Bi-directional mirroring now occurs on fields
that have already been updated on the Cortex XSOAR side, and can
also be updated from the remote service. There is an option to reset
the dirty fields flag by using the resetDirtyFields command. |
(Multi-tenant) Run command across
multiple tenants | When viewing incidents from the main account,
you can run a command across multiple incidents located on multiple
tenants. |
(Multi-tenant) Override playbook
inputs when syncing multiple tenants | When syncing playbook content to multiple tenants, you
can choose whether to override playbook inputs on tenant accounts. |
(Multi-tenant) Select a custom
port for host to main communications | You can now specify the port for host to main communications
by adding a server configuration, host.communication.port. |
Reliability Information in an indicator
layout | When adding the Verdict field
to an indicator layout, you can now see the reliability score in
the field. |
Link to the War Room using the createNewIndicator command | When creating an indicator using the createNewIndicator command,
you can now click the link to the War Room entry in the First Seen (parent
entry) and the Last Seen columns in the indicators
table (Threat Intel page). |
Detach playbook from editor | When an attached playbook is opened in the
editor, it can be detached from within the editor page. |
Engine Health Check | After disconnecting from an engine, server
requests were still directed to the engine. |
Script arguments for inputs | When using the following automations, you can select
inputs from a drop-down list and use the search functionality to
easily find the input you need.
|
Platform
Feature | Description |
---|---|
New Login page | Improved the login page to support logos of
all types. |
Notify when account/hosts are down | You can now configure notifications for hosts
and accounts that are not responsive. |
Redesign of the Lists page | The Lists page has been
completely redesigned. You can now do the following
|
Import an incident from a JSON file | You can now create a new Cortex XSOAR incident
by importing third party event data (JSON) through the mapper. |
Customize colors for Widgets and fields | You can now use a color palette to edit the
colors for custom fields, incident fields, widgets in the widget builder,
in the dashboard and in the Mobile app. The colors that appear
in the palette are based on the order that the results are returned.
The biggest result takes the first color, the second takes the second
color, etc. For example, in the assigned incidents widget, if User
A has 900 (blue), User B has 600 (green) and User C has 500 (red)
incidents, then blue, green and red appear in that order in the palette. |
Hide Incident Summary Tabs | In an incident layout, when selecting the Show
this tab on Cortex XSOAR mobile app if role allows checkbox, you
can now select the Hide this tab on Cortex XSOAR web checkbox. This
is useful if you want to add mobile specific functionality. |
Add Reliability information to the Verdict
Field | When adding the Verdict field to an indicator
layout, you can now see the reliability score in the field. |
Machine learning status update | Machine learning training status page updates
to completed or failed without requiring a page refresh. |
New 404 page | New 404 page design including links to incidents
and home page. |
Select log level for integration instances | When configuring an integration instance, you
can now override the server log level for a specific instance and
write the log to a separate file. |
Name playbooks | When you add a new playbook, you must now name the
playbook before you begin to add tasks. |
Open and save multiple playbooks | You can now open multiple playbooks and sub-playbooks
in tabs and save individual playbooks or all open playbooks with
one click. |
Legend for horizontal column chart | The legend for horizontal column charts is
now displayed at the top of the widget. |
Improved save options for playbooks | When you save a version of the current playbook, the
playbook does not automatically close, and you can continue editing.
The Save version for current Playbook option
is now a drop-down available from the Save Playbook button. |
Show or hide deprecated playbooks | You can show or hide deprecated playbooks in
the playbook list, and deprecated playbooks are labeled as deprecated.
Deprecated playbooks do not appear by default. |
Telemetry | If telemetry is enabled, the Pendo service
collects data related to user interface analytics. |
Run automation scripts on engines | You can now run automation scripts on engines.
If a script is attached to an engine and the engine is not available,
the script will run on the server instead. |
Incident fields pagination | When viewing the incident fields page, you
can navigate by page instead of scrolling through a long list. |
Press q to exit in EULA during installation | When installing Cortex XSOAR, you can now see "press q to exit" in
the EULA. |
New welcome pages | After upgrading to a later version of Cortex
XSOAR, when viewing new or improved features for the first time,
a pop up window displays with an introduction to the feature and
links to more information. Welcome pages appear for the playbook
debugger, playbook editor, widget builder, dashboards, indicator
relationships, system diagnostics, and reports. |
User name recorded in audit trail for harmful
commands | When a user runs a potentially harmful command from
the debugger, the audit trail includes the user name. |
Error for invalid commands | When a user tries to run a command that doesn't exist
or that is disabled, an error is displayed. |
Link to existing incidents | When adding a note to an incident in the war
room, when you type the # symbol, you have
the option of automatically linking to another existing incident. |
Sort incident fields by default display
form | In the incident fields table, you can now sort
by the default display form. |
Change default user | During Cortex XSOAR installation, the default demisto user
name can be changed. The group name will be equal to the selected
user name. |
App servers and upgrade logs | For High Availability installations, the log
bundle now includes information about which app servers are available. |
App server - audit log file | In High Availability installations, when an
app server comes online for the first time, or the details of an app
server change, an entry is created in the audit log and log file. |
(Multi-tenant) Improved content
syncing | Content will appear in sync modal only if it
actually requires syncing, rather than syncing on every change. |
(Multi-tenant) Improved license
information | Error message is now returned if no valid multi-tenant
license is found, and you do not need to restart the server after
adding the license. |
(Multi-tenant) Filter tenant accounts | On the main account management page, tenant accounts
can be filtered by status and by high availability group. |
(Multi-tenant) Audit trail entries
logged when switching between accounts | Audit trail entries are added when a user switches from
a main account to a tenant account or between tenant accounts. |