New Features

New features available in Cortex XSOAR 6.2, including Debugger, Widget Builder, Indicator Relationships, Lists, and Marketplace.
The following new features are categorized by product component.
Installation file hash:

Threat Intel Management

Cortex XSOAR 6.2 introduces the following new features.
Indicator Relationships
Relationships are connections between different Cortex XSOAR objects that enable you to enhance investigations with information about indicators and how they might be connected to other incidents or indicators.
To fully benefit from the Indicator Relationships feature, make sure that your Common Types content pack is updated so that new fields and layouts are added and populated.
Relationships can be created automatically when indicators are ingested, or manually at various points of the investigation process.
In addition, using the Canvas, you can view all of the indicators from an incident, see the relationships between them, and expand the indicators to further your investigation.
This feature is only available with a Threat Intel license.
The following taxonomy has changed:
  • Threat Intel
    replaces the
  • Verdict
    . The Reputation (Verdict) values have been updated from
    , and
Backward compatibility is maintained.
Built-in AutoFocus key provisioning for TIM licensed customers.
License restrictions
The indicator Full View is no longer available for new customers who have not purchased a TIM license.
Enable incremental feeds for indicator integrations
You can now enable incremental feeds for indicator integrations. You need to call the API commands for
and set

Playbook Debugger

The Cortex XSOAR playbook debugger enables you to build and troubleshoot playbooks, by helping you find tasks that might fail and by testing different conditions, branches, and input and output options.
Common use cases include:
  • Playbook development - test and improve playbooks as you build them.
  • Proof of concept - begin to create and test playbooks even before all integrations are in place, by manually providing inputs and outputs as needed.
  • Error troubleshooting - use the debugger to find and fix issues if a playbook stops on an error.
  • Explore Marketplace playbooks - install content packs and use the debugger to see whether the included playbooks are relevant for your use case.
Choose test data
Run the playbook using an empty new mock incident or an existing incident.
Breakpoints and conditional breakpoints
Pause the playbook at specific tasks to make changes and review the playbook progression.
Skip tasks, including conditional tasks
Skip tasks and continue the playbook run. Skip conditional tasks and force the playbook to proceed with a specific branch.
Override inputs and outputs
Make temporary changes to task inputs and outputs for testing.
Debugger panel
View context data, indicators, and task results in real time.
Open playbooks and sub-playbooks
You can now open multiple playbooks and sub-playbooks in tabs.
Editing Tasks in Playbooks
You can now copy, cut, and paste tasks between playbooks.

System Diagnostics

The System Diagnostics page enables you to monitor and improve system performance and resilience. You can view CPU and memory usage, the status of the Docker service, unusually large tasks, storage issues, etc. From the System Diagnostics page, for some cases, such as a large Audit Trail, you can fix the issue with one click. For issues that require more in-depth troubleshooting, there are links directly to Knowledge Base articles.
You can customize who receives email notifications and also customize the alerts. For example, you can decide how large a task should be before the system flags it as a potential issue.
A different set of System Diagnostics is available for multi-tenant deployments. You can view System Diagnostics for hosts from the main account and view information about CPU, storage, and memory usage for each tenant account on a host.


Widget Builder

You can now create or edit a widget through the widget builder, which enables you to define and configure data, and preview how that widget appears. The widget builder lets you create complex widgets without writing scripts or uploading JSON files.
In the widget builder, you can now do the following:
Script based widgets
When adding the script to the widget, you can define the arguments and change the color, layout, etc. in the widget, without having to change the script itself.
Data manipulation on output values
In the
tab you can do complex data manipulation, similar to scripting. When you select one of the options (such as Average, Sum, etc.) relevant data according to the widget data type is retrieved.
Custom calculation on fields
You can do your own complex calculation on fields, such as the average time that incidents are late. When you start adding your own calculations, the custom calculation modal suggests incident fields to add, which are automatically validated.
You can add mathematical operators (such as
) between fields. Variables using
are also supported.
Define custom groups
You can define how the data is divided into groups, and limit the number of results to return.
When creating a widget using the Group by field, the Add as optional graph checkbox has been removed from the
tab when creating or editing a custom field. This enables you to create widgets using the Group by option without having to select the Add as optional graph checkbox.
For custom fields, ensure that the Make data available for search is checked, so it is available in the Group by
Widget data types
In addition to indicator and incident data types, you can now create the following:
War Room Entries: Create widgets from War Room entries, such as the number of entries according to the owner.
SOAR Metrics: Create widgets relating to playbooks, automations, integrations, etc.
Timer widget
You can now also create data in a timer format widget. For example, Mean Time to Assignment.
Limit output results
Limit the display results according to the top/bottom number. You can also show or hide
in a widget.
General UI improvements
Change how the data appears by adding a legend or reference line (including the Mobile app), changing the axis names, formatting the output according to time length, showing a percentage or value on the widget, customizing the color legend, etc.
General improvements such as graph sizes, hover opacity effect, legends in full view, etc.
Widgets color picker
You can now use a color palette to edit the colors for custom fields, incident fields, widgets in the widget builder, in the dashboard, and in the Mobile app.
JSON file download
You can download the widget as a JSON file.
Widget Errors
When creating a widget in the widget builder, the default widget type is a table. If any error occurs when fetching the data, you receive an error that you can expand to see the full error details.
If creating a script based widget, you may select a widget type that is not supported by the data created (you are controlling the data). If so, you receive a dedicated error that confirms the selected widget type is not supported by the data provided.


Dashboards

Dashboard pivoting
You can now filter dashboard data by either typing a query in the query bar, or in the relevant widget, by clicking Filter in. For example, if you have a Severity by Type widget that contains a number of incident types with different severities and you only want to see Phishing incidents that are critical, you can filter the widget by type and severity.
Default dashboards
You can now define the default dashboards for each role. Go to
and in the Default Dashboards field, from the dropdown list select the dashboards.
For example, in a production environment, an administrator defines the default dashboards for each role. Users can then add these dashboards, which are added to their existing dashboards. These default dashboards can be removed but not deleted, and can be added again if required.
Customize the Widget Color in dashboards
You can now change the color in a widget and from a dashboard in the widget library and at a user level. If you change the color in the dashboard, the color changes only for that widget. If you want to change the color of the widget permanently, you can edit the color in the Widgets Library.
Duplicate widgets in a dashboard
You can now duplicate a widget that appears in an existing dashboard.
New Dashboard and Widget Metrics
Add new dashboards that help troubleshoot and optimize Cortex XSOAR for automations, integrations, playbooks, and tasks. New out-of-the-box widgets are also available, such as Execution runtime per playbook, task execution counts per task name, etc.
Share a dashboard via a link
After sharing a dashboard, you can send the URL link to another user. Users can then click the link and the dashboard is added to their dashboard.
Create a report from a dashboard
You can now generate a report from the dashboard as is, or add new widgets as required. You can set the format, when to run, orientation, etc. To run the report, click Run Now. After the report is generated, it appears in the Reports tab, so it can be run again.


Reports

Print Full Chart
You can force print the whole chart (in the widget, right-click and select Full Print Full Chart), regardless of layout limitations. If selected, it is recommended to move this widget to a separate row so that it appears correctly.
Restrict Roles
When scheduling a report you can now restrict the content of the report according to roles, by selecting a role from the Run as Roles
Page Breaks
You can now insert your own page breaks by adding the Page Break
Attach Customer Logo to Reports
You can add your own logo to a report, by uploading your logo in Full-size logo
Always Show Widget Legends on Reports
In the report builder and when generating a report, you can now see the legend in a chart.


Marketplace

Cortex XSOAR Marketplace is the central location for installing, exchanging, contributing, and managing all of your content, including playbooks, integrations, automations, fields, layouts, and more. Cortex XSOAR 6.2 introduces the following features to the Marketplace.
Remove role based validation for trial Content Packs
Users who are registered with Palo Alto Customer Support, regardless of their role, can review and install trial Content Packs, but cannot subscribe to or unsubscribe from premium Content Packs unless their role allows.
If users want to buy a Content Pack, they need to be a Marketplace Administrator before installing a premium Content Pack.
Landing page updates
General improvements:
  • The landing page now shows sections of packs, categorized by pre-defined values.
  • When navigating between installed Content Packs, the selected tab is preserved.
Public Web Marketplace
You can now view and share Content Pack information, such as details, downloads, content and version history, etc., without logging into Cortex XSOAR, by going to https://xsoar.pan.dev/marketplace.
Sync Content Packs
You can now run the
command, which syncs content with remote URLs immediately. If no content is displayed when accessing the Marketplace, there could be a connectivity issue with remote URLs (https://xsoar.pan.dev/ and https://storage.googleapis.com/marketplace-dist/). After making changes, run this command to test connectivity.
Enable Reporting information on Community Content Packs
For community supported Content Packs, contact information (such as email or developer's URL) and Live Community URL are now supplied.
Validate Marketplace contributions
When submitting content to the marketplace, you can now validate the content and check for errors before finalizing your submission.
Marketplace Recommendations
The landing page now shows sections of packs, categorized by predefined values.

Case Management

Support JSON body for Internal Requests
When using the Cortex XSOAR API for internal requests, the request body can now be parsed as JSON as well as a string body.
Polling sequence
When running a playbook, you can now wait for a remote process to finish execution before proceeding to the next task.
Duplicate an incident type
Incident types can be duplicated and maintain all of their original associated fields.
Overwrite Cortex XSOAR fields with third party integrations
Users can allow third party integrations to overwrite specific Cortex XSOAR fields if needed.
Remove the creation timestamp from indicators
On the investigation canvas, creation timestamps are no longer shown for indicators.
Sort mappers and classifiers alphabetically
When configuring an integration instance, the list of mappers and classifiers is sorted alphabetically.
Bi-directional mirroring
Bi-directional mirroring now occurs on fields that have already been updated on the Cortex XSOAR side, and can also be updated from the remote service. There is an option to reset the dirty fields flag by using the
Run command across multiple tenants
When viewing incidents from the main account, you can run a command across multiple incidents located on multiple tenants.
Override playbook inputs when syncing multiple tenants
When syncing playbook content to multiple tenants, you can choose whether to override playbook inputs on tenant accounts.
Select a custom port for host to main communications
You can now specify the port for host to main communications by adding a server configuration,
Reliability Information in an indicator layout
When adding the
field to an indicator layout, you can now see the reliability score in the field.
Link to the War Room using the
When creating an indicator using the
command, you can now click the link to the War Room entry in the First Seen (parent entry) and the Last Seen columns in the indicators table (Threat Intel page).
Detach playbook from editor
When an attached playbook is opened in the editor, it can be detached from within the editor page.
Engine Health Check
After disconnecting from an engine, server requests were still directed to the engine.
Script arguments for inputs
When using the following automations, you can select inputs from a drop-down list and use the search functionality to easily find the input you need.
  • Setincident
  • Setindicator
  • Newincident
  • Newindicator


New Login page
Improved the login page to support logos of all types.
Notify when account/hosts are down
You can now configure notifications for hosts and accounts that are not responsive.
Redesign of the Lists page
The Lists page has been completely redesigned. You can now do the following:
  • The Lists page appears as a list with a script editor for easy viewing and editing.
  • Easily search a list by name.
  • When adding or editing a list, you can now select content type and restrict permissions to read and write or read only.
  • Easily change the list content type for syntax highlights.
Import an incident from a JSON file
You can now create a new Cortex XSOAR incident by importing third party event data (JSON) through the mapper.
Customize colors for Widgets and fields
You can now use a color palette to edit the colors for custom fields, incident fields, widgets in the widget builder, in the dashboard and in the Mobile app.
The colors that appear in the palette are based on the order that the results are returned. The biggest result takes the first color, the second takes the second color, etc. For example, if in the assigned incidents widget User A has 900 (blue), User B has 600 (green), and User C has 500 (red) incidents, then blue, green, and red appear in that order in the palette.
Hide Incident Summary Tabs
In an incident layout, when selecting the Show this tab on Cortex XSOAR mobile app if role allows checkbox, you now select the Hide this tab on Cortex XSOAR web
This is useful if you want to add mobile specific functionality.
Add Reliability information to the Verdict Field
When adding the Verdict field to an indicator layout, you can now see the reliability score in the field.
Machine learning status update
The machine learning training status page now updates to completed or failed without requiring a page refresh.
New 404 page
New 404 page design including links to incidents and home page.
Select log level for integration instances
When configuring an integration instance, you can now override the server log level for a specific instance and write the log to a separate file.
Name playbooks
When you add a new playbook, you must now name the playbook before you begin to add tasks.
Open and save multiple playbooks
You can now open multiple playbooks and sub-playbooks in tabs and save individual playbooks or all open playbooks with one click.
Legend for horizontal column chart
The legend for horizontal column charts is now displayed at the top of the widget.
Improved save options for playbooks
When you save a version of the current playbook, the playbook does not automatically close, and you can continue editing. The Save version for current Playbook option is now a drop-down available from the Save Playbook
Show or hide deprecated playbooks
You can show or hide deprecated playbooks in the playbook list, and deprecated playbooks are labeled as deprecated. Deprecated playbooks do not appear by default.
If telemetry is enabled, the Pendo service collects data related to user interface analytics.
Run automation scripts on engines
You can now run automation scripts on engines. If a script is attached to an engine and the engine is not available, the script will run on the server instead.
Incident fields pagination
When viewing the incident fields page, you can navigate by page instead of scrolling through a long list.
Press q to exit in EULA during installation
When installing Cortex XSOAR, you can now see press q to exit in the EULA.
New welcome pages
After upgrading to a later version of Cortex XSOAR, when viewing new or improved features for the first time, a pop-up window displays an introduction to the feature and links to more information. Welcome pages appear for the playbook debugger, playbook editor, widget builder, dashboards, indicator relationships, system diagnostics, and reports.
User name recorded in audit trail for harmful commands
When a user runs a potentially harmful command from the debugger, the audit trail includes the user name.
Error for invalid commands
When a user tries to run a command that doesn't exist or that is disabled, an error is displayed.
Link to existing incidents
When adding a note to an incident in the war room, when you type the
symbol, you have the option of automatically linking to another existing incident.
Sort incident fields by default display form
In the incident fields table, you can now sort by the default display form.
Change default user
During Cortex XSOAR installation, the default
user name can be changed. The group name will be equal to the selected user name.
App servers and upgrade logs
For High Availability installations, the log bundle now includes information about which app servers are available.
App server - audit log file
In High Availability installations, when an app server comes online for the first time, or the details of an app server change, an entry is created in the audit log and log file.
Improved content syncing
Content will appear in the sync modal only if it actually requires syncing, rather than syncing on every change.
Improved license information
An error message is now returned if no valid multi-tenant license is found, and you do not need to restart the server after adding the license.
Filter tenant accounts
On the main account management page, tenant accounts can be filtered by status and by high availability group.
Audit trail entries logged when switching between accounts
Audit trail entries are added when a user switches from a main account to a tenant account or between tenant accounts.
