New Features

New features available in Cortex XSOAR 6.5, including Threat Intel, Unit 42, Threat Intel reports, case management and Platform improvements.
The following new features are categorized by product component.
Installation file hash:

Threat Intel Management

Cortex XSOAR 6.5 introduces the following new features.
Unit 42 Intel Service
Cortex XSOAR Threat Intel now includes access to the Unit 42 Intel service, enabling you to identify threats in your network and discover and contextualize trends.
Unit 42 Intel provides data from the following:
  • Palo Alto Networks WildFire (cloud-based malware sandbox)
  • PAN-DB URL Filtering database
  • Palo Alto Networks’ internal Unit 42 threat intelligence team
  • Third-party feeds (including both closed and open-source intelligence)
Unit 42 Intel data is continually updated to include the most recent threat samples analyzed by Palo Alto Networks, enabling you to keep up to date with threat trends and take a proactive approach to securing your network.
Indicator Queries
You can now perform lookups in Unit 42 Intel for IP addresses, URLs, domains, and SHA256 hashes.
Sample Analysis
Unit 42 Intel provides a full report of activities, properties, and behaviors associated with file samples, enabling you to find links between attacks and analyze threat patterns.
Sessions & Submissions
You can now use sessions and submissions data from Palo Alto Networks Firewalls, WildFire, Cortex XDR, Prisma SaaS, and Prisma Access for investigation and analysis.
Add Unit 42 Intel data to Cortex XSOAR
You can choose to add Unit 42 Intel data for specific indicators to your Cortex XSOAR Threat Intel library, and use this data in playbooks and automations.
Threat Intel Reports
Cortex XSOAR 6.5 includes new Threat Intel reporting capabilities. Threat Intel reports summarize and share threat intelligence research conducted within your organization by threat analysts and threat hunters. Threat intelligence reports help you to communicate the current threat landscape to internal and external stakeholders, whether in the form of high-level summary reports for C-level executives, or detailed, tactical reports for the SOC and other security stakeholders.
This feature enables you to do the following:
  • Create Threat Intel reports based on out-of-the-box or customized layouts, while applying rich formatting to the body of the report.
  • Publish a report within Cortex XSOAR to share with other users.
  • Export a report to PDF format.


Marketplace login
In the Marketplace, when you try to log in or register with the Customer Support Portal, the sign-in message now explains how to fix the "site cannot be reached" error message.
Filter by content packs that use integrations
You can now filter the Marketplace for Content Packs that use integrations for which you have added instances (whether or not they are enabled).
Filter by content packs that you have installed
You can now filter the list of Content Packs in the Marketplace for packs that you have installed using the Show installed toggle button. This button is disabled by default.
Search for integrations that work with a specific content pack
When viewing a content pack in the Marketplace, you can now click on an integration image icon in the
section to search the Marketplace for that integration.

Case Management

Lists can now be included in a Content Pack and be installed from the Marketplace.
You can also do the following:
  • Upload/download lists
  • In a remote repository, lists can be pushed to a production environment.
  • (
    ) You can now propagate lists from the Main Account to Tenants.
Elasticsearch Migration - additional flags
When migrating to Elasticsearch, you now have the option to log individual failed items either in a single meta file, or a file per item failure by using the log-failed-items flag.
Enable go to link for script widgets
When creating a custom widget using an automation script, you can now add a script that pivots data in the dashboard and between pages.
command to 'never expire'
Indicators can now be set to never expire by using the
command. For example,
!setIndicators expiration="Never"
General Mobile improvements
Mobile now supports the latest Markdown improvements.
Remove tags from War Room entries
You can now remove one or more tags from War Room entries by using the
Labels indicating whether an input/output task is overridden
Playbook task cards now show labels indicating if a task input or output has been overridden.
Incident/Indicator fetch limit
(Hosted development instances only) To prevent workflow overloads that led to system crashes, Cortex XSOAR now limits the number of incidents and indicators that can be fetched within a given time frame. The new limits are:
  • 1000 indicators within a 24 hour period.
  • 1000 incidents within a 24 hour period.
For on-premises customers, these limits are disabled by default, but are configurable through the following server configurations.
: Whether fetch limits are imposed for indicators. Value: true (default) or false.
: The maximum number of total indicators that can be fetched. Default is 5,000,000.
Message in War Room for posts hidden by filters
When you add a message in the War Room that is hidden by a filter, a message now appears indicating that you need to clear filters to see the message.
Docker Tags
The following Docker tags have been updated:
  • The default PowerShell Docker image used by integrations/automations that do not explicitly specify a Docker image has been updated to
  • The Python base Docker image used by
    has been updated to python3-deb:
Allocate account ports by the operating system
) When starting a tenant account, new tenants (or tenants that have been moved in High availability) listen on a port assigned by the operating system. This prevents tenants failing to start because they may be trying to start with a used port.
If upgrading, existing tenants keep listening on ports 18501 for backwards compatibility.
In rare circumstances, it is possible that a dynamically allocated port of a new tenant may occupy a preserved port of an old tenant when it is not running. The old account will not be able to use its port and will fail to run. The workaround is to stop both accounts, start the old tenant first, and then the new (dynamic port) tenant.
Batch tenant requests via host
) Requests from the Main Account to tenants are now faster. The Main Account now requests the data from the hosts (and the hosts locally get data from the account).
Where there are several hosts, each request to the host is done in parallel.


Settings Hierarchy
page has now been reorganized by adding a new
tab, which includes the following:
  • Incidents: Types, Incident Fields, Evidence Fields, Layouts and Classification & Mapping
  • Indicators: Types, Fields, Layouts, and Classification & Mapping
  • Threat Intel Reports: Types, Fields and Layouts
Add None Permission to Roles
When defining or editing a role, you can now revoke read permissions for
Settings - Integrations
Roles that have read permissions to content items, retain partial read access to these categories.
Users can be set as away
Users can now appear active or away. In dropdown lists other users see them as active or away, such as when assigning an owner to an incident. Users can also type
in the command line to set their status.
Assign Marketplace tags to be used as a filter
When viewing details of a Content Pack, you can click a tag that is associated with the Content Pack. The Marketplace search page reappears with that specific tag applied as a filter and only Content packs associated with that tag are shown.
New MTTR widget icon
The MTTR widget has a new icon. The icon displays the threshold color instead of using a background color for the entire widget.
Data collection task’s “use first as default” option takes the definition from the fields matching attribute.
Previously, if the field configuration changed, the question and options did not change. Now, for single select field-based questions in the data collection task, the “use first as default” definition is taken from the field’s matching attribute.
Pre-process logs
You can now store separate pre-process logs, by setting the server configuration
Select multiple roles for the
playbook task
You can now select multiple roles for the
playbook task.
Open a global search result in a new tab
You can now open a global search result in a new tab (using the middle mouse button, command click, or Open link in new tab).
Added support for ad-hoc sub playbooks
API now supports adding playbooks in addition to automations and manual tasks.
Added support for deleting generic object instance
You can now delete a generic object instance.
Added communication task authentication for non-Cortex XSOAR users
You can now provide user authentication to non-Cortex XSOAR users so they can access communication task forms that are sent to them.
Add minutes to SLA
You can now select hours and minutes when adding/editing an SLA task and creating or editing an SLA field.
Set markdown template for field
When editing a layout and using a Markdown field, you can now see the template assigned to that Markdown field.
Copy values in a Widget
You can now copy the value directly from the relevant widget.
Improved performance
You can now limit the amount of data stored in the parent entry to improve performance.
Launch debugger from locked system playbook
Locked system playbooks can now be opened directly in the debugger, without needing to open an unlocked playbook first.
Remote Repository Improvement
Improved performance when pushing content from the development environment to the remote repository.
Flag for version number
A new flag has been added that provides the Cortex XSOAR version number.
/usr/local/demisto/server --version
New Array Field
When creating or editing an incident field, the multi select field type has been improved to include both multi select and array options. In addition to the standard multi select option of a pre-filled list, you can now also accept a comma separated array.
Key passphrase for custom certificates
When configuring an engine, you can now use a key passphrase for your custom certificate.
Replace conflicting content items on a production environment
(Remote Repositories) When installing content on a production environment, if a conflict arises with the remote repository, you can now resolve it by selecting one of the following:
  • Skip: Keeps the local content in your production environment.
  • Replace: Deletes the local content and installs the content from the remote repository.
Migrate to FIPS
Customers can now migrate from a non-FIPS environment to the FIPS version of Cortex XSOAR.
TIM feature message
When attempting to access a feature requiring a TIM license, if a customer does not have a TIM license, a pop up message explains this is a TIM feature and provides a link to learn more about obtaining a license.
Delete report confirmation
A confirmation message is now displayed when you delete a report.
Display message to users before login
You can now configure a message to appear to users on the login page before login to Cortex XSOAR.
Create JSON output of system diagnostics data for support tickets
A new
command allows you to create a JSON output of system diagnostics data. You can attach this output to open support tickets related to system performance to provide Customer Support with relevant information.
Enhanced Markdown capabilities
Markdown capabilities in Cortex XSOAR have been enhanced to include additional editing options:
  • Underline
  • Headings
  • Text alignment
  • Text color / text background color
  • Tables
  • Upload a local image
  • Font size (not exposed in Markdown editor)
Engine logs
The Engine log bundle now also includes Docker information.
Download standby server logs
In a Live Backup environment, downloading system logs from the production server (
) now also retrieves the standby server logs, if they exist. In addition, the standby server homepage now includes a button that lets you download the standby server logs.
The network.log provides information on newer Linux systems.
now provides information on newer Linux systems as well as on older ones. In previous Cortex XSOAR versions the
was empty for the newer Linux systems.
Refresh the number of licenses in use on demand
A user with administrator privileges can manually refresh the number of users in use. This enables you to retrieve immediate feedback on licensing when disabling accounts, removing users, or when provisioning new users. When the number of users exceeds the number of licenses, and you want to clear the alert:
  1. From the Users and Roles page, delete users.
  2. From the
    tab, in the
    section, click
    ‘Users in Use.’
Date time formats
Additional date time formats are now supported.
Email notification when worker count is full
When the worker count for the Cortex XSOAR server is full, the system will now send an email notification instructing you to increase the value of the
server configuration.
File Indicator - Tooltips
In the Threat Intel page, when selecting a File Indicator, a tooltip has been added while hovering over the Malicious samples, Suspicious samples, and Unknown samples columns in the WildFire Dynamic table.
Improved multi-tenant synchronization
) Improved synchronization between tenants and hosts in the event of tenant downtime. Roles, users, API keys and tenant secrets are synced into tenant accounts by their hosts. Upon host registration (done periodically), the tenant account manager sends the host the relevant data for its accounts. If any of the tenant accounts are out of sync (e.g. tenant was down while a role was updated), the host syncs that account.
Account Filtering
) In the Main Account, you can select which tenant account’s dashboard, incidents, and indicators (Threat Intel page) to view and take action as necessary without having to switch accounts. This enables you to view information quickly and more efficiently.
Multi-tenant time synchronization
) The system now checks whether the local time is synced between the Main Account and the hosts. If not, a warning is displayed in Account Management.
Multi-tenant sync error messages
) When a sync error occurs, an informative error message is displayed.
