New Features
New features available in Cortex XSOAR 6.5, including Threat Intel, Unit 42, Threat Intel reports, case management, and Platform improvements.
The following new features are categorized by product component.
Installation file hash:
e74cbf2993a2adb529b2cdfe9ecd749e43ee69b676ca8e26ec17f416005c0bb9
Threat Intel Management
Cortex XSOAR 6.5 introduces the following new features.
Unit 42 Intel Service
Cortex XSOAR Threat Intel now includes access to the Unit 42
Intel service, enabling you to identify threats in your network
and discover and contextualize trends.
Unit 42 Intel provides data from the following:
- Palo Alto Networks WildFire (cloud-based malware sandbox)
- PAN-DB URL Filtering database
- Palo Alto Networks’ internal Unit 42 threat intelligence team
- Third-party feeds (including both closed and open-source intelligence)
Unit 42 Intel data is continually updated to include the most
recent threat samples analyzed by Palo Alto Networks, enabling you
to keep up to date with threat trends and take a proactive approach
to securing your network.
Feature | Description |
---|---|
Indicator Queries | You can now perform lookups in Unit 42 Intel for IP addresses, URLs, domains, and SHA256 hashes. |
Sample Analysis | Unit 42 Intel provides a full report of the activities, properties, and behaviors associated with file samples, enabling you to find links between attacks and analyze threat patterns. |
Sessions & Submissions | You can now use sessions and submissions data from Palo Alto Networks firewalls, WildFire, Cortex XDR, Prisma SaaS, and Prisma Access for investigation and analysis. |
Add Unit 42 Intel data to Cortex XSOAR | You can choose to add Unit 42 Intel data for specific indicators to your Cortex XSOAR Threat Intel library, and use this data in playbooks and automations. |
Threat Intel Reports
Cortex XSOAR 6.5 includes new Threat Intel reporting capabilities.
Threat Intel reports summarize and share threat intelligence research
conducted within your organization by threat analysts and threat
hunters. Threat intelligence reports help you to communicate the
current threat landscape to internal and external stakeholders,
whether in the form of high-level summary reports for C-level executives, or
detailed, tactical reports for the SOC and other security stakeholders.
This feature enables you to do the following:
- Create Threat Intel reports based on out-of-the-box or customized layouts, while applying rich formatting to the body of the report.
- Publish a report within Cortex XSOAR to share with other users.
- Export a report to PDF format.
Marketplace
Feature | Description |
---|---|
Marketplace login | In the Marketplace, when you try to log in or register with the Customer Support Portal, the sign-in message now explains how to fix the "site cannot be reached" error. |
Filter by content packs that use integrations | You can now filter the Marketplace for Content Packs that use integrations for which you have added instances (whether or not those instances are enabled). |
Filter by content packs that you have installed | You can now filter the list of Content Packs in the Marketplace for packs that you have installed, using the Show installed toggle button. This button is disabled by default. |
Search for integrations that work with a specific content pack | When viewing a content pack in the Marketplace, you can now click an integration image icon in the WORKS WITH THE FOLLOWING INTEGRATIONS section to search the Marketplace for that integration. |
Case Management
Feature | Description |
---|---|
Lists | Lists can now be included in a Content Pack and installed from the Marketplace. You can also do the following: |
Elasticsearch Migration - additional flags | When migrating to Elasticsearch, you now have the option to log individual failed items either in a single meta file or in one file per failed item, by using the log-failed-items flag. |
Enable go to link for script widgets | When creating a custom widget using an automation script, you can now add a script that pivots data in the dashboard and between pages. |
setIndicators command to 'never expire' | Indicators can now be set to never expire by using the !setIndicators command. For example: !setIndicators indicatorsValue=watson.com expiration="Never" |
General Mobile improvements | Mobile supports the latest Markdown improvements. |
Remove tags from War Room entries | You can now remove one or more tags from War Room entries by using the resetEntriesTags command. |
Labels indicating whether an input/output task is overridden | Playbook task cards now show labels indicating whether a task input or output has been overridden. |
Incident/Indicator fetch limit | (Hosted development instances only) To prevent workflow overloads that led to system crashes, Cortex XSOAR now limits the number of incidents and indicators that can be fetched within a given time frame. The new limits are controlled by two server configuration keys. create.indicators.limit.by.total.amount: whether fetch limits are imposed for indicators; value true (default) or false. create.indicators.limit.by.total.amount.max.allowed: the maximum total number of indicators that can be fetched; default 5,000,000. |
Message in War Room for posts hidden by filters | When you add a message in the War Room that is hidden by a filter, a message now appears indicating that you need to clear the filters to see it. |
Docker Tags | The following Docker tags have been updated: |
Allocate account ports by the operating system | (Multi-tenant) When a tenant account starts, new tenants (or tenants that have been moved in High Availability) listen on a port assigned by the operating system. This prevents tenants from failing to start because the port they try to use is already taken. If upgrading, existing tenants keep listening on port 18501 for backward compatibility. In rare circumstances, the dynamically allocated port of a new tenant may occupy the preserved port of an old tenant while the old tenant is not running. The old account will then not be able to use its port and will fail to run. The workaround is to stop both accounts, start the old tenant first, and then start the new (dynamic port) tenant. |
Batch tenant requests via host | (Multi-tenant) Requests from the Main Account to tenants are now faster. The Main Account now requests the data from the hosts (and the hosts get the data locally from the account). Where there are several hosts, the requests to the hosts are made in parallel. |
Platform
Feature | Description |
---|---|
Settings Hierarchy | The Settings page has now been reorganized by adding a new OBJECTS SETUP tab, which includes the following: |
Add None Permission to Roles | When defining or editing a role, you can now revoke read permissions for Settings - Integrations. Roles that have read permissions to content items retain partial read access to these categories. |
Users can be set as away | Users can now appear active or away. In dropdown lists, such as when assigning an owner to an incident, other users see them as active or away. Users can also type setYourselfAs in the command line to set their status. |
Assign Marketplace tags to be used as a filter | When viewing the details of a Content Pack, you can click a tag associated with the Content Pack. The Marketplace search page reappears with that tag applied as a filter, and only Content Packs associated with that tag are shown. |
New MTTR widget icon | The MTTR widget has a new icon. |
Data collection task's "use first as default" option takes the definition from the field's matching attribute | Previously, if the field configuration changed, the question and options did not change. Now, for single-select field-based questions in the data collection task, the "use first as default" definition is taken from the field's matching attribute. |
Pre-process logs | You can now store separate pre-process logs by setting the server configuration preprocess.logs.file to true. |
Select multiple roles for the setIncident playbook task | You can now select multiple roles for the setIncident playbook task. |
Open a global search result in a new tab | You can now open a global search result in a new tab (using the middle mouse button, command-click, or right-click and Open link in new tab). |
Added support for ad-hoc sub-playbooks | The addTask API now supports adding playbooks in addition to automations and manual tasks. |
Added support for deleting a generic object instance | You can now delete a generic object instance. |
Added communication task authentication for non-Cortex XSOAR users | You can now provide user authentication to non-Cortex XSOAR users so they can access communication task forms that are sent to them. |
Add minutes to SLA | You can now select hours and minutes when adding or editing an SLA task and when creating or editing an SLA field. |
Set markdown template for field | When editing a layout that uses a Markdown field, you can now see the template assigned to that Markdown field. |
Copy values in a Widget | You can now copy a value directly from the relevant widget. |
Improved performance | You can now limit the amount of data stored in the parent entry to improve performance. |
Launch debugger from locked system playbook | Locked system playbooks can now be opened directly in the debugger, without needing to open an unlocked playbook first. |
Remote Repository Improvement | Improved performance when pushing content from the development environment to the remote repository. |
Flag for version number | A new flag provides the Cortex XSOAR version number: /usr/local/demisto/server --version |
New Array Field | When creating or editing an incident field, the multi-select field type has been improved to include both multi-select and array options. In addition to the standard multi-select option of a pre-filled list, you can now also accept a comma-separated array. |
Key passphrase for custom certificates | When configuring an engine, you can now use a key passphrase for your custom certificate. |
Replace conflicting content items on a production environment | (Remote Repositories) When installing content on a production environment, if a conflict arises with the remote repository, you can now resolve it by selecting one of the following: |
Migrate to FIPS | Customers can now migrate from a non-FIPS environment to the FIPS version of Cortex XSOAR. |
TIM feature message | When attempting to access a feature that requires a TIM license, a customer without a TIM license sees a pop-up message explaining that this is a TIM feature, with a link to learn more about obtaining a license. |
Delete report confirmation | A confirmation message is now displayed when you delete a report. |
Display message to users before login | You can now configure a message that appears to users on the login page before they log in to Cortex XSOAR. |
Create JSON output of system diagnostics data for support tickets | A new getSystemDiagnostics command allows you to create JSON output of system diagnostics data. You can attach this output to support tickets related to system performance to provide Customer Support with the relevant information. |
Enhanced Markdown capabilities | Markdown capabilities in Cortex XSOAR have been enhanced to include additional editing options: |
Engine logs | The Engine log bundle now also includes Docker information. |
Download standby server logs | In a Live Backup environment, downloading system logs from the production server (Settings > ABOUT > Troubleshooting > Logs |
The network.log provides information on newer Linux systems | The network.log now provides information on newer Linux systems as well as on older ones. In previous Cortex XSOAR versions, the network.log was empty on newer Linux systems. |
Refresh the number of licenses in use on demand | A user with administrator privileges can manually refresh the count of licenses in use. This gives you immediate feedback on licensing when disabling accounts, removing users, or provisioning new users. When the number of users exceeds the number of licenses, and you want to clear the alert: |
Date time formats | Additional date-time formats are now supported. |
Email notification when worker count is full | When the worker count for the Cortex XSOAR server is full, the system now sends an email notification instructing you to increase the value of the workers.count.Tasks server configuration. |
File Indicator - Tooltips | In the Threat Intel page, when selecting a File Indicator, a tooltip is now shown when hovering over the Malicious samples, Suspicious samples, and Unknown samples columns in the WildFire Dynamic table. |
Improved multi-tenant synchronization | (Multi-tenant) Improved synchronization between tenants and hosts in the event of tenant downtime. Roles, users, API keys, and tenant secrets are synced into tenant accounts by their hosts. Upon host registration (done periodically), the tenant account manager sends the host the relevant data for its accounts. If any of the tenant accounts are out of sync (for example, a tenant was down while a role was updated), the host syncs that account. |
Account Filtering | (Multi-tenant) In the Main Account, you can select which tenant account's dashboard, incidents, and indicators (Threat Intel page) to view, and take action as necessary, without switching accounts. This lets you view information quickly and more efficiently. |
Multi-tenant time synchronization | (Multi-tenant) The system now checks whether the local time is synced between the Main Account and the hosts. If not, a warning is displayed in Settings > Account Management > Accounts/Hosts. |
Multi-tenant sync error messages | (Multi-tenant) When a sync error occurs, an informative error message is displayed. |