New Features

New features available in Cortex XSOAR 6.6, including Threat Intel, case management and Platform improvements.
The following new features are categorized by product component.
Installation file hash:

Threat Intel Management

Improved indicator sorting
You can now sort indicators when using the
commands in scripts, integrations, or in the CLI. You can choose which fields are sorted, whether they are in ascending or descending order, and also apply secondary sorting.
New field trigger scripts for indicators
You can now associate indicator fields with trigger automation scripts that check for field changes, and then take actions based on them. These scripts can perform any action when the conditions are met. Indicator field trigger scripts allow indicators to become a proactive force within Cortex XSOAR. For example, you can define a script that will run when the
field of an indicator has changed, and which will fetch all incidents related to that indicator, and take any action that is configured (reopen, change severity, etc.).

Case Management

Improve the way investigation playbook is saved
Improved performance when running an investigation playbook, including the execution and the number of fetched incidents per hour.
Dynamically show/hide Incident/Indicator/Threat Intel reports layout sections and tabs
When customizing an incident, Indicator, and Threat Intel report layout, you can now add filters, so if the filters apply, the specific fields or tabs are shown in the layout. If the mandatory field is not shown in the layout, the user is not obliged to complete it.
Improved logic for data collection task expiry options
In the data collection task expiry options, you can now choose to configure both of the following options simultaneously, so that either one will trigger a stop to the playbook (previously, these options were mutually exclusive):
  1. Reaching the task SLA
  2. Receiving X number of replies
Show optional fields to analysts when they click on buttons
You can now define which optional fields to show analysts when they click on buttons in objects (incidents/indicators/threat intel reports). To support this, a new "Ask User" checkbox has been added next to optional script arguments in the button settings page of the Layout Builder.
Improved switching between hosts
) In a Live Backup environment, there is now improved hosts switching. This can prevent potential corrupted accounts/hosts.


Prevent editing a closed incident
You can now disable the ability to edit incident related data such as entries, fields, playbooks, etc after the incident is closed, by adding the
server configuration (set to
System Diagnostic Database section
In the
System Diagnostics
page, when using Elasticsearch, there is a new Database section with diagnostics for Elasticsearch latency, storage space, and version.
Playbook rendering is faster (Upgrade Rappid)
Upgraded the visual diagramming library (Rappid) to version 3.0 to manage performance.
Breakout tab/window for close forms and save data that is entered into the form
The close incident form is now movable so you can copy data from the background into it.
Edit a field's template text
For long text fields, you can now insert text to help analysts understand what values to enter.
Support for key-value and wide text arguments
Automations and commands now support argument types of key-value and wide text. You can now create a script that includes an API call without needing to build an integration.
Improved logging for Live Backup
When switching from Backup Server to Live Server, more detailed information about the switch is now added to the audit log.
Support for additional versions of Elasticsearch
Cortex XSOAR now officially supports Elasticsearch versions 7.4x to 7.16.2, including minor versions.
Change temp directory for engine upgrades
You can now change the temp directory used when initiating an engine upgrade via the UI
Hosted Service
) System Diagnostics
You can now view the percentage used for incoming incidents, stored indicators, and partition data, on the
System Diagnostics
page and receive alerts when you reach system thresholds.
Edit Inline Indicator/Incidents/Threat Intel report fields without the check mark
You can now save changes to Incident, Indicator, and Threat Intel report fields without the need to click the check mark, by adding the
configuration (set to
). The changes are automatically saved when clicking anywhere on the incident/indicator page or navigating to another page. You can also edit inline text fields anywhere in the field.
Query incidents to include when training a Machine Learning Model
When creating a machine learning model, you can add a query to include specific incidents when training a model, by selecting the
Query incidents to include in training
field. For example, if you use the phishing classifier to close incidents automatically without a manual review, you can train the model to include only those incidents that were not closed automatically.
New granular data permissions
A set of granular data permissions has been added to the read/write option of the Data permission (
), allowing you to define whether users can perform the following:
  • Edit incident properties
  • Change incident status
  • Delete an incident
  • Manage the incident Workplan
  • Edit indicators
The Chats permission has been removed from the system entirely.
Improved auto-complete in system search bars
The auto-complete experience in system search bars was improved.
Store Incident/Artifact Files in the Cloud
Cortex XSOAR provides the ability to save incident attachments and artifact files (for example, attachments uploaded to the War Room, or added via a Playbook) in a cloud storage bucket, as opposed to working with the standard local file system. This may be helpful if your environment has performance issues, such as high disk I/O utilization or a high storage volume.This feature is supported for GCP (using Google Cloud Storage), AWS (using Amazon S3), as well as Amazon S3-compatible products.
Store Artifact files in subfolders
When using the debugger, artifacts are now stored in subfolders by investigation ID.
Incident Mirroring Triggering and Troubleshooting
command was added to the XSOAR Mirroring integration. You can run this command from the War Room to debug a full mirroring run over existing incidents. You can add an incident ID to the command to get information about a specific incident. If no ID is given, the incident will be loaded from the War Room context.
The output of this command is a unique debug log file that includes logs for the entire mirroring flow. In addition, this debug log includes the content of the integrations' debug-mode logs.
This command triggers real mirroring actions, for example, updating incidents and fields.

Recommended For You