New Features - Release Notes - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Release Notes

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-05
Last date published: 2023-06-08
End of Life: EoL
Category: Release Notes

The following new features are categorized by product component.

  • Threat Intel Management

  • Case Management

  • Platform

Installation File Hash: 112622cb6e9ba3711088ccc8ba572bd3ae50ba43a71d0cdaa3a748658fa274a9

Threat Intel Management

Feature

Description

Improved indicator sorting

You can now sort indicators when using the findIndicators and searchIndicators commands in scripts, integrations, or in the CLI. You can choose which fields are sorted, whether they are in ascending or descending order, and also apply secondary sorting.

New field trigger scripts for indicators

You can now associate indicator fields with trigger automation scripts that check for field changes, and then take actions based on them. These scripts can perform any action when the conditions are met. Indicator field trigger scripts allow indicators to become a proactive force within Cortex XSOAR. For example, you can define a script that will run when the Verdict field of an indicator has changed, and which will fetch all incidents related to that indicator, and take any action that is configured (reopen, change severity, etc.).

Case Management

Feature

Description

Improved the way the investigation playbook is saved

Improved performance when running an investigation playbook, including the execution and the number of fetched incidents per hour.

Dynamically show/hide Incident/Indicator/Threat Intel report layout fields and tabs

When customizing an Incident, Indicator, or Threat Intel report layout, you can now add filters so that specific fields or tabs are shown in the layout only when the filters apply.

Improved logic for data collection task expiry options

In the data collection task expiry options, you can now configure both of the following options simultaneously, so that whichever condition is met first stops the playbook (previously, these options were mutually exclusive):

  • Reaching the task SLA

  • Receiving X number of replies

Show optional fields to analysts when they click on buttons

You can now define which optional fields to show analysts when they click on buttons in objects (incidents/indicators/threat intel reports). To support this, a new "Ask User" checkbox has been added next to optional script arguments in the button settings page of the Layout Builder.

Improved switching between hosts

(Multi-tenant) In a Live Backup environment, switching between hosts has been improved. This helps prevent accounts or hosts from becoming corrupted.

Platform

Feature

Description

Prevent editing a closed incident

You can now disable the ability to edit incident-related data (entries, fields, playbooks, etc.) after the incident is closed, by adding the incident.prevent.modify.closed server configuration (set to true).

System Diagnostic Database section

In the System Diagnostics page, when using Elasticsearch, there is a new Database section with diagnostics for Elasticsearch latency, storage space, and version.

Playbook rendering is faster (Upgrade Rappid)

Upgraded the visual diagramming library (Rappid) to version 3.0 to improve playbook rendering performance.

Breakout tab/window for close forms, preserving data entered into the form

The close incident form is now movable so you can copy data from the background into it.

Edit a field's template text

For long text fields, you can now insert text to help analysts understand what values to enter.

Support for key-value and wide text arguments

Automations and commands now support argument types of key-value and wide text. You can now create a script that includes an API call without needing to build an integration.

Improved logging for Live Backup

When switching from Backup Server to Live Server, more detailed information about the switch is now added to the audit log.

Support for additional versions of Elasticsearch

Cortex XSOAR now officially supports Elasticsearch versions 7.4x to 7.16.2, including minor versions.

Change temp directory for engine upgrades

You can now change the temp directory used when initiating an engine upgrade via the UI.

(Hosted Service) System Diagnostics

You can now view the percentage used for incoming incidents, stored indicators, and partition data, on the System Diagnostics page and receive alerts when you reach system thresholds.

Edit Inline Indicator/Incidents/Threat Intel report fields without the checkmark

You can now save changes to Incident, Indicator, and Threat Intel report fields without clicking the checkmark, by adding the inline.edit.on.blur configuration (set to true). Changes are saved automatically when you click anywhere on the incident/indicator page or navigate to another page. You can also edit inline text fields by clicking anywhere in the field.

Query incidents to include when training a Machine Learning Model

When creating a machine learning model, you can add a query to include specific incidents when training a model, by selecting the Query incidents to include in training field. For example, if you use the phishing classifier to close incidents automatically without a manual review, you can train the model to include only those incidents that were not closed automatically.

New granular data permissions

A set of granular data permissions has been added to the read/write option of the Data permission (Settings > USERS AND ROLES > Roles), allowing you to define whether users can perform the following:

  • Edit incident properties

  • Change incident status

  • Delete an incident

  • Manage the incident Work Plan

  • Edit indicators

The Chats permission has been removed from the system entirely.

Improved auto-complete in system search bars

The auto-complete experience in system search bars was improved.

Store Incident/Artifact Files in the Cloud

Cortex XSOAR provides the ability to save incident attachments and artifact files (for example, attachments uploaded to the War Room, or added via a Playbook) in a cloud storage bucket, as opposed to working with the standard local file system. This may be helpful if your environment has performance issues, such as high disk I/O utilization or a high storage volume. This feature is supported for GCP (using Google Cloud Storage), AWS (using Amazon S3), as well as Amazon S3-compatible products.

Store Artifact files in subfolders

When using the debugger, artifacts are now stored in subfolders by investigation ID.

Incident Mirroring Triggering and Troubleshooting

The triggerDebugMirroringRun command was added to the XSOAR Mirroring integration. You can run this command from the War Room to debug a full mirroring run over existing incidents. You can pass an incident ID to the command to get information about a specific incident; if no ID is given, the incident is taken from the War Room context. The output of this command is a unique debug log file that covers the entire mirroring flow. In addition, this debug log includes the content of the integrations' debug-mode logs.

Note

This command triggers real mirroring actions, for example, updating incidents and fields.