New Features

New features available in Cortex XSOAR 6.8, including Threat Intel, case management and Platform improvements.
The following new features are categorized by product component.
Installation file hash:

Deployment Wizard

When installing or updating the Malware content pack, a new
tab guides you step-by-step to quickly adopt the Malware use case. The Deployment Wizard significantly reduces the time required to set up your use case. The wizard guides you through the process of setting up your content pack for your specific use case, including:
  • Setting up a fetching integration
  • Setting up a playbook
  • Setting up any required supporting integrations
  • Enabling the fetching integration instance


Error Handling in Playbooks
When creating/editing a standard task that uses an automation or a conditional task that uses an automation, you can select the following from the
On Error
  • Number of retries
  • Retry interval (seconds)
  • Error Handling
    : Determines how a playbook task behaves if there are automation errors during execution.
    : The playbook stops if the task errors.
    : The playbook continues to execute if the task errors.
    Continue on error path
    : If the task errors, the playbook continues on an error path. You have the option to create a separate, standard path or use a separate error path, which can handle all errors.
New custom playbooks are set to quiet mode
When creating a new custom playbook, by default, the playbook is set to
Quiet Mode
to improve system performance.


Embedded Videos in Content Packs
An embedded YouTube video viewer is now supported in content packs. These videos walk you through the content including the playbooks, incident types, testing, etc.

Case Management

HTTP, HTTPS, and SSH are now supported for remote repositories
You can now connect to a remote repository using HTTP or HTTPS as well as SSH.
API Endpoint Mappers on a production environment
In a remote repository, you can now add API Endpoint mapping directly on the production machine.
Add the group name flag to the installation file
When installing the server, you can now select the default Cortex XSOAR group name by adding the
-system-group-name=<group name>
flag to the installation file.
Auto suggestions for indicator types for Threat Intel
For manual indicator creation, there is now an auto suggest prompt for indicator types.


Support Cortex XSOAR on RHEL 8.5
Cortex XSOAR now supports RHEL 8.5.
Exclude items from local changes in remote repositories
You can now exclude content items on your development machine from syncing with your production machine. Excluded items do not appear in the local changes table.
Control which users can create API keys
You can now select which roles have read and read/write permissions when creating API keys. By default, all users can create API keys.
Track API rate limit errors
Some content packs now contain dashboards and widgets that can track API rate limit errors, which is useful for troubleshooting and to make decisions about whether to enrich indicators.
You can define a widget to see the API rate limiting error of third party products through a period of time (such as day/week) and to understand if there are tools that are not using all of the bought quota.
The widget enables you to visualize your API usage and provides guidance on when to retry commands that have failed due to rate limiting.
To add a widget, in the Widget Builder, select the following:
  1. Data Source:
    SOAR Metrics
  2. Query:
    type: integration
  3. From the
    tab, in the
    field, select
    Total API Calls
  4. In the
    Group by
    field, select
    API Response Type
Dynamic sections are refreshed
The refresh button now refreshes all dynamic sections for incident and indicator layouts.
Integration fetch history
When fetching or mirroring an integration or feed, you can now see the fetch history, including the last run, source ID, duration, etc. This can assist with errors, enabling you to find the root cause of the problem.
Notification of breaking changes
When updating or installing a content pack, if the pack contains changes that break backward compatibility, the details are now displayed for you to review before deciding to proceed with installation.
Content Pack Update Notifications
You can now receive daily notifications of Marketplace Content Packs that have available updates.
Support for operating system git
You can now use your operating system git installation with a remote repository.

Recommended For You