Known Issues

Cortex XSOAR 6.8 known issues.
The following table describes the known issues you need to consider when upgrading to Cortex v6.8.
Issue #
Mentions widget not working
In the War Room, when using the
to notify a user (such as
), although the user is added to the incident, there is no record of the notification in the Mentions widget in the user's dashboard (My dashboard).
Upgrade Common Types Content Pack
After upgrading to version 6.8 from a version earlier than 6.2, in the Marketplace, you need to reinstall or update the
Common Types
Content Pack to receive the latest indicator types and to create indicator relationships.
Widgets on the Main Account displaying incorrect data
) When viewing widget data on the Main Account, in some cases the results returned may not be complete. If different tenants have different top incident type groups, for example, the aggregated data in the main account can be inaccurate. For example, Tenant A has 20 DoS incidents and 15 Authentication incidents. Tenant B has 10 Authentication incidents and 10 DoS incidents. The top result shown in the main account is DoS:20, even though there are 21 DoS incidents in the system and 25 Authentication incidents. When configuring widgets on the main account, setting higher limit values will improve accuracy.
Tenant status does not appear correctly in the Main account
) In the
Main account
tab, occasionally, some tenants accounts are shown with
status, even though they are running and accessible from the host. This may occur when the host fails to register on the main server and the host has different IDs on the Main server database and the host database.
In the Main Server logs, you may see an error similar to this:
2021-06-18 02:32:47.0314 error Failed to register host [error 'Address ... some host address ... is already listed for incoming id 4, saved id 3 (8924)'] (source: /builds/gopath/src/ 2021-06-18 02:33:23.0978 warning Failed updating HA group id on host ... some host address ... [error 'Address ... some host address ... is already listed for incoming id 4, saved id 3 (8924)'] (source: /builds/gopath/src/
If you encounter this problem, contact Customer Support.
Pre-Process Rules using system-based automations
Pre-Process rules that use system-based automations such as
, by default, are run according to the defined role (
Limited User
). For example, if the
automation runs with the
Limited User
role, it also runs with the
Limited User
role in the Pre-Process rule. You can change the default by either detaching the automation and updating the
field such as
, or create a wrapper automation with the required role set in the
field. The wrapper automation calls the system-based automation. The system-based when called by the wrapper automation runs with the role assigned to the wrapper automation.
Incident/indicator auto complete search not working as expected
In some cases the auto complete search dialog box (Incidents/Indicator search) does not provide suggestions for custom fields created by the user. As a workaround, type the name of the custom field in the search dialog box. For example:
Filters and Transformers
dialog box does not always appear in the incident layout builder
Incident Layout builder: In some cases, when adding action buttons, the
Filters and transformers
dialog box does not appear.
SAML Log in issue
) When trying to log in directly to the tenant via SAML, login can fail and the following error is issued:
error Cannot decrypt private key for saml [error 'Encryption error (10)']
If you encounter this issue, in the Main Account sync the SAML integration to the tenant account.
Tenant marked notActive
) In some cases, in a multi-tenant deployment, a tenant account can be marked as notActive after an upgrade, and can no longer be accessed. If this occurs, contact Cortex XSOAR support for assistance in changing the notActive property in the database.
Indicator Expiration
Even when indicators expire, they may still appear and are searchable in Cortex XSOAR. Expired indicators are not updated until a job updates, which runs once a week. This job checks for newly expired indicators and updates the Expiration Status field. If an indicator has expired, the status does not change to expired, until the weekly job runs.
If you need the job to run at a different frequency, contact Cortex XSOAR support.

Recommended For You