Cortex XSOAR 6.8 known issues.
The following table describes the known issues you need to consider when upgrading to Cortex v6.8.
Mentions widget not working
In the War Room, when using the
@to notify a user (such as
@admin), although the user is added to the incident, there is no record of the notification in the Mentions widget in the user's dashboard (My dashboard).
Upgrade Common Types Content Pack
After upgrading to version 6.8 from a version earlier than 6.2, in the Marketplace, you need to reinstall or update the
Common TypesContent Pack to receive the latest indicator types and to create indicator relationships.
Widgets on the Main Account displaying incorrect data
Multi-tenant) When viewing widget data on the Main Account, in some cases the results returned may not be complete. If different tenants have different top incident type groups, for example, the aggregated data in the main account can be inaccurate. For example, Tenant A has 20 DoS incidents and 15 Authentication incidents. Tenant B has 10 Authentication incidents and 10 DoS incidents. The top result shown in the main account is DoS:20, even though there are 21 DoS incidents in the system and 25 Authentication incidents. When configuring widgets on the main account, setting higher limit values will improve accuracy.
Tenant status does not appear correctly in the Main account
Multi-tenant) In the
tab, occasionally, some tenants accounts are shown with
downstatus, even though they are running and accessible from the host. This may occur when the host fails to register on the main server and the host has different IDs on the Main server database and the host database.
In the Main Server logs, you may see an error similar to this:
If you encounter this problem, contact Customer Support.
Pre-Process Rules using system-based automations
Pre-Process rules that use system-based automations such as
GetIncidentsByQuery, by default, are run according to the defined role (
Limited User). For example, if the
GetIncidentsByQueryautomation runs with the
Limited Userrole, it also runs with the
Limited Userrole in the Pre-Process rule. You can change the default by either detaching the automation and updating the
RunAsfield such as
DbotRole, or create a wrapper automation with the required role set in the
RunAsfield. The wrapper automation calls the system-based automation. The system-based when called by the wrapper automation runs with the role assigned to the wrapper automation.
Incident/indicator auto complete search not working as expected
In some cases the auto complete search dialog box (Incidents/Indicator search) does not provide suggestions for custom fields created by the user. As a workaround, type the name of the custom field in the search dialog box. For example:
Filters and Transformersdialog box does not always appear in the incident layout builder
Incident Layout builder: In some cases, when adding action buttons, the
Filters and transformersdialog box does not appear.
SAML Log in issue
Multi-tenant) When trying to log in directly to the tenant via SAML, login can fail and the following error is issued:
error Cannot decrypt private key for saml [error 'Encryption error (10)']
If you encounter this issue, in the Main Account sync the SAML integration to the tenant account.
Tenant marked notActive
Multi-tenant) In some cases, in a multi-tenant deployment, a tenant account can be marked as notActive after an upgrade, and can no longer be accessed. If this occurs, contact Cortex XSOAR support for assistance in changing the notActive property in the database.
Even when indicators expire, they may still appear and are searchable in Cortex XSOAR. Expired indicators are not updated until a job updates, which runs once a week. This job checks for newly expired indicators and updates the Expiration Status field. If an indicator has expired, the status does not change to expired, until the weekly job runs.
If you need the job to run at a different frequency, contact Cortex XSOAR support.
Recommended For You
Recommended videos not found.