Known Issues - Release Notes - 6.8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Release Notes

Product
Cortex XSOAR
Version
6.8
Creation date
2022-09-02
Last date published
2023-07-02
End_of_Life
EoL
Category
Release Notes

The following table describes the known issues you need to consider when upgrading to Cortex v6.8.

Issue #

Issue

Description

42367

Mentions widget not working

In the War Room, when using the @ to notify a user (such as @admin), although the user is added to the incident, there is no record of the notification in the Mentions widget in the user's dashboard (My dashboard).

37537

Upgrade Common Types Content Pack

After upgrading to version 6.8 from a version earlier than 6.2, in the Marketplace, you need to reinstall or update the Common Types Content Pack to receive the latest indicator types and to create indicator relationships.

36500

Widgets on the Main Account displaying incorrect data

(Multi-tenant) When viewing widget data on the Main Account, in some cases the results returned may not be complete. If different tenants have different top incident type groups, for example, the aggregated data in the main account can be inaccurate. For example, Tenant A has 20 DoS incidents and 15 Authentication incidents. Tenant B has 10 Authentication incidents and 10 DoS incidents. The top result shown in the main account is DoS:20, even though there are 21 DoS incidents in the system and 25 Authentication incidents. When configuring widgets on the main account, setting higher limit values will improve accuracy.

38474

Tenant status does not appear correctly in the Main account

( Multi-tenant) In the Main accountACCOUNT MANAGEMENTAccount tab, occasionally, some tenants accounts are shown with down status, even though they are running and accessible from the host. This may occur when the host fails to register on the main server and the host has different IDs on the Main server database and the host database.

In the Main Server logs, you may see an error similar to this:

2021-06-18 02:32:47.0314 error Failed to register host [error 'Address ... some host address ... is already listed for incoming id 4, saved id 3 (8924)'] (source: /builds/gopath/src/github.com/demisto/server/services/host.go:600) 2021-06-18 02:33:23.0978 warning Failed updating HA group id on host ... some host address ... [error 'Address ... some host address ... is already listed for incoming id 4, saved id 3 (8924)'] (source: /builds/gopath/src/github.com/demisto/server/services/host.go:187)

If you encounter this problem, contact Customer Support.

44305

Pre-Process Rules using system-based automations

Pre-Process rules that use system-based automations such as GetIncidentsByQuery, by default, are run according to the defined role (Limited User). For example, if the GetIncidentsByQuery automation runs with the Limited User role, it also runs with the Limited User role in the Pre-Process rule. You can change the default by either detaching the automation and updating the RunAs field such as DbotRole, or create a wrapper automation with the required role set in the RunAs field. The wrapper automation calls the system-based automation. The system-based when called by the wrapper automation runs with the role assigned to the wrapper automation.

XSUP-12930

Different results for value queries

In the Threat Intel page, different values appear when entering value: in the search bar (at the top) than when using the !IFindIndicators query=value: command in the CLI.

44524

SAML Log in issue

(Multi-tenant) When trying to log in directly to the tenant via SAML, login can fail and the following error is issued:

error Cannot decrypt private key for saml [error 'Encryption error (10)']

If you encounter this issue, in the Main Account sync the SAML integration to the tenant account.

47141

Tenant marked notActive

(Multi-tenant) In some cases, in a multi-tenant deployment, a tenant account can be marked as notActive after an upgrade, and can no longer be accessed. If this occurs, contact Cortex XSOAR support for assistance in changing the notActive property in the database.

CRTX-56135

Indicator Expiration

Even when indicators expire, they may still appear and be searchable in Cortex XSOAR. If an indicator is scheduled to expire, the status does not change to expired until a weekly job runs and updates the Expiration Status field. If you need the job to run at a different frequency, contact Cortex XSOAR support.

Note

If you manually expire an indicator, the Expiration Status field is changed immediately.