New Features - Release Notes - 6.11 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Release Notes

Product: Cortex XSOAR
Version: 6.11
Creation date: 2022-12-12
Last date published: 2023-12-11
Category: Release Notes

The following new features are categorized by product component.

  • Improved Upgrade Process for Multi-Tenant Deployments

  • Case Management

  • Platform

Improved Upgrade Process for Multi-Tenant Deployments

You can now upgrade a multi-tenant deployment in stages, to limit downtime. Previously, after upgrading the main server, all host servers had to be upgraded before the main server could be restarted and functionality restored. From this version, after upgrading the main server, you can upgrade all of the host servers or leave one or more host servers one version behind, temporarily. The main server can be restarted before you upgrade the host servers, limiting downtime.

Limited functionality is supported if the host server is one version behind the main server. For example, you can continue to use Cortex XSOAR if the main server is Cortex XSOAR v6.11 and some or all of the host servers are still running Cortex XSOAR v6.10.

During this period, when host servers are one version behind, you can still manage incidents and indicators and use dashboards. You can’t create accounts or move accounts on a host that is not running the same version as the main server. You also can’t propagate any content from the main server to host servers that are not running the same Cortex XSOAR version. This includes:

  • Playbooks

  • Scripts

  • Integrations

  • Indicator fields

  • Incident fields

  • Evidence fields

  • Indicator types

  • Incident types

  • Pre-process rules

  • Lists

  • Widgets

  • Dashboards

  • Incident layouts

  • Indicator layouts

For more information, see Upgrade Your Multi-Tenant Deployment.

Case Management

Feature

Description

Remove Users Data

After deleting a user, you can now clear the user's data from content, such as active incidents, investigations, and automations, by doing one of the following:

  • Running the clearUsersData command in the CLI

  • Running a playbook

  • Adding server configurations

For more information, see Remove a User.

Playbook Performance

Playbook performance has been substantially improved, including context operations, indicator extraction, and playbook execution.

Deleting an Account

(Multi-tenant) In an Elasticsearch environment, after deleting an account, the Elasticsearch indices for the account are now closed and the data is retained. If you want to create a new account with the same name as the deleted account, you must first either reopen the closed indices (to use the existing data for the new account) or delete the closed indices.

Note

You cannot create a new account with the same name until you delete or open the closed indices.

RHEL v9.1

Cortex XSOAR now supports RHEL v9.1.

Platform

Feature

Description

New Menu Navigation

The following menu items have been moved:

  • Pre-Process Rules has moved from Settings > INTEGRATIONS > Pre-Process Rules to Settings > OBJECTS SETUP > Incidents > Pre-Process Rules.

  • Password Policy has moved from Settings > USERS AND ROLES > Password Policy to Settings > ADVANCED > Password Policy.

  • Audit Trail has moved from Settings > USERS AND ROLES > Audit Trail to Settings > ADVANCED > Audit Trail.

  • Integration Permissions has moved from Settings > USERS AND ROLES > Integration Permissions to Settings > INTEGRATIONS > Integration Permissions.

Role Permissions

Role permissions have been updated for more granular control. You can now do the following:

  • Under Granular data permissions, limit permission to edit layouts for indicators, incidents, and Threat Intel Reports without granting the user Admin Read/Write permissions.

  • Under Settings:

    • Integrations: Limit permissions for adding, editing or deleting instances and integrations, pre-process rules, classifying and mapping incidents and indicators.

    • Integration Permissions: Limit permissions in the Integration Permissions page.

    • Users: Changed to User and Roles and added a None permission option.

    • Administration: Limit permissions for server configurations, audit trails and the password policy.

Wrap Labels for Fields

You can now choose to wrap the label text for incident and indicator fields when displayed in a layout. When creating or editing a section of fields, open Edit section settings and select Wrap the labels.

Engines Table "last seen" Timestamp

A "last seen" timestamp has been added to the engines table, which represents the last time the engine connected successfully.

Prevent Duplicate File Names

You can now automatically append a timestamp to a file name for each file uploaded to an incident, by adding the following server configuration:

Key: attachment.file.unique.name

Value: True

This prevents the possibility of duplicate file names.