Cortex XSOAR known issues.
The following table describes the known issues for Cortex XSOAR.
Issue # | Issue | Description |
|---|---|---|
42367 | Mentions widget not working | In the War Room, when using the |
37537 | Upgrade Common Types Content Pack | In Marketplace, after upgrading from a version earlier than 6.2, you need to reinstall or update the Common Types content pack to receive the latest indicator types and to create indicator relationships. |
36500 | Widgets on the Main Account displaying incorrect data | (Multi-tenant) When viewing widget data on the main account, sometimes the results returned may not be complete. If tenants have different top incident type groups, the aggregated data in the main account can be inaccurate. For example, Tenant A has 20 DoS incidents and 15 Authentication incidents. Tenant B has 10 DoS incidents and 10 Authentication incidents. The top result shown in the main account is DoS:20, even though there are 30 DoS incidents in the system and 25 Authentication incidents. When configuring widgets on the main account, setting higher limit values will improve accuracy. |
38474 | Tenant status does not appear correctly in the Main account | (Multi-tenant) In the → → tab, occasionally, some tenants' accounts are shown with a down status, even though they are running and accessible from the host. This may occur when the host fails to register on the main server, and the host has different IDs on the main server database and the host database. In the main server logs, you may see an error similar to this:
If you encounter this problem, contact Customer Support. |
44524 | SAML log-in issue | (Multi-tenant) When trying to log in directly to the tenant via SAML, login can fail and the following error is issued:
If you encounter this issue in the main account, sync the SAML integration to the tenant account. |
47141 | Tenant marked notActive | (Multi-tenant) Sometimes, after an upgrade, a tenant account can be marked as |
XSUP-46416 | Playbook tasks running the deleteContext.js script | When running a sub-playbook that contains a task that runs the |
XSUP-54035 | System restart due to high memory usage | In rare cases, when using BoltDB, an indexing failure on a monthly partition database can cause high memory usage, resulting in a system restart. If this happens repeatedly, we recommend reindexing the partition. If the issue still recurs, we recommend considering a migration to Elasticsearch or Cortex XSOAR 8 SaaS. |
XSUP-46848 | Time-zone issues in Docker Containers | By default, the time zone for Docker containers is set to UTC. Users in other regions, such as APAC (for example, South Korea, Japan, and Australia), may experience time-related discrepancies. A search for incidents in a given month may overlap with the previous month by between 8 and 11 hours. In addition, when an indicator is created during the time gap between UTC and local time, for example, in APAC hours GMT+8 on Jan 2, 2025, at 12:00-08:00, the time-series widget shows it as created on the previous date, Jan 1, 2025. |
XSUP-45051 | Script Execution Time Limit | Script execution time on engines is limited to 300 seconds (5 minutes). We strongly recommend utilizing short-running scripts to ensure optimal performance. |
XSUP-56724 | Incomplete incident search results | When searching for incidents based on indicator values, if there are over 10,000 indicators that match the indicator part of the query, the incident results may be incomplete. |