Cortex XSOAR Release Notes

Cortex XSOAR 6.5 minor and maintenance releases.

| Cortex XSOAR Minor Release | Release Date |
|---|---|
| Cortex XSOAR 6.5.0 (B2583817) | March 15, 2022 |
| Cortex XSOAR 6.5.0 (B2410815) | February 21, 2022 |
| Cortex XSOAR 6.5.0 (B2102531) | December 20, 2021 |

Cortex XSOAR 6.5.0 (B2583817)

Cortex XSOAR 6.5.0 (B2583817) is a maintenance release that delivers the following bug fixes:

  • If a verdict changed, extracted indicators were tagged with the wrong color.

  • When using the OpenLDAP integration, Active Directory groups were not shown under Active Directory role mapping in Users & Roles.

  • When run on an engine, the Remote Access integration could not copy artifact files.

  • (Threat Intel Management) When searching for data in the Sample Analysis page, after the request completed, if there was a 502/505 error code, the following error was returned:

    TypeError: Cannot read properties of null (reading 'then')

  • (Elasticsearch) After using the debugger on a playbook with data from a specific incident or the Playground, the debugger did not work correctly if you tried to debug the same playbook using data from incidents stored in other partitions.

  • (High availability) When clicking the Work Plan from an incident that was accessed through a load balancer, the page sent users back to the tab they were previously on.

  • (High availability) In some cases in a high availability environment, reminders were not cleared, which caused high CPU usage and duplicate job and report executions.

  • (Multi-tenant) When scheduled reports were run on the Main Account, in some cases, the wrong results were returned.

Installation file hash: 7475b2d41aaa83fbc077918983210998bbde4c752249e4a0cc2611fd28d946c6

Cortex XSOAR 6.5.0 (B2410815)

Cortex XSOAR 6.5.0 (B2410815) is a maintenance release that delivers bug fixes and includes breaking changes:

Breaking Changes

The following details the changes that break backward compatibility upon upgrade to Cortex XSOAR v6.5.0 (B2410815).

  • When using Cortex XSOAR with Elasticsearch, indexing for HTML and markdown fields is now disabled by default to limit memory consumption, so these fields are not searchable. To make these fields searchable, add the following server configurations:

    • server.large.markdown.unsearchable: Set to false to make markdown fields searchable in the UI. Default is true.

    • server.large.html.unsearchable: Set to false to make HTML fields searchable in the UI. Default is true.


    Marking the fields as searchable takes effect only from the start of the following month. For example, if you make a change on February 10, the change takes effect on March 1.

  • For both Bolt DB and Elasticsearch, by default, indexing of HTML, markdown, and long text fields is limited to the first 30,000 characters. If large fields are detected, only the first 30,000 characters are searchable. You can change this limit by adding the server.text.max.characters server configuration and setting it to the required number of characters.

    Increasing the number of characters can decrease performance. Reducing the number of characters limits disk space consumption and increases performance.

Cortex XSOAR 6.5.0 (B2410815) delivers the following bug fixes:

  • When running a script based on an SLA Breach, the script was triggered even when the SLA was paused in the incident.

  • When editing conditional tasks and using a transformer, you could not edit and save the task without re-selecting the transformer.

  • A bug in the external incidents creation rate limit caused Elasticsearch to return errors for high loads of external incidents.

  • When you created or edited a data collection task and deselected Email in the Ask by Email option, the change was not saved when the playbook was saved.

  • When upgrading from 6.1 to 6.5, the Unit 42 Intel tab was shown on the indicator summary view to customers without a TIM license.

  • After upgrading to 6.5, the UI became slow due to a reminder queue leak, which caused high CPU usage on old scheduled tasks.

  • When filtering incidents by roles and using populateFields, not all relevant incidents were returned.

  • After closing an incident, the incident stayed selected, so closing the next incident modified both.

  • (High availability) When attempting to add a note to a running playbook task, in some cases the request was not sent to the app server that originally triggered the playbook. As a result, an error message was displayed and the note was not added.

  • (Multi-tenant) When syncing content to the tenant, content items such as integrations/automations that had a role not defined on the tenant showed as modified, even though the sync was successful.

  • (Multi-tenant) In some cases, when attempting to change a host for a tenant, an error was displayed and the host was not changed.

Installation file hash: 8f6734abfc33a3864445d0c8b9e306c4d4a3478042accde947340655d5094c0c

Cortex XSOAR 6.5.0 (B2102531)

Cortex XSOAR 6.5.0 (B2102531) is a maintenance release that delivers bug fixes and provides several usability enhancements.

New Features

Fixed Issues

  • Auto-complete did not show custom field options.

  • When creating a script button, the context button was not available for script arguments.

  • When using a remote repository, lists originating on the development environment could be edited in the production environment.

  • When creating a new Threat Intel Report, the automations browser button did not appear in the CLI and the browser tab did not show the name of the report.

  • For new Threat Intel Reports, some added indicators did not show up in the relationship table query.

  • When upgrading from v6.2 (build number 1883722), the server failed to start.

  • When changing the Date Range in a dashboard, widgets that were configured to use the dashboard’s date range were not updated.

  • New line characters did not work in playbook task labels (for support in Japanese).

  • When exporting a custom layout JSON file larger than 32KB, some entries were truncated.

  • In certain circumstances, after reverting back to the production server after a failover, new incidents were ingested on top of old ones, overriding their IDs.

  • When viewing an automation in preview mode, it was not possible to change the Run on field without detaching the automation.

Installation file hash: eaed5c5c0db39a7a1742cf5419c2e424496188162e666c855b98e473ea1cc596