New Features - Release Notes - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Release Notes


The following new features are categorized by product component.

Installation file hash: e74cbf2993a2adb529b2cdfe9ecd749e43ee69b676ca8e26ec17f416005c0bb9

Threat Intel Management

Cortex XSOAR 6.5 introduces the following new features.

Unit 42 Intel Service

Cortex XSOAR Threat Intel now includes access to the Unit 42 Intel service, enabling you to identify threats in your network and discover and contextualize trends.

Unit 42 Intel provides data from the following:

  • Palo Alto Networks WildFire (cloud-based malware sandbox)

  • PAN-DB URL Filtering database

  • Palo Alto Networks’ internal Unit 42 threat intelligence team

  • Third-party feeds (including both closed and open-source intelligence)

Unit 42 Intel data is continually updated to include the most recent threat samples analyzed by Palo Alto Networks, enabling you to keep up to date with threat trends and take a proactive approach to securing your network.



Indicator Queries

You can now perform lookups in Unit 42 Intel for IP addresses, URLs, domains, and SHA256 hashes.

Sample Analysis

Unit 42 Intel provides a full report of activities, properties, and behaviors associated with file samples, enabling you to find links between attacks and analyze threat patterns.

Sessions & Submissions

You can now use sessions and submissions data from Palo Alto Networks Firewalls, WildFire, Cortex XDR, Prisma SaaS, and Prisma Access for investigation and analysis.

Add Unit 42 Intel data to Cortex XSOAR

You can choose to add Unit 42 Intel data for specific indicators to your Cortex XSOAR Threat Intel library, and use this data in playbooks and automations.

Threat Intel Reports

Cortex XSOAR 6.5 includes new Threat Intel reporting capabilities. Threat Intel reports summarize and share threat intelligence research conducted within your organization by threat analysts and threat hunters. Threat intelligence reports help you to communicate the current threat landscape to internal and external stakeholders, whether in the form of high-level summary reports for C-level executives, or detailed, tactical reports for the SOC and other security stakeholders.

This feature enables you to do the following:

  • Create Threat Intel reports based on out-of-the-box or customized layouts, while applying rich formatting to the body of the report.

  • Publish a report within Cortex XSOAR to share with other users.

  • Export a report to PDF format.




Marketplace login

In the Marketplace, when you try to log in or register with the Customer Support Portal, the sign-in message now explains how to fix the "site cannot be reached" error.

Filter by content packs that use integrations

You can now filter the Marketplace for Content Packs that use integrations for which you have added instances (whether or not they are enabled).

Filter by content packs that you have installed

You can now filter the list of Content Packs in the Marketplace for packs that you have installed using the Show installed toggle button. This button is disabled by default.

Search for integrations that work with a specific content pack

When viewing a content pack in the Marketplace, you can now click on an integration image icon in the WORKS WITH THE FOLLOWING INTEGRATIONS section to search the Marketplace for that integration.

Case Management




Lists can now be included in a Content Pack and be installed from the Marketplace.

You can also do the following:

  • Upload/download lists

  • In a remote repository, lists can be pushed to a production environment.

  • (Multi-tenant) You can now propagate lists from the Main Account to Tenants.

Elasticsearch Migration - additional flags

When migrating to Elasticsearch, you now have the option to log individual failed items either in a single meta file, or a file per item failure by using the log-failed-items flag.

Enable go to link for script widgets

When creating a custom widget using an automation script, you can now add a script that pivots data in the dashboard and between pages.

setindicator command to 'never expire'

Indicators can now be set to never expire by using the !setIndicators command. For example, !setIndicators expiration="Never".

General Mobile improvements

Mobile supports the latest Markdown improvements.

Remove tags from War Room entries

You can now remove one or more tags from War Room entries by using the resetEntriesTags command.

Labels indicating whether a task input/output is overridden

Playbook task cards now show labels indicating if a task input or output has been overridden.

Incident/Indicator fetch limit

(Hosted development instances only) To prevent workflow overloads that led to system crashes, Cortex XSOAR now limits the number of incidents and indicators that can be fetched within a given time frame. The new limits are:

  • 1000 indicators within a 24 hour period.

  • 1000 incidents within a 24 hour period.

For on-premises customers, these limits are disabled by default, but are configurable through the following server configurations. Whether fetch limits are imposed for indicators. Value: true (default) or false. The maximum number of total indicators that can be fetched. Default is 5,000,000.

Message in War Room for posts hidden by filters

When you add a message in the War Room that is hidden by a filter, a message now appears indicating that you need to clear filters to see the message.

Docker Tags

The following Docker tags have been updated:

  • The default PowerShell Docker image used by integrations/automations that do not explicitly specify a Docker image has been updated to demisto/powershell:

  • The Python base Docker image used by /docker_image_create has been updated to python3-deb:

Allocate account ports by the operating system

(Multi-tenant) When starting a tenant account, new tenants (or tenants that have been moved in High Availability) listen on a port assigned by the operating system. This prevents tenants from failing to start because they are trying to use a port that is already in use.

If upgrading, existing tenants keep listening on ports 18501 for backward compatibility.


In rare circumstances, it is possible that a dynamically allocated port of a new tenant may occupy a preserved port of an old tenant when it is not running. The old account will not be able to use its port and will fail to run. The workaround is to stop both accounts, start the old tenant first, and then the new (dynamic port) tenant.

Batch tenant requests via host

(Multi-tenant) Requests from the Main Account to tenants are now faster. The Main Account now requests the data from the hosts (and the hosts locally get data from the account).

Where there are several hosts, each request to the host is done in parallel.




Settings Hierarchy

The Settings page has now been reorganized by adding a new OBJECTS SETUP tab, which includes the following:

  • Incidents: Types, Incident Fields, Evidence Fields, Layouts and Classification & Mapping

  • Indicators: Types, Fields, Layouts, and Classification & Mapping

  • Threat Intel Reports: Types, Fields and Layouts

Add None Permission to Roles

When defining or editing a role, you can now revoke read permissions for Settings - Integrations.


Roles that have read permissions to content items retain partial read access to these categories.

Users can be set as away

Users can now appear active or away. In dropdown lists, such as when assigning an owner to an incident, other users see them as active or away. Users can also type setYourselfAs in the command line to set their status.

Assign Marketplace tags to be used as a filter

When viewing details of a Content Pack, you can click a tag that is associated with the Content Pack. The Marketplace search page reappears with that specific tag applied as a filter, and only Content Packs associated with that tag are shown.

New MTTR widget icon

The MTTR widget has a new icon. The icon displays the threshold color instead of using a background color for the entire widget.

Data collection task’s “use first as default” option takes the definition from the field’s matching attribute

Previously, if the field configuration changed, the question and options did not change. Now, for single select field-based questions in the data collection task, the “use first as default” definition is taken from the field’s matching attribute.

Pre-process logs

You can now store separate pre-process logs, by setting the server configuration preprocess.logs.file to true.

Select multiple roles for the setIncident playbook task

You can now select multiple roles for the setIncident playbook task.

Open a global search result in a new tab

You can now open a global search result in a new tab (using the middle mouse button, command click, or right-click > Open link in new tab).

Added support for ad-hoc sub playbooks

The addTask API now supports adding playbooks in addition to automations and manual tasks.

Added support for deleting a generic object instance

You can now delete a generic object instance.

Added communication task authentication for non-Cortex XSOAR users

You can now provide user authentication to non-Cortex XSOAR users so they can access communication task forms that are sent to them.

Add minutes to SLA

You can now select hours and minutes when adding/editing an SLA task and creating or editing an SLA field.

Set markdown template for field

When editing a layout and using a Markdown field, you can now see the template assigned to that Markdown field.

Copy values in a Widget

You can now copy the value directly from the relevant widget.

Improved performance

You can now limit the amount of data stored in the parent entry to improve performance.

Launch debugger from locked system playbook

Locked system playbooks can now be opened directly in the debugger, without needing to open an unlocked playbook first.

Remote Repository Improvement

Improved performance when pushing content from the development environment to the remote repository.

Flag for version number

A new flag has been added that provides the Cortex XSOAR version number: /usr/local/demisto/server --version

New Array Field

When creating or editing an incident field, the multi select field type has been improved to include both multi select and array options. In addition to the standard multi select option of a pre-filled list, you can now also accept a comma separated array.

Key passphrase for custom certificates

When configuring an engine, you can now use a key passphrase for your custom certificate.

Replace conflicting content items on a production environment

(Remote Repositories) When installing content on a production environment, if a conflict arises with the remote repository, you can now resolve it by selecting one of the following:

  • Skip: Keeps the local content in your production environment.

  • Replace: Deletes the local content and installs the content from the remote repository.

Migrate to FIPS

Customers can now migrate from a non-FIPS environment to the FIPS version of Cortex XSOAR.

TIM feature message

When attempting to access a feature requiring a TIM license, if a customer does not have a TIM license, a pop-up message explains that this is a TIM feature and provides a link to learn more about obtaining a license.

Delete report confirmation

A confirmation message is now displayed when you delete a report.

Display message to users before login

You can now configure a message to appear to users on the login page before they log in to Cortex XSOAR.

Create JSON output of system diagnostics data for support tickets

A new getSystemDiagnostics command allows you to create a JSON output of system diagnostics data. You can attach this output to open support tickets related to system performance to provide Customer Support with relevant information.

Enhanced Markdown capabilities

Markdown capabilities in Cortex XSOAR have been enhanced to include additional editing options:

  • Underline

  • Headings

  • Text alignment

  • Text color / text background color

  • Tables

  • Upload a local image

  • Font size (not exposed in Markdown editor)

Engine logs

The Engine log bundle now also includes Docker information.

Download standby server logs

In a Live Backup environment, downloading system logs from the production server (Settings > ABOUT > Troubleshooting > Logs) now also retrieves the standby server logs, if they exist. In addition, the standby server homepage now includes a button that lets you download the standby server logs.

The network.log provides information on newer Linux systems

The network.log now provides information on newer Linux systems as well as on older ones. In previous Cortex XSOAR versions the network.log was empty for the newer Linux systems.

Refresh the number of licenses in use on demand

A user with administrator privileges can manually refresh the number of users in use. This enables you to retrieve immediate feedback on licensing when disabling accounts, removing users, or when provisioning new users. When the number of users exceeds the number of licenses, and you want to clear the alert:

  1. From the Users and Roles page, delete users.

  2. From the License tab, in the About section, click Refresh ‘Users in Use.’

Date time formats

Additional date time formats are now supported.

Email notification when worker count is full

When the worker count for the Cortex XSOAR server is full, the system will now send an email notification instructing you to increase the value of the workers.count.Tasks server configuration.

File Indicator - Tooltips

In the Threat Intel page, when selecting a File Indicator, a tooltip has been added while hovering over the Malicious samples, Suspicious samples, and Unknown samples columns in the WildFire Dynamic table.

Improved multi-tenant synchronization

(Multi-tenant) Improved synchronization between tenants and hosts in the event of tenant downtime. Roles, users, API keys and tenant secrets are synced into tenant accounts by their hosts. Upon host registration (done periodically), the tenant account manager sends the host the relevant data for its accounts. If any of the tenant accounts are out of sync (e.g. tenant was down while a role was updated), the host syncs that account.

Account Filtering

(Multi-tenant) In the Main Account, you can select which tenant account’s dashboard, incidents, and indicators (Threat Intel page) to view and take action as necessary without having to switch accounts. This enables you to view information quickly and more efficiently.

Multi-tenant time synchronization

(Multi-tenant) The system now checks whether the local time is synced between the Main Account and the hosts. If not, a warning is displayed in Settings > Account Management > Accounts/Hosts.

Multi-tenant sync error messages

(Multi-tenant) When a sync error occurs, an informative error message is displayed.