Addressed Issues - Release Notes - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Release Notes

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-05
Last date published: 2023-06-08
End_of_Life: EoL
Category: Release Notes

These issues are fixed in the Cortex XSOAR v6.6 release.

  • After working with a remote repository for an extended period of time, the push changes operation sometimes failed due to a timeout, and in some cases it was not possible to push new changes. The timeout was caused by the use of the git notes mechanism for storing metadata. To prevent timeouts, the metadata is now read directly from the content files.

  • (Migration) If data was migrated to Elasticsearch out of chronological order, duplicate incident IDs were created.

  • (Migration) In some cases, when migrating from BoltDB to Elasticsearch, the execution metrics partition was not fully migrated.

  • In Elasticsearch, if an indicator URL length was greater than 512 bytes, a validation error occurred on caching objects.

  • In some cases, when creating a new indicator type, searching for an indicator sample failed.

  • Unexpected panic reports were generated during searches.

  • When searching in the header search and on the integrations page, there was a delay before search results were returned.

  • When a script name changed, the new script name did not always show in the auto-complete and could not be used in playbooks.

  • When editing conditional tasks and using a transformer, you could not edit and save the task without reselecting the transformer.

  • After syncing content, automation content continuously showed up for sync because of an issue with the Run As field. Run As is no longer synced, and you can now edit the field on the tenant.

  • When using saved queries with relative date ranges, the number of items displayed in the table did not match that of the widget.

  • After adding tags to the Incident Tags field in a production environment, and then pushing layout changes that include this field from the development environment (but without selecting any dependencies), the tags were deleted on production.

  • When the total file size of classifiers was too large, the Classification & Mapping tab showed no content, due to a classifier limitation issue.

  • When updating the Active Directory Authentication mapping to a role, roles were removed and users were unable to access Cortex XSOAR.

  • In some cases, Active Directory authentication failed when credentials were not updated from the vault.

  • When using the OpenLDAP integration, Active Directory groups were not shown under Active Directory role mapping in Users & Roles.

  • When using the Slack V3 integration, and the minimum incident severity was set to Unknown, duplicate case closure notifications were sent to the specified channel according to the number of people who worked on the case.

  • After changing the name of a custom automation, both the original automation name and the new automation name remained available to run in the UI, until the service was restarted.

  • In the Automation page, when selecting the getIncidents automation in the Script Helper, the system argument did not show that it was deprecated.

  • When trying to run the investigate command from the CLI, an error occurred and the investigation was not opened.

  • After changing the display name of security incidents (to cases, events, alerts, etc.), the system commands associateIndicatorsToIncident and UnassociateIndicatorsToIncident did not work.

  • In some cases, when an incident was created without an owner and then the owner was later set, if the change in the owner field triggered a script, playbooks did not run and the incident could not be modified or closed.

  • When trying to create a new indicator that was on the Exclusion list, the command returned Done, even though the indicator was not created.

  • When running the createNewIndicator command on an indicator that was created in a feed but not extracted in an old bolt partition, duplicates were created.

  • When viewing a dashboard that contained a widget with a filter, adding an additional dashboard filter with an OR argument caused inconsistent results.

  • In some cases, when validating a content item, an error was displayed.

  • When logging in again after a session expiration, the login modal did not hide the background page.

  • If a customer previously had a Threat Intel Management license, when they installed their new license (without a Threat Intel Management license), it caused a License expired error to occur.

  • After configuring a sub-playbook's inputs, the change affected an investigation's playbooks in the Work Plan.

  • When a playbook ran that had tasks running sub-playbooks in a loop, the playbook proceeded to subsequent tasks even if the loop had not completed.

  • When a data collection task was set to Quiet Mode and also set to Mark results as evidence, the task failed and the error Cannot create evidence - entry ID is empty (52) was generated.

  • In a hosted service deployment, server configurations could not be edited via the UI on a development machine.

  • If a key containing brackets [] was added to the context data, it could not be deleted.

  • When installing Cortex XSOAR, the post-install script contained a bash function while being run as a shell script.

  • (Multi-tenant) After upgrading to Cortex XSOAR v6.5, any pre-existing custom roles created on the Main Account were locked, not only on tenant accounts, but also on the Main Account.

  • (Multi-tenant) In High Availability deployments, hosts within the same High Availability group were communicating over tenants' private IP addresses instead of using the host or the account name.

  • (Multi-tenant) Manual tags caused incident fields to get stuck in the sync modal between tenant and main accounts.