Known Issues - Release Notes - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Release Notes

Cortex XSOAR
Creation date
Last date published
Release Notes

The following table describes the known issues for Cortex XSOAR v6.9.

Issue #




Mentions widget not working

In the War Room, when using the @ to notify a user (such as @admin), although the user is added to the incident, there is no record of the notification in the Mentions widget in the user's dashboard (My dashboard).


Upgrade Common Types Content Pack

After upgrading to version 6.9 from a version earlier than 6.2, in the Marketplace, you need to reinstall or update the Common Types Content Pack to receive the latest indicator types and to create indicator relationships.


Widgets on the Main Account displaying incorrect data

(Multi-tenant) When viewing widget data on the Main Account, in some cases the results returned may not be complete. If different tenants have different top incident type groups, for example, the aggregated data in the main account can be inaccurate. For example, Tenant A has 20 DoS incidents and 15 Authentication incidents. Tenant B has 10 Authentication incidents and 10 DoS incidents. The top result shown in the main account is DoS:20, even though there are 21 DoS incidents in the system and 25 Authentication incidents. When configuring widgets on the main account, setting higher limit values will improve accuracy.


Tenant status does not appear correctly in the Main account

( Multi-tenant) In the Main accountACCOUNT MANAGEMENTAccount tab, occasionally, some tenants accounts are shown with down status, even though they are running and accessible from the host. This may occur when the host fails to register on the main server and the host has different IDs on the Main server database and the host database.

In the Main Server logs, you may see an error similar to this:

2021-06-18 02:32:47.0314 error Failed to register host [error 'Address ... some host address ... is already listed for incoming id 4, saved id 3 (8924)'] (source: /builds/gopath/src/ 2021-06-18 02:33:23.0978 warning Failed updating HA group id on host ... some host address ... [error 'Address ... some host address ... is already listed for incoming id 4, saved id 3 (8924)'] (source: /builds/gopath/src/

If you encounter this problem, contact Customer Support.


SAML Log in issue

(Multi-tenant) When trying to log in directly to the tenant via SAML, login can fail and the following error is issued:

error Cannot decrypt private key for saml [error 'Encryption error (10)']

If you encounter this issue, in the Main Account sync the SAML integration to the tenant account.


Tenant marked notActive

(Multi-tenant) In some cases, in a multi-tenant deployment, a tenant account can be marked as notActive after an upgrade, and can no longer be accessed. If this occurs, contact Cortex XSOAR support for assistance in changing the notActive property in the database.


Indicator Expiration

Even when indicators expire, they may still appear and be searchable in Cortex XSOAR. If an indicator is scheduled to expire, the status does not change to expired until a weekly job runs and updates the Expiration Status field. If you need the job to run at a different frequency, contact Cortex XSOAR support.


If you manually expire an indicator, the Expiration Status field is changed immediately.