The following table describes the known issues for Cortex XSOAR v6.9.
Mentions widget not working
In the War Room, when using the
Upgrade Common Types Content Pack
After upgrading to version 6.9 from a version earlier than 6.2, in the Marketplace, you need to reinstall or update the Common Types Content Pack to receive the latest indicator types and to create indicator relationships.
Widgets on the Main Account displaying incorrect data
(Multi-tenant) When viewing widget data on the Main Account, in some cases the results returned may not be complete. If different tenants have different top incident type groups, for example, the aggregated data in the main account can be inaccurate. For example, Tenant A has 20 DoS incidents and 15 Authentication incidents. Tenant B has 10 Authentication incidents and 10 DoS incidents. The top result shown in the main account is DoS:20, even though there are 21 DoS incidents in the system and 25 Authentication incidents. When configuring widgets on the main account, setting higher limit values will improve accuracy.
Tenant status does not appear correctly in the Main account
( Multi-tenant) In the → → tab, occasionally, some tenants accounts are shown with down status, even though they are running and accessible from the host. This may occur when the host fails to register on the main server and the host has different IDs on the Main server database and the host database.
In the Main Server logs, you may see an error similar to this:
If you encounter this problem, contact Customer Support.
Pre-Process Rules using system-based automations
Pre-Process rules that use system-based automations such as
Different results for value queries
In the Threat Intel page, different values appear when entering
SAML Log in issue
(Multi-tenant) When trying to log in directly to the tenant via SAML, login can fail and the following error is issued:
If you encounter this issue, in the Main Account sync the SAML integration to the tenant account.
Tenant marked notActive
(Multi-tenant) In some cases, in a multi-tenant deployment, a tenant account can be marked as notActive after an upgrade, and can no longer be accessed. If this occurs, contact Cortex XSOAR support for assistance in changing the notActive property in the database.
Even when indicators expire, they may still appear and be searchable in Cortex XSOAR. If an indicator is scheduled to expire, the status does not change to expired until a weekly job runs and updates the
If you manually expire an indicator, the