Cortex XSOAR 8.11

Cortex XSOAR On-prem Release Notes

Product: Cortex XSOAR
Version: 8.13
Creation date: 2026-02-12
Last date published: 2026-05-24
Category: Release Notes
Solution: On-prem

Abstract: New features are available in Cortex XSOAR 8.11 On-prem, including release highlights and feature enhancements.

This section describes the new features and updates of the Cortex XSOAR 8.11 On-prem release.

Release build: master-8.11.0-8.11.0.9-3794c106

Release Highlights

The Cortex XSOAR 8.11 release includes the following highlights:

| Feature | Description |
| --- | --- |
| Advanced search for playbooks and scripts | Easily find and use existing scripts and playbooks by searching for specific text within scripts or by searching the names of scripts, tasks, and third-party integrations within playbooks. For more information, see Use or customize an existing playbook and Use existing scripts. |
| Clear incidents waiting in the ingestion queue | Regain control during incident floods and ensure critical playbooks run smoothly, preventing bottlenecks and facilitating rapid self-recovery. For more information, see Fetch incidents from an integration instance. |
| Generic Webhook integration enhancements | Easily ingest external data without an API integration and connect with diverse services with support for header-based authentication and a simplified setup experience. For more information, see the Generic Webhook integration documentation. |

Feature enhancements

The Cortex XSOAR 8.11 release includes the following enhancements:

| Feature | Description |
| --- | --- |
| Terminate incident export | You can now manually terminate an ongoing scheduled or on-demand incident export, which provides users with greater control over their data management workflows. For more information, see Schedule incident export and delete. |
| GCOW2 on KVM deployment | Cortex XSOAR now supports deployment on a KVM (Kernel-based Virtual Machine) hypervisor. For more information, see Install Cortex XSOAR on a VM deployed on KVM. |
| Proxy authentication for deployments | You can now configure the proxy username and password directly in the textual UI (TUI), ensuring seamless operation in environments that require proxy authentication. This allows all outbound HTTP and HTTPS requests to function correctly through your authenticated proxy server. You can choose the HTTP or HTTPS protocol for the proxy. For more information, see Configure proxy settings (Task 5) for your relevant deployment. |
| Kube CIS benchmark test fixes | The security posture has been enhanced by addressing controls flagged during CIS Kubernetes benchmarking, thereby fixing vulnerabilities in critical components, including kube-apiserver, kube-controller-manager, and kube-scheduler, to improve adherence to industry-standard best practices. |
| Package and cipher updates | System security is now improved by eliminating weak ciphers (such as 3DES) and updating underlying Debian packages to resolve recent CVEs. |
| Network Security Enhancements | Narrowed down the list of ports that should be opened on the VM. For more information, see Port requirements for cluster communication. |

Changed features

The Cortex XSOAR 8.11 release includes the following changed features:

| Feature | Description |
| --- | --- |
| Threat Intelligence | Functionality on the following pages and tabs has been deprecated: Sample Analysis, Sessions & Submissions, Unit 42 Intel. In addition, indicator search in the legacy Unit 42 library has been deprecated. |

Marketplace Changes

This section describes the changes in content (integrations, playbooks, and indicators) from Cortex XSOAR 8.10 to 8.11.

| Content | Description | Change type |
| --- | --- | --- |
| Unit 42 Threat Intelligence content pack | A new Unit 42 content pack provides high-value integrations that leverage Unit 42’s world-class threat intelligence, research, and analysis, replacing several deprecated packs (like AutoFocus and Unit 42 ATOMs Feed). To complete this migration, configure the new Unit 42 Feed and Enrichment integrations, update all related playbooks, and disable the old integrations. | New |
| CVE-2025-49704 and CVE-2025-49706 and CVE-2025-53770 and CVE-2025-53771 - Microsoft SharePoint ToolShell vulnerability chain playbook | Automates the investigation and response to potential exploitation of four chained vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771) in Microsoft SharePoint. This chain can allow unauthenticated threat actors to run arbitrary commands and gain remote execution capabilities. | New |