Comparison between Cortex XSOAR 6 and Cortex XSOAR 8

Cortex XSOAR 8 Feature Changes

Product: Cortex XSOAR
Version: 8
Creation date: 2023-02-20
Last date published: 2026-02-01
Abstract: Compare features between Cortex XSOAR 6 and 8.

Cortex XSOAR 8 delivers the same leading SOC security and operations solution as Cortex XSOAR 6, with a different architecture that is more robust. The following table describes the main changes in Cortex XSOAR 8.

Note

This comparison is between Cortex XSOAR 8 and the latest Cortex XSOAR 6.x version.

For further information or general queries about the feature changes, contact .

Feature

Section

Description

Change Type

SaaS/On-prem

Access Management

Adding users

Users are defined and managed from the Cortex Gateway and are shared by all Cortex products.

For more information about the changes, see New Features for Users and Roles in Cortex XSOAR 8.

Changed

SaaS

Role Management

A single role can be assigned directly to a user. Additional permissions can be granted as part of a User Group assignment.

Changed

Both

Users' permissions are no longer available.

Removed

SaaS

In a multi-tenant environment, roles are not propagated from the main account to child tenants. For SaaS, roles can be propagated from Cortex Gateway to all tenants.

Changed

Both

Single sign-on

Now under Settings & Info > Settings > Access Management > Authentication Settings.

Moved

Both

Self-Service Read-only users

Self-Service Read-Only users are not supported.

Removed

Both

Admin

Preferences

Easier theme switching: Change themes (Cohesive light/dark) by selecting the icon next to Settings & Info.

Changed

Both

Authentication

Multiple SSO

Now under Settings & Info > Settings > Access Management > Authentication Settings.

Changed

Both

LDAP and AD-based authentication

Available in Cortex XSOAR 6. Currently not available in Cortex XSOAR 8.

Removed

Both

Data Retention

N/a

Data retention is 180 days and can be extended through an SKU retention.

Changed

SaaS

Docker

Docker images and commands

Docker commands that derive from a script can be used for an engine, such as:

  • DockerHardeningCheck

  • CheckDockerImageAvailable

  • GetDockerImageLatestTag

  • ListUsedDockerImages

  • RunDockerCommand

  • ServerLogs_docker

All other Docker commands do not work in Cortex XSOAR 8.

Removed/Changed

Both

Private image registry

N/a

In Cortex XSOAR 8 SaaS, you can pull images from a private image registry. For more information, see Pull images from a private registry.

Removed/Changed

Both

Communication tasks through an engine

N/a

Removed from Cortex XSOAR 8.

Removed

Both

Incidents

Incident investigation

The Related Incidents tab was removed from Cortex XSOAR 8.

Removed

Both

The Summary tab was removed from Cortex XSOAR 8.

Removed

Both

When generating a report from an incident, you can only select the PDF format (Word is not supported).

Removed

Both

In an investigation, images from external links do not appear, as they are restricted due to security issues. To use an image, either upload the image using base64 or upload it using markdown in the War Room.

Changed

Both

Incident data

The created and occurred field values no longer include nanoseconds.

Removed

Both

War Room

Some War Room filters have been removed.

Limited

Both

Look & feel

N/a

Cortex XSOAR's look and feel align with other Cortex products, such as Cortex XDR, XSIAM, and XPANSE.

Changed

Both

Lists

Placeholders

In Cortex XSOAR 8, lists that contain placeholders (variables) such as ${incident.id} are not parsed when referenced in a playbook. Variables are parsed when the code is first read. If you put a variable inside a list, the system won't update or process it again once the list is loaded. Instead, the system treats the retrieved list content as static text and does not perform a secondary parsing step to resolve any placeholders contained within it.

To ensure variables (such as ${incident.id}) are resolved correctly in Cortex XSOAR 8, enter the content directly into the playbook task field rather than referencing it from a stored list.

Changed

Both

Mail Sender

N/a

Provided by default using the SMTP server on the tenant.

Changed

SaaS

Marketplace

Upload content packs

In Marketplace, unsigned content packs are not supported when selecting Upload Content Packs. If you want to upload unsigned content packs, do one of the following:

  • Use the demisto-sdk.

  • Upload the zip file to the War Room and install the content pack using the ContentPackInstaller command.

Changed

Both

Settings (Integrations)

Integrations

Now under Settings & Info > Settings > Integrations.

Unless otherwise specified, the same features as Cortex XSOAR 6.

Moved

Both

Integration logs

You can now access integration logs by going to Settings & Info > Settings > Integrations > Integration Log.

Moved

Both

External dynamic List

You can configure an External Dynamic List to share a list of indicators with other products in your network, such as a firewall or SIEM.

For more information, see Export indicators using the Generic Export Indicators integration.

Added

Both

Syslog server

You can send audit notifications to your Syslog server.

For more information, see Configure log and notification forwarding.

  • Format: Syslog format RFC 5424 is the only format supported.

  • Protocol: The Unix protocol is no longer supported.

  • Structure: The syslog structure was changed.

  • Tag: Support for Tag was dropped. The facility is set by default to FAC_USER.

For more information about how to create a syslog server for Cortex XSOAR 8 SaaS, see Syslog server management. For Cortex XSOAR 8 On-prem, see Manage syslog servers.

Changed

Both

API keys

Now under Settings & Info > Settings > Integrations.

In Cortex XSOAR 8, API keys are not bound to users and can have their own RBAC settings.

The API structure was changed. For more information, see Cortex XSOAR 8 API Changes.

Note

SAML/SSO APIs have been removed for Cortex XSOAR 8 On-prem.

The sets of API calls available in Cortex XSOAR 6 and Cortex XSOAR 8 are different. The endpoints supported in Cortex XSOAR 8 can be found in the API documentation.

Note

To report missing API functionality, contact customer support.

Moved/changed

Both

Settings (Advanced)

Audit Trail

Now under Settings & Info > Settings > System > Audit Notifications.

Moved

Both

Backups

For SaaS, backups are not managed as part of a Cortex XSOAR tenant, but handled by Palo Alto Networks. The Cortex XSOAR 8 tenant's data has full regional redundancy and relies on our cloud provider's controls to keep the data available. Cortex teams are frequently backing up all configuration data, and the restore process is tested regularly.

Changed

SaaS

For On-prem, you can back up and recover data such as incidents, playbooks, integrations, users, configurations, and settings. For more information, see Back up and restore Cortex XSOAR.

Changed

On-prem

Content Repository

When setting up a remote repository, you can select an in-built or private repository. Cortex XSOAR supports both single and multiple git branches.

Note

Cortex XSOAR On-prem supports a private repository only.

Changed

Both

Exclusion List

Now under Settings & Info > Settings > Objects Setup > Indicators.

For more information, see Export indicators using the Generic Export Indicators integration.

Moved

Both

ML Models

ML Models were removed from Cortex XSOAR 8.

Cortex XSOAR 6 customers with at least one model will have the module added. New customers for Cortex XSOAR 8 won’t have that page.

Removed

Both

Password Policy

The password policy was removed from Cortex XSOAR 8 SaaS.

Removed

SaaS

App Servers

App Servers were removed from Cortex XSOAR 8.

Removed

Both

Settings (About)

Version

Now under My Profile menu > About.

Moved

Both

License

Go to Settings & Info > Settings > Cortex XSOAR license.

Note

For SaaS, licenses are managed by Cortex's DevOps team.

For On-prem, licenses are managed by the user.

Moved

Both

Troubleshooting Page

Now under Settings & Info > Settings > System > Server Settings.

The login message, logo, and import and export content remain the same.

Removed

Both

Troubleshooting > Logs

Logs (including log level and download).

Removed

SaaS

Downloading a log bundle is done from the System Diagnostics page.

Changed

On-prem

Troubleshooting > Server Configurations

Server Configurations: Select from a dropdown list. Some server configurations have been removed.

Limited

Both

Troubleshooting > Time Configuration

Timezone and format can be set from user preferences.

Changed

Both

Troubleshooting > Telemetry

Telemetry settings are removed from Cortex XSOAR 8.

Removed

Both

System Diagnostics

For SaaS, you can view service limit errors and warnings on the Guard Rails page. For more information, see Guard Rails.

For On-prem, you can use the System Diagnostics page and Guard Rails to monitor and fix any issues. For more information, see Troubleshoot.

Changed

Both

Settings (USERS AND ROLES)

Users

There is no Default Admin in Cortex XSOAR 8. Some permissions granted to Default Admins in Cortex XSOAR 6 are now granted only to users with Instance Administrator or Account Admin roles. This includes access to:

  • Long Running Integrations (Settings & Info > Settings > Integrations > Long Running Integrations)

  • Access Management (whole section Settings & Info > Settings > Account Management)

  • Security Settings (Settings & Info > Settings > System > Security Settings)

Changed

Both

Threat Intel

N/a

Manually share indicators between tenants in a multi-tenant deployment.

Removed

Both

Proxy

N/a

Proxy supports authentication from Cortex XSOAR 8.11 On-prem and later.

Changed

On-prem

High Availability

N/a

If you deploy a cluster of three nodes and set the Cortex XSOAR IP address access to either a virtual IP or the reverse proxy/ingress controller IP, Cortex XSOAR On-prem implements built-in high availability. For more information, see High Availability for Cortex XSOAR.

Changed

On-prem

Live Backup

N/a

This is available in Cortex XSOAR 6.

It is not supported in Cortex XSOAR 8 On-prem.

Removed

On-prem

Disaster Recovery

N/a

This is available in Cortex XSOAR 6.

In Cortex XSOAR 8 On-prem, when you deploy a cluster, you can deploy a second cluster in a secondary data center to enable disaster recovery functionality using backup and restore operations. For more information, see High Availability for Cortex XSOAR.

Changed

On-prem

MT/MSSP

N/a

In Cortex XSOAR 8 SaaS, create and manage parent and child tenants in Cortex Gateway.

In Cortex XSOAR 8 On-prem, download the installation package from Cortex Gateway, install, and pair child tenants on the main tenant.

Changed

Both

Air-gapped installation

N/a

 

Removed

On-prem

Expanding Database Volumes

N/a

In Cortex XSOAR 6, you can directly expand database volumes.

In Cortex XSOAR 8 On-prem, you need a support session with support or engineering to expand database volumes.

Changed

On-prem

Vulnerability Fixes

N/a

In Cortex XSOAR 6, you can directly fix vulnerabilities.

In Cortex XSOAR 8 On-prem, vulnerabilities are fixed as part of the releases.

Changed

On-prem

Root Access to the Machine

N/a

In Cortex XSOAR 6, you can execute commands with root privileges since you own the infrastructure.

In Cortex XSOAR 8 On-prem, you need a support session with support or engineering to execute commands with root privileges.

Changed

On-prem
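
The Syslog server row above states that only RFC 5424 is supported, that Tag was dropped, and that the facility defaults to FAC_USER. The following receiver-side check is an added example, not Palo Alto Networks code: it verifies that forwarded audit lines parse as RFC 5424 with the user facility and flags legacy RFC 3164 lines that a Cortex XSOAR 6 era parser might still expect. The sample lines are constructed, the function names are hypothetical, and mapping FAC_USER to RFC 5424 facility code 1 is an assumption.

```python
import re

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)", re.DOTALL)
# Legacy BSD syslog (RFC 3164) has no version digit: <PRI>Mmm dd hh:mm:ss host tag: msg
LEGACY = re.compile(r"<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAC_USER = 1  # assumption: FAC_USER is RFC 5424 facility code 1 (user-level messages)

def split_structured_data(rest):
    """Split STRUCTURED-DATA from MSG. Returns (sd, msg), or None if SD is malformed."""
    if rest == "-" or rest.startswith("- "):
        return None, rest[2:]          # NILVALUE: no structured data
    i = 0
    while i < len(rest) and rest[i] == "[":
        i += 1
        while i < len(rest) and rest[i] != "]":
            i += 2 if rest[i] == "\\" else 1   # step over escaped \] \" \\ in values
        if i >= len(rest):
            return None                # SD-ELEMENT never closed
        i += 1
    if i == 0 or (i < len(rest) and rest[i] != " "):
        return None
    return rest[:i], rest[i + 1:]

def check_audit_line(line):
    """Return (True, fields) for RFC 5424 with facility user, else (False, reason)."""
    if LEGACY.match(line):
        return False, "legacy RFC 3164 format"
    m = HEADER.fullmatch(line)
    if not m or int(m["pri"]) > 191:   # PRI = facility * 8 + severity, max 23 * 8 + 7
        return False, "not a valid RFC 5424 header"
    parts = split_structured_data(m["rest"])
    if parts is None:
        return False, "malformed STRUCTURED-DATA"
    facility, severity = divmod(int(m["pri"]), 8)
    if facility != FAC_USER:
        return False, f"unexpected facility {facility}"
    return True, {"severity": severity, "host": m["host"], "sd": parts[0], "msg": parts[1]}

# Constructed sample lines, not real Cortex XSOAR output.
SAMPLES = [
    '<14>1 2026-02-01T10:15:30.123Z xsoar.example.internal xsoar 4711 AUDIT '
    '[meta@32473 user="alice" action="login"] User logged in',
    "<14>Feb  1 10:15:30 xsoar audit: User logged in",
    "<134>1 2026-02-01T10:15:31Z xsoar.example.internal xsoar - - - Audit forwarded",
]
```

Running `check_audit_line` over a capture from the receiving syslog server shows whether downstream parsing rules that key on Tag or on a non-user facility need updating.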