Comparison between Cortex XSOAR 6 and Cortex XSOAR 8 - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR 8 Feature Changes

Product
Cortex XSOAR
Version
8
Creation date
2023-02-20
Last date published
2024-11-11
Abstract

Compare features between Cortex XSOAR 6 and 8.

Cortex XSOAR 8 delivers the same leading SOC security and operations solution as Cortex XSOAR 6, with a different architecture that is more robust. The following table describes the main changes in Cortex XSOAR 8.

Note

This comparison is between Cortex XSOAR 8 and the latest Cortex XSOAR 6x version.

Feature

Section

Description

Change Type

Cloud/On-prem

Access Management

Adding users

Users are defined and managed from the Cortex Gateway and are shared by all Cortex products.

For more information about the changes, see New Features for Users and Roles in Cortex XSOAR 8

Changed

Cloud

Role Management

A single role can be assigned directly to a user. Additional permissions can be granted as part of a User Group assignment.

Changed

Both

Role Management

Users' permissions are no longer available.

Removed

Cloud

Role Management

In a multi-tenant environment, roles are not propagated from the main account to child tenants. Roles can be propagated from the Cortex Gateway to all tenants.

Note

Cortex XSOAR On-prem does not yet support Multi-tenant.

Changed

Both

Single sign-on

Now under Settings & InfoSettingsAccess ManagementAuthentication Settings.

Moved

Both

Self Service Read-only users

Self Service Read only users are not supported.Self-Service Read-Only Users

Removed

Both

Admin

Preferences

Easier theme switching: Change themes (Cohesive light/dark) by selecting the icon next to Settings & Info.

Changed

Both

Authentication

Multiple SSO

Now under Settings & InfoSettingsAccess ManagementAuthentication Settings.

Changed

Both

LDAP authentication

Removed

Both

Data Retention

N/a

Data retention is 180 days and can be extended through SKU retention.

Changed

Cloud

Docker

Docker images and commands

Docker commands that derive from a script can be used for an engine, such as:

  • DockerHardeningCheck

  • CheckDockerImageAvailable

  • GetDockerImageLatestTag

  • ListUsedDockerImages

  • RunDockerCommand

  • ServerLogs_docker

All other Docker commands do not work in Cortex XSOAR 8.

Removed/Changed

Both

Incidents

Incident investigation

Canvas was removed from Cortex XSOAR 8 On-prem.

Removed

On-prem

The Related Incidents tab was removed from Cortex XSOAR 8.

Removed

Both

The Summary tab was removed from Cortex XSOAR 8.

Removed

Both

When generating a report from an incident, you can only select PDF format (Word is not supported).

Removed

Both

In an investigation, images from external links will not appear, as they are restricted due to security issues. To use an image, either upload the image using base64 or upload it using markdown in the War Room.

Changed

Both

War Room

Some War Room filters have been removed.

Limited

Both

Look & feel

N/a

Cortex XSOAR's look and feel align with other Cortex products, such as XDR, XSIAM, and XPANSE.

Changed

Both

Multi-tenant

N/a

Now managed from the Cortex Gateway

Note

Cortex XSOAR On-prem does not yet support Multi-tenant.

Changed

Cloud

Mail Sender

N/a

Provided by default using the SMTP server on the tenant.

Changed

Cloud

Marketplace

Upload content packs

In Marketplace, unsigned content packs are not supported when selecting Upload Content Packs. If you want to upload unsigned content packs, do one of the following:

  • Use the demisto.sdk

  • Upload the zip file to the War Room and install the content pack using the ContentPackInstaller command

Changed

Both

Settings (Integrations)

Integrations

Now under Settings & InfoSettingsIntegrations.

Unless otherwise specified, the same features as XSOAR 6

Moved

Both

Integration logs

You can now access integration logs by going to Settings & InfoSettingsIntegrationsIntegration Log.

Moved

Both

Agent tools

Agent Tools was removed from Cortex XSOAR 8.

Removed

Both

External dynamic List

You can configure an External Dynamic List to share a list of Cortex XSOAR indicators with other products in your network, such as a firewall or SIEM.

For more information, see Export indicators using the Generic Export Indicators integration.

Added

Both

Syslog server

You can send audit notifications to your Syslog server.

For more information, see Configure management audit notification forwardingConfigure management audit notification forwarding

Changed

Both

Syslog

  • Format: Syslog format RFC 5424 is the only format supported.

  • Protocol: Unix protocol is no longer supported

  • Structure: The syslog structure was changed.

  • Dropped support for Tag. The facility is set by default to FAC_USER

  • In Cortex XSOAR 8 Cloud, you can manage Syslog servers. For more information, see Syslog Server management. In Cortex XSOAR 8 On-prem this will be added in H2-2025.Syslog Server management

Changed

Both

API keys

Now under Settings & InfoSettingsIntegrations.

In Cortex XSOAR 8, API keys are not bound to users and can have their own RBAC settings.

Generating API Keys is also available in Cortex XSOAR 6

Moved/changed

Both

API functions

The set of API calls available in Cortex XSOAR 6 and Cortex XSOAR 8 are different. The endpoints supported in Cortex XSOAR 8 can be found in the API documentation.

To report missing API functionality, contact customer support

Limited

Both

API structure

The API Structure was changed.

For more information, see Cortex XSOAR 8 API Changes

Changed

Both

Settings (Advanced)

Audit Trail

Now under Settings & InfoSettingsSystemAudit Notifications.

Moved

Both

Backups

Backups are not managed as part of a Cortex XSOAR tenant.

Removed

Both

Backup Management

Handled by Palo Alto Networks. The Cortex XSOAR 8 tenant's data has full regional redundancy and relies on our cloud provider's controls to keep the data available. Cortex teams are frequently backing up all configuration data and the restore process is tested regularly.

Changed

Cloud

Content Repository

When setting up a remote repository you can select an in-built or private repository. Cortex XSOAR supports both single and multiple git branches.

Note

Cortex XSOAR On-prem supports a private repository only.

Changed

Both

Exclusion List

Now under Settings & InfoSettingsObjects SetupIndicators.

For more information, see Export indicators using the Generic Export Indicators integration.

Moved

Both

ML Models

ML Models were removed from Cortex XSOAR 8.

Cortex XSOAR 6 customers with at least one model will have the module added. New customers for Cortex XSOAR 8 won’t have that page.

Removed

Both

Password Policy

Password policy was removed from Cortex XSOAR 8 Cloud.

Removed

Cloud

App Servers

App Servers were removed from Cortex XSOAR 8.

Removed

Both

Settings (About)

Version

Now under My Profile menuAbout.

Moved

Both

License

Go to Settings & InfoSettingsCortex XSOAR license.

Moved

Both

License Management

Managed by Cortex's DevOps team.

Removed

Cloud

License - Customer Name

Removed in Cortex XSOAR 8.

Will be added soon.

Temporarily removed

Both

Troubleshooting Page

Now under Settings & InfoSettingsSystemServer Settings.

Login message, logo, and import and export content remain the same.

Removed

Both

TroubleshootingLogs

Logs (including log level and download)

Removed

Cloud

Downloading a log bundle is done from the System Diagnostics page.

Changed

On-prem

TroubleshootingServer Configurations

Server Configurations: Select from a dropdown list. Some server configurations have been removed.

Limited

Both

TroubleshootingTime Configuration

Timezone and format can be set from user preferences.

Changed

Both

TroubleshootingTelemetry

Telemetry settings are removed from Cortex XSOAR 8.

Removed

Both

System Diagnostics

System Diagnostics was removed from Cortex XSOAR 8.

Removed

Cloud

Settings (USERS AND ROLES)

Users

There is no Default Admin in Cortex XSOAR 8. Some permissions granted to Default Admins in Cortex XSOAR 6 are now granted only to users with Instance Administrator or Account Admin roles. This includes access to:

  • Long Running Integrations (Settings & InfoSETTINGSIntegrationsLong Running Integrations)

  • Access Management (whole section Settings & InfoSETTINGSAccount Management)

  • Security Settings (Settings & InfoSETTINGSSystemSecurity Settings)

Changed

Both

Threat Intel

Manually share indicators between tenants in a multi-tenant deployment.

Removed

Both

High Availability

If you deploy a cluster of three or more nodes, the system automatically implements built-in High Availability. For more information, see High Availability for Cortex XSOAR.

Changed

On-prem

Disaster Recovery

Will be added.

Temporarily removed

On-prem

MT/MSSP

In Cortex XSOAR 8 Cloud, create and manage parent and child tenants in Cortex Gateway.

For Cortex XSOAR 8 On-prem: Coming soon

Changed

Both

Air-gapped installtion

Will be added soon.

Temporarily removed

On-prem

For further information or general queries about the feature changes, contact the Product Team.