Cortex XSOAR Releases - Cortex XSOAR - Cortex - Security Operations

You can create API keys with multiple roles to improve operational efficiency and allow dynamic RBAC management of API keys.

The Administrator can restrict access to specific dashboards for designated users through role assignment.

Cortex XSOAR has an API endpoint for GET, CREATE, UPDATE, and DELETE for API keys.

You can change the color of the favicon for each tenant, which allows you to identify which tenant is being used in each tab at a glance.

Integration into the Cortex platform:

Improved performance and reliability

High scalability based on a revamped architecture

User-friendly installation with an easy-to-follow step-by-step TUI to install Cortex XSOAR and configure:

Enable communication between SOC analysts (MT/MSSP)

Keep retained incidents

Assign retention licenses for MT deployments

Content repository improvements

Customize system emails

Use an authenticated docker image

In-app documentation

Private repository support in a dev/prod environment

Export incidents to Excel

Authenticated communication tasks

Define credentials for long-running integrations

SSO improvements

Migration from Cortex XSOAR 6 to 8 is available for Hosted customers

Cortex XSOAR supports RHEL v8.8 and v9.0

Edit a list installed from a content pack by detaching it

The reputationCalcAsync argument is now available for the addEntries command

The list.<listName>.separator and list.separator server configurations now support tabs as list separators, using \t

Improved Auditing

Mange User Groups in the Cortex Gateway

Manage RBAC settings in the Cortex Gateway

Improved Navigation

Improved Indicator Verdict Calculation

XSOAR 8 now offers Cortex XSOAR Multi-Tenant, which is designed for managed security service providers and enterprises that require strict data segregation with the flexibility to share and manage critical security practices across tenant accounts.

Role permissions have been updated to separate some administration permissions.

You can now subscribe to content pack updates in Marketplace.

Improved UI for Data Collection and Ask tasks in Playbooks and a simplified search for playbooks with free text search.

Improvements to the Default Playbook.

Improved Upgrade Process for Multi-Tenant Deployments

After deleting a user, you can now clear the user's data from content, such as active incidents and investigations, automations, etc.

Substantial improvements of playbook performance including context operations, indicator extraction and playbook execution.

New Menu Navigation

Role Permissions have been updated for more granular control.

Integration into the Cortex platform:

Improved performance and reliability

High scalability based on revamped architecture that utilizes cloud features

Built-in Git Repository for sharing data between development and production instances

Communication task links in Context Data: When running an Ask or Data Collection task, links are generated to collect the recipients' responses and are now available in the incident's context data.

Content Security Policy: You can now enable Content Security Policy (CSP), which adds a layer of security including detecting and mitigating certain types of attack.

Quiet Mode for Manual Tasks: You can now turn quiet mode on or off for individual manual tasks in a playbook.

Documentation Portal: Documentation for all Cortex products including Cortex XSOAR has moved to https://docs-cortex.paloaltonetworks.com/.

Deployment Wizard: When installing or updating content packs, the DEPLOYMENT WIZARD tab guides you step-by-step to adopt your use case (including Phishing and Malware), significantly reducing the setup time.

SAML 2.0 Configuration: You can now let administrators manually enter certain user information fields when configuring SAML 2.0, which persist if those fields are not provided by SAML third-party provider.

Zoom level:  When switching between playbooks, the user's zoom level is now preserved (in = more detail, out = larger view).

Add a warning message when viewing comments in incidents: (Multi-Tenant) Added a warning message, when handling bulk incidents to prevent customer information being unintentionally shared with other customers.

Deployment Wizard: When installing or updating the Malware content pack, a new DEPLOYMENT WIZARD tab guides you step-by-step to quickly adopt the Malware use case.

Error handling in playbooks: When creating/editing a standard task that uses an automation or a conditional task that uses an automation, if the the task errors, the playbook continues on an error path.

New custom playbooks set to quiet mode: When creating a new custom playbook, by default, the playbook is set to Quiet Mode to improve system performance.

Exclude items from local changes in remote repositories: Exclude content items in your development environment from syncing with your production machine.

HTTP,  HTTPS, and SSH are supported for remote repositories: Connect to a remote repository using HTTP,  HTTPS, or SSH.

API keys creation: Select which roles have read and read/write permission when creating API keys.

Indicator field Trigger Scripts: Associate indicator fields with trigger automation scripts that check for field changes, and then take actions based on them.

Dynamic layouts and fields: When customizing an indicator/indicator layout add a filter.

Saved Query Sharing: Share saved queries with specific roles.

Enhanced RBAC: More granularity to the RBAC roles page.