Cortex XSOAR Releases - Cortex XSOAR - Cortex - Security Operations

Multi-tenant support for child tenant name changes: Simplify tenant management by renaming child tenants from within the Cortex Gateway. You now have the flexibility to ensure tenant names consistently reflect current business requirements, maintaining operational clarity across large-scale SOC deployments.

Organized content management: Easily distinguish between your custom work and content pack items with a dedicated workspace for each. To ensure a cleaner view, we moved all content pack items to the Content Pack Items page, while the Content Items page is now reserved exclusively for your custom creations.

Enhanced audit logs: Gain full visibility and meet compliance requirements with expanded auditing for notification forwarding and content management. You can now track configuration changes for notifications and high-stakes content lifecycle events, such as pushing content to production, directly within the Management Audit log.

Contextual playbook documentation: We have introduced Info Mode to the playbook editor, allowing you to view detailed task and section descriptions directly within your workflow.

New Rapid Response Playbook: Automate the detection and mitigation of CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS) caused by insecure deserialization.

Improve playbook unlocking: Ensure your team can edit their automation workflows with automatic or manual playbook unlocking. The system now clears locks immediately when a user logs out or when a session expires

Conflict-free playbook: Prevent concurrent playbook editing with this enhancement, ensuring your team can build and modify automation workflows without conflicts.

Unique task logos: Boost clarity, quickly distinguish between integration commands, custom scripts, and system actions with playbook tasks that display unique logos and content pack indicators.

Unit 42 Threat Intelligence content pack: A new Unit 42 content pack provides high-value integrations that leverage Unit 42’s world-class threat intelligence, research, and analysis, replacing several deprecated packs (like AutoFocus and Unit 42 ATOMs Feed). To complete this migration, configure the new Unit 42 Feed and Enrichment integrations, update all related playbooks, and disable the old integrations.

Advanced search for playbooks and scripts: Easily find and use existing scripts and playbooks by searching for specific text within scripts or by searching the names of scripts, tasks, and third-party integrations within playbooks.

Clear incidents waiting in the ingestion queue: Regain control during incident floods and ensure critical playbooks run smoothly, preventing bottlenecks and facilitating rapid self-recovery.

Generic Webhook integration enhancements: Easily ingest external data without an API integration and connect with diverse services with support for header-based authentication and a simplified setup experience.

Automatically export incidents: For customers who need to store incidents beyond their retention period, XSOAR can automatically export incidents to external storage, enabling indefinite retention and continued access to historical incident data.

Support for additional Cortex XSOAR APIs: The expanded API support enables organizations to reset the ROI widget, update existing lists, get a list, upload files, and clone playbooks so they can better fine-tune automated incident workflows and integrations.

A new look and feel for playbooks: The latest enhancements in user experience improve playbook readability and clarity through an updated look and feel.

Collapsible playbook sections: The updated collapsible playbook sections enable users to stay focused on the relevant playbook details without distractions, allowing for easier navigation through complex playbooks and increased productivity.

Unlimited user license for development tenants: With no license limit for users on development tenants, you can build, test, and refine automations at scale. This drives faster innovation, more reliable workflows, and scalable solutions as your organization grows.

Notifications for deprecated content: New automated user notifications about deprecated playbooks, sub-playbooks, and scripts ensure updated, effective, and accurate security workflows.

Canvas -Multilayer indicator/incident relationship graph: SOC analysts can now create and share dynamic attack diagrams or static snapshots with incident response, forensics, and threat-hunting teams.

The Guard Rails page: Cortex XSOAR 8 now includes the Guard Rails page, which shows performance-related errors and warnings that can be used as a guide to detect and prevent actions that may cause a decline in performance or instability.

Exclude enrichment of indicators: Indicators can now be marked as Enrichment Excluded in Cortex XSOAR, ensuring they will not be enriched. This gives you better control over your Indicators and the ability to optimize system performance by managing the indicator enrichment process.

Audit logs: Audit log coverage is expanded to capture detailed records of incident edits, including the modified fields. This improvement ensures a comprehensive record of all changes, significantly enhancing the ability to trace the incident's history and evolution.

Seamlessly migrate all your data, configurations, and settings, including indicators and incidents from Cortex XSOAR 6.13 On-prem to Cortex XSOAR 8 Cloud using a built-in wizard streamlining the migration process.

To effectively investigate an incident and analyze associated indicators, the SOC analyst must have access to up-to-date data and a clear view of the most recent changes made to the relevant indicators, as well as the initial entries of indicator changes.

When generating a report, you can choose the timezone to ensure accurate and localized reporting for users working in multiple geographical locations.

Admin users can manage notification distribution by adding or removing tenant’s stakeholders' email addresses on the Server Settings page without the need to add them first on the tenant. This feature streamlines communication and simplifies administration.

You can create API keys with multiple roles to improve operational efficiency and allow dynamic RBAC management of API keys.

The Administrator can restrict designated users' access to specific dashboards through role assignment.

Cortex XSOAR has an API endpoint for GET, CREATE, UPDATE, and DELETE for API keys.

You can change the color of the favicon for each tenant, which allows you to identify which tenant is being used in each tab at a glance.

Enable communication between SOC analysts (MT/MSSP)

Keep Retained Incidents

Assign retention licenses for MT deployments

Content repository improvements

Customize system emails

Use an authenticated Docker image

In-app documentation

Private repository support in a dev/prod environment

Export incidents to Excel

Authenticated communication tasks

Define credentials for long-running integrations

SSO improvements

Improved Auditing

Manage User Groups in the Cortex Gateway

Manage RBAC settings in the Cortex Gateway

Improved Navigation

Improved Indicator Verdict Calculation

XSOAR 8 now offers Cortex XSOAR multi-tenant, designed for managed security service providers and enterprises requiring strict data segregation with the flexibility to share and manage critical security practices across tenant accounts.

Role permissions have been updated to separate some administration permissions.

You can now subscribe to content pack updates in Marketplace.

Improved UI for Data Collection and Ask tasks in Playbooks, and a simplified search for playbooks with free text search.

Improvements to the Default Playbook.

Integration into the Cortex platform:

Improved performance and reliability

High scalability based on a revamped architecture that utilizes cloud features

Built-in Git Repository for sharing data between development and production instances

Contextual playbook documentation: We have introduced Info mode to the playbook editor, allowing you to view detailed task and section descriptions directly within your workflow. This update provides essential context and guidance at a glance, helping you understand and navigate complex automated processes without leaving the editor view.

Maintain uptime with automatic storage expansion: Maintain continuous application uptime by preventing service interruptions caused by full disks. We added an "Auto Expand" feature in the TUI that automatically increases storage capacity when usage hits 85%.

Conflict-free playbook editing: Prevent concurrent playbook editing with this enhancement, ensuring your team can build and modify automation workflows without conflicts.

Unique task logos: Boost clarity, quickly distinguish between integration commands, custom scripts, and system actions with playbook tasks that display unique logos and content pack indicators.

Forward logs to your syslog server: Enable centralized monitoring and satisfy log retention requirements by forwarding Management Audit, Integration, and Guard Rails logs to your preferred syslog server.

Advanced search for playbooks and scripts: Easily find and use existing scripts and playbooks by searching for specific text within scripts or by searching the names of scripts, tasks, and third-party integrations within playbooks.

Clear incidents waiting in the ingestion queue: Regain control during incident floods and ensure critical playbooks run smoothly, preventing bottlenecks and facilitating rapid self-recovery.

Generic Webhook integration enhancements: Easily ingest external data without an API integration and connect with diverse services with support for header-based authentication and a simplified setup experience.

The expanded API enables organizations to reset the ROI widget, update existing lists, get a list, upload files, and clone playbooks to better fine-tune automated incident workflows and integrations.

The Cortex XSOAR 8.10 release also includes the following bug fix highlights:

A new look and feel for playbooks: The latest enhancements in user experience improve playbook readability and clarity through an updated look and feel.

Collapsible playbook sections: The updated collapsible playbook sections enable users to stay focused on the relevant playbook details without distractions, allowing for easier navigation through complex playbooks and increased productivity.

Unlimited user license for development tenants: With no license limit for users on development tenants, you can build, test, and refine automations at scale. This drives faster innovation, more reliable workflows, and scalable solutions as your organization grows.

Notifications for deprecated content: New automated user notifications about deprecated playbooks, sub-playbooks, and scripts ensure updated, effective, and accurate security workflows.

Export and delete incidents: Enhance incident data management by enabling administrators to export and delete incidents for regulatory and storage requirements. This helps minimize data exposure, ensures efficient and secure management of incident data retention, and helps free up disk space to optimize system performance.

Use an authenticated Docker image repository: Use a custom container registry with your authentication credentials to apply custom images created on a private machine. Using your registry enables you to manage access permissions, ensuring only authorized users can pull and use the custom images. This protects sensitive information and enables more secure and controlled deployment of custom images within the Cortex XSOAR environment.

Cortex XSOAR multi-tenant: Cortex XSOAR 8 On-prem now offers the following:

Backup and restore of configurations and data: Continuous and efficient operation of your Cortex XSOAR tenant by periodically backing up your tenant, which enables you to recover data, configurations, and settings.

Canvas - Multilayer Indicator/Incident Relationship Graph: SOC analysts can now create and share dynamic attack diagrams or static snapshots with IR, forensics, and threat-hunting teams. This enables them to visualize and link key security incidents and IOCs for faster and more streamlined investigation.

Cortex XSOAR On-prem now supports:

To effectively investigate an incident and analyze associated indicators, the SOC analyst must have access to up-to-date data and a clear view of the most recent changes made to the relevant indicators, as well as the initial entries of indicator changes.

Cortex XSOAR now supports teams working in different locations, enabling the user to select the timezone of the report.

Cortex XSOAR can now run more playbooks per hour for medium and large-scale deployments

Cortex XSOAR Cluster High Availability: Cortex XSOAR On-prem cluster, with three or more nodes, includes high availability capabilities to improve reliability for critical security operations.

Enhanced role-based access control for dashboards: The Administrator can now restrict access to specific dashboards for designated users through role assignment.

Multi-role API keys: You can now create API keys with multiple roles to improve operational efficiency and allow dynamic RBAC management of API keys.

New endpoint for managing API keys using the API: Cortex XSOAR now has an API endpoint for GET, CREATE, UPDATE, and DELETE for API keys.

Customize the favicon color: You can now change the color of the favicon for each tenant. This allows you to identify which tenant is being used in each tab at a glance.

Integration into the Cortex platform:

Improved performance and reliability

High scalability based on a revamped architecture

User-friendly installation with an easy-to-follow step-by-step TUI to install and configure Cortex XSOAR:

Migration from Cortex XSOAR 6 MSSP/multi-tenant to Cortex XSOAR 8 cloud MSSP/multi-tenant. To start the migration, users need to upgrade to this version. For more information about the migration process, see the Cortex XSOAR Migration Guide.

Cortex XSOAR 6.14 now supports:

Migration from Cortex XSOAR 6 On-prem to Cortex XSOAR 8 Cloud is now available. To start the migration, users need to upgrade to this version. For more information about the migration process, see the Cortex XSOAR Migration Guide.

Cortex XSOAR 6.13 now supports:

Migration from Cortex XSOAR 6 to 8 is available for Hosted customers

Cortex XSOAR supports RHEL v8.8 and v9.0

Edit a list installed from a content pack by detaching it

The reputationCalcAsync argument is now available for the addEntries command

The list.<listName>.separator and list.separator server configurations now support tabs as list separators, using \t

Improved Upgrade Process for Multi-Tenant Deployments

After deleting a user, you can now clear the user's data from content, such as active incidents and investigations, automations, etc.

Substantial improvements of playbook performance, including context operations, indicator extraction, and playbook execution.

New Menu Navigation

Role Permissions have been updated for more granular control.

Communication task links in Context Data: When running an Ask or Data Collection task, links are generated to collect the recipients' responses and are now available in the incident's context data.

Content Security Policy: You can now enable Content Security Policy (CSP), which adds a layer of security, including detecting and mitigating certain types of attacks.

Quiet Mode for Manual Tasks: You can now turn Quiet mode on or off for individual manual tasks in a playbook.

Documentation Portal: Documentation for all Cortex products, including Cortex XSOAR, has moved to https://docs-cortex.paloaltonetworks.com/.

Deployment Wizard: When installing or updating content packs, the DEPLOYMENT WIZARD tab guides you step-by-step to adopt your use case (including Phishing and Malware), significantly reducing the setup time.

SAML 2.0 Configuration: You can now let administrators manually enter certain user information fields when configuring SAML 2.0, which persists if those fields are not provided by the SAML third-party provider.

Zoom level:  When switching between playbooks, the user's zoom level is now preserved (in = more detail, out = larger view).

Added a warning message when viewing comments in incidents: (Multi-Tenant) Added a warning message when handling bulk incidents to prevent customer information from being unintentionally shared with other customers.