Cortex XSOAR Releases - Cortex XSOAR - Cortex - Security Operations

A new look and feel for playbooks: The latest enhancements in user experience improve playbook readability and clarity through an updated look and feel.

Collapsible playbook sections: The updated collapsible playbook sections enable users to stay focused on the relevant playbook details without distractions, allowing for easier navigation through complex playbooks and increased productivity.

Unlimited user license for development tenants: With no license limit for users on development tenants, you can build, test, and refine automations at scale. This drives faster innovation, more reliable workflows, and scalable solutions as your organization grows.

Notifications for deprecated content: New automated user notifications about deprecated playbooks, sub-playbooks, and scripts ensure updated, effective, and accurate security workflows.

Canvas -Multilayer indicator/incident relationship graph: SOC analysts can now create and share dynamic attack diagrams or static snapshots with incident response, forensics, and threat-hunting teams.

The Guard Rails page: Cortex XSOAR 8 now includes the Guard Rails page, which shows performance-related errors and warnings that can be used as a guide to detect and prevent actions that may cause a decline in performance or instability.

Exclude enrichment of indicators: Indicators can now be marked as Enrichment Excluded in Cortex XSOAR, ensuring they will not be enriched. This gives you better control over your Indicators and the ability to optimize system performance by managing the indicator enrichment process.

Audit logs: Audit log coverage is expanded to capture detailed records of incident edits, including the modified fields. This improvement ensures a comprehensive record of all changes, significantly enhancing the ability to trace the incident's history and evolution.

Seamlessly migrate all your data, configurations, and settings, including indicators and incidents from Cortex XSOAR 6.13 On-prem to Cortex XSOAR 8 Cloud using a built-in wizard streamlining the migration process.

To effectively investigate an incident and analyze associated indicators, the SOC analyst must have access to up-to-date data and a clear view of the most recent changes made to the relevant indicators, as well as the initial entries of indicator changes.

When generating a report, you can choose the timezone to ensure accurate and localized reporting for users working in multiple geographical locations.

Admin users can manage notification distribution by adding or removing tenant’s stakeholders' email addresses on the Server Settings page without the need to add them first on the tenant. This feature streamlines communication and simplifies administration.

You can create API keys with multiple roles to improve operational efficiency and allow dynamic RBAC management of API keys.

The Administrator can restrict designated users' access to specific dashboards through role assignment.

Cortex XSOAR has an API endpoint for GET, CREATE, UPDATE, and DELETE for API keys.

You can change the color of the favicon for each tenant, which allows you to identify which tenant is being used in each tab at a glance.

Enable communication between SOC analysts (MT/MSSP)

Keep Retained Incidents

Assign retention licenses for MT deployments

Content repository improvements

Customize system emails

Use an authenticated docker image

In-app documentation

Private repository support in a dev/prod environment

Export incidents to Excel

Authenticated communication tasks

Define credentials for long-running integrations

SSO improvements

Improved Auditing

Manage User Groups in the Cortex Gateway

Manage RBAC settings in the Cortex Gateway

Improved Navigation

Improved Indicator Verdict Calculation

XSOAR 8 now offers Cortex XSOAR multi-tenant, designed for managed security service providers and enterprises requiring strict data segregation with the flexibility to share and manage critical security practices across tenant accounts.

Role permissions have been updated to separate some administration permissions.

You can now subscribe to content pack updates in Marketplace.

Improved UI for Data Collection and Ask tasks in Playbooks and a simplified search for playbooks with free text search.

Improvements to the Default Playbook.

Integration into the Cortex platform:

Improved performance and reliability

High scalability based on a revamped architecture that utilizes cloud features

Built-in Git Repository for sharing data between development and production instances

A new look and feel for playbooks: The latest enhancements in user experience improve playbook readability and clarity through an updated look and feel.

Collapsible playbook sections: The updated collapsible playbook sections enable users to stay focused on the relevant playbook details without distractions, allowing for easier navigation through complex playbooks and increased productivity.

Unlimited user license for development tenants: With no license limit for users on development tenants, you can build, test, and refine automations at scale. This drives faster innovation, more reliable workflows, and scalable solutions as your organization grows.

Notifications for deprecated content: New automated user notifications about deprecated playbooks, sub-playbooks, and scripts ensure updated, effective, and accurate security workflows.

Export and delete incidents: Enhance incident data management by enabling administrators to export and delete incidents for regulatory and storage requirements. This helps minimize data exposure, ensures efficient and secure management of incident data retention, and helps free up disk space to optimize system performance.

Use an authenticated Docker image repository: Use a custom container registry with your authentication credentials to apply custom images created on a private machine. Using your registry enables you to manage access permissions, ensuring only authorized users can pull and use the custom images. This protects sensitive information and enables more secure and controlled deployment of custom images within the Cortex XSOAR environment.

Cortex XSOAR multi-tenant: Cortex XSOAR 8 On-prem now offers the following:

Backup and restore of configurations and data: Continuous and efficient operation of your Cortex XSOAR tenant by periodically backing up your tenant, which enables you to recover data, configurations, and settings.

Canvas - Multilayer Indicator/Incident Relationship Graph: SOC analysts can now create and share dynamic attack diagrams or static snapshots with IR, forensics, and threat-hunting teams. This enables them to visualize and link key security incidents and IOCs for faster and more streamlined investigation.

Cortex XSOAR On-prem now supports:

To effectively investigate an incident and analyze associated indicators, the SOC analyst must have access to up-to-date data and a clear view of the most recent changes made to the relevant indicators, as well as the initial entries of indicator changes.

Cortex XSOAR now supports teams working in different locations, enabling the user to select the timezone of the report.

Cortex XSOAR can now run more playbooks per hour for medium and large-scale deployments

Cortex XSOAR Cluster High Availability: Cortex XSOAR On-prem cluster, with three or more nodes, includes high availability capabilities to improve reliability for critical security operations.

Enhanced role-based access control for dashboards: The Administrator can now restrict access to specific dashboards for designated users through role assignment.

Multi-role API keys: You can now create API keys with multiple roles to improve operational efficiency and allow dynamic RBAC management of API keys.

New endpoint for managing API keys using the API: Cortex XSOAR now has an API endpoint for GET, CREATE, UPDATE, and DELETE for API keys.

Customize the favicon color: You can now change the color of the favicon for each tenant. This allows you to identify which tenant is being used in each tab at a glance.

Integration into the Cortex platform:

Improved performance and reliability

High scalability based on a revamped architecture

User-friendly installation with an easy-to-follow step-by-step TUI to install and configure Cortex XSOAR:

Migration from Cortex XSOAR 6 MSSP/multi-tenant to Cortex XSOAR 8 cloud MSSP/multi-tenant. To start the migration, users need to upgrade to this version. For more information about the migration process, see the Cortex XSOAR Migration Guide.

Cortex XSOAR 6.14 now supports:

Migration from Cortex XSOAR 6 On-prem to Cortex XSOAR 8 Cloud is now available. To start the migration, users need to upgrade to this version. For more information about the migration process, see the Cortex XSOAR Migration Guide.

Cortex XSOAR 6.13 now supports:

Migration from Cortex XSOAR 6 to 8 is available for Hosted customers

Cortex XSOAR supports RHEL v8.8 and v9.0

Edit a list installed from a content pack by detaching it

The reputationCalcAsync argument is now available for the addEntries command

The list.<listName>.separator and list.separator server configurations now support tabs as list separators, using \t

Improved Upgrade Process for Multi-Tenant Deployments

After deleting a user, you can now clear the user's data from content, such as active incidents and investigations, automations, etc.

Substantial improvements of playbook performance, including context operations, indicator extraction, and playbook execution.

New Menu Navigation

Role Permissions have been updated for more granular control.

Communication task links in Context Data: When running an Ask or Data Collection task, links are generated to collect the recipients' responses and are now available in the incident's context data.

Content Security Policy: You can now enable Content Security Policy (CSP), which adds a layer of security, including detecting and mitigating certain types of attacks.

Quiet Mode for Manual Tasks: You can now turn Quiet mode on or off for individual manual tasks in a playbook.

Documentation Portal: Documentation for all Cortex products, including Cortex XSOAR, has moved to https://docs-cortex.paloaltonetworks.com/.

Deployment Wizard: When installing or updating content packs, the DEPLOYMENT WIZARD tab guides you step-by-step to adopt your use case (including Phishing and Malware), significantly reducing the setup time.

SAML 2.0 Configuration: You can now let administrators manually enter certain user information fields when configuring SAML 2.0, which persists if those fields are not provided by the SAML third-party provider.

Zoom level:  When switching between playbooks, the user's zoom level is now preserved (in = more detail, out = larger view).

Added a warning message when viewing comments in incidents: (Multi-Tenant) Added a warning message when handling bulk incidents to prevent customer information from being unintentionally shared with other customers.