Cortex XSOAR (Demisto) 5.5 New Features

Community Team Member

Cortex XSOAR 5.5 (formerly known as Demisto) has been released with a detailed list of new features, including new Threat Intel Management features, intel feeds, playbooks, incident features, user management, and more general features. All of these will help improve how you deal with daily challenges using Cortex XSOAR.

Please see the following new features, which have been categorized by product component.

  • Threat Intel Management
  • Playbooks
  • Incidents
  • Dashboards and Widgets
  • User Management
  • API
  • Multi-tenant
  • General Features

Threat Intel Management*

  • Threat intel management: Threat intel management capabilities are designed to ingest, process, and export a large number of indicators, further automating your security ecosystem. By default, the threat intel management infrastructure runs on the internal database. We recommend that you migrate your indicators to a dedicated Elasticsearch database.
    NOTE: Full threat intel management capabilities require a separate license.
  • Threat intel feeds: Cortex XSOAR now has several threat intelligence feed integrations, both generic and vendor-specific, that fetch indicators according to a specified query, which enables you to automate threat intelligence management. Cortex XSOAR ingests and processes indicator sources from these threat intel feeds and exports the enriched intelligence data to SIEMs, firewalls, and other systems.
  • Elasticsearch database: You can now store indicators, and indicator data, in a dedicated Elasticsearch index. Use the provided tool to migrate existing indicators to the Elasticsearch index.
  • Export indicators: You can export indicators to a file, to an EDL, or as a TAXII service to update your SIEM, proxy server, and firewall.
  • Share indicators (Multi-Tenant): You can now share indicators between tenant accounts in an Elasticsearch index. You can define which local indicators to export from a tenant to a shared indicator index. On the master account, you can define which indicators are pushed to shared tenant accounts.
  • EnrichIndicators command: Added the enrichIndicators command, which supports enriching all indicator types.

Playbooks*

  • Skip a playbook task when an integration or automation is unavailable: You can skip a playbook task or branch when an integration is unavailable or disabled. If the playbook contains a task or branch that uses an unavailable or disabled integration, that task is skipped and the playbook continues to execute; otherwise the playbook fails. To enable this feature for a task, select the Skip this branch... check box in the Advanced section of the playbook task.
  • Improve loop performance: When defining a loop in a sub-playbook, you can now set the number of times the loop runs and the amount of time to wait between iterations.
  • Ignore outputs: You can now limit the information written to Context Data to the key-value pairs you define in the Extend context field. For example, if querying certain criteria returns numerous fields, event counts, and descriptions, you may want to ignore the output that includes those fields.
  • Quiet mode: You can configure a playbook, or a playbook task, to neither display inputs and outputs nor write information to the War Room, which substantially improves performance by increasing playbook speed and reducing database size.
    NOTE: Outputs are still written to context. If you want to disable outputs, use the Ignore outputs feature.
  • Edit sub-playbook task names: You can now edit the task name for a sub-playbook, which lets you give the playbook better context.
  • Customize Communication Task message layout: You can now select the color of the email header, body, and buttons, as well as customize the text of the message header and the button text.
  • Run Communication tasks using an engine: You can now run communication tasks through an engine, which allows users to continue responding to these tasks when network access to Cortex XSOAR needs to be restricted.

Incidents*

  • Action buttons on the incident summary page: You can configure a Button field to include in an incident or indicator layout, which executes a script when the user clicks the button. For example, you can add a button that executes a script to add an indicator to the exclusion list.
  • Export custom incident types: You can export custom incident types in JSON format, as an array of incident type objects. Keep in mind that you can't export system incident types.
  • Added the Created By incident field: The Created By incident field enables you to track the user who created the incident or ticket. You can add this field to the layout for any incident type.

Dashboards and Widgets*

  • Edit a widget query: In the widget library, when editing a widget, you can change and save the Data Query. This enables you to add the widget with the updated data query to a dashboard or report.
  • Create script-based widgets: You can create script-based widgets in the user interface by selecting Scripts as the Data Type. This functionality was previously available only by editing a script JSON file.

User Management*

  • Role for analyst shift management: Added the ability to define analyst shifts, which enables you to easily identify on-shift analysts for incident assignment. Shifts also help the system determine suggested analysts for incident assignment.
  • Enable and disable users: As an Administrator, you can enable or disable users.
    NOTE: Disabled users are not counted toward the license.
  • Password policy: Set a password policy for all internal users in Cortex XSOAR. The password policy enables you to set password complexity requirements, the password expiry period, and more.
  • Role-based bulk changes: You can configure the bulk changes users can make to incidents listed in the table view of the Incidents page. For each role in the Roles page of the Users and Roles settings, you can select the Incident table actions that the user can perform in bulk.
  • Toggle keyboard shortcuts: Each user can enable or disable the various keyboard shortcuts in Cortex XSOAR. Some keyboard layouts, such as Apple Mac, European, and Asian keyboards, may conflict with Cortex XSOAR shortcuts.
    NOTE: Command line shortcuts still work even when keyboard shortcuts are disabled.
  • Active Directory phone number field: The value of the Active Directory phoneNumber field maps to the Phone Number field in Cortex XSOAR.

API*

  • Workers status: You can view worker information, such as the number of workers available, how many are busy, and more, by using the following REST API call:
    GET /workers/status
  • Delete dashboards created by users no longer in the system: You can delete or unshare dashboards that were created by users who are no longer in the system by using the following REST API calls:
    DELETE /dashboards/:id
    POST /dashboards/unshare/:id
  • Docker container status: Cortex XSOAR exposes an API that returns health information about your containers, including how many are active, how many are inactive, and how many containers you have in total. The API is available using:
    GET /health/containers
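The following Python script is an added example, not code from Palo Alto Networks or from the Cortex XSOAR release notes. It builds the REST calls listed above (the two health endpoints and the dashboard unshare/delete calls) and shows a dry-run workflow for cleaning up dashboards left behind by departed users. It assumes that the API key is sent in the Authorization header (check the API reference for your version), that xsoar.example.invalid is a placeholder host, and that the dashboard records in SAMPLE_DASHBOARDS are constructed for the example.

```python
"""Added example (not Palo Alto Networks or Cortex XSOAR code): build and
dispatch the REST calls listed in this section. ASSUMPTIONS: the XSOAR API
key is sent in the Authorization header (verify against the API reference
for your version), xsoar.example.invalid is a placeholder host, and the
dashboard records in SAMPLE_DASHBOARDS are constructed for this example."""
import json
import urllib.request
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple

Call = Tuple[str, str]  # (HTTP method, path relative to the server root)


def build_request(base_url: str, api_key: str, method: str, path: str,
                  body: Optional[Dict[str, Any]] = None) -> urllib.request.Request:
    """Return a urllib Request for one XSOAR REST call, JSON in and out."""
    url = base_url.rstrip("/") + path
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", api_key)  # ASSUMPTION: raw API key header
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def health_calls() -> List[Call]:
    """The two read-only health endpoints named in this section."""
    return [("GET", "/workers/status"), ("GET", "/health/containers")]


def plan_dashboard_cleanup(dashboards: Iterable[Dict[str, Any]],
                           active_users: Iterable[str],
                           delete: bool = False) -> List[Call]:
    """Pick dashboards whose owner is no longer an active user and return the
    unshare calls for them (or delete calls when delete=True). Each dashboard
    is a constructed {"id": ..., "owner": ...} record; map your own inventory
    of dashboards to that shape."""
    active = set(active_users)
    plan: List[Call] = []
    for dashboard in dashboards:
        if dashboard["owner"] in active:
            continue
        if delete:
            plan.append(("DELETE", f"/dashboards/{dashboard['id']}"))
        else:
            plan.append(("POST", f"/dashboards/unshare/{dashboard['id']}"))
    return plan


def execute(base_url: str, api_key: str, plan: Iterable[Call],
            send: Optional[Callable[[urllib.request.Request], int]] = None
            ) -> List[Tuple[str, str, int]]:
    """Send each planned call and collect (method, path, HTTP status).
    `send` is injectable so a plan can be reviewed or tested offline; the
    default sender uses urllib with TLS verification left enabled."""
    if send is None:
        def send(req: urllib.request.Request) -> int:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status
    results: List[Tuple[str, str, int]] = []
    for method, path in plan:
        status = send(build_request(base_url, api_key, method, path))
        results.append((method, path, status))
    return results


# Constructed sample inventory: carol has left the organization.
SAMPLE_DASHBOARDS = [
    {"id": "d-1", "owner": "alice"},
    {"id": "d-2", "owner": "carol"},
    {"id": "d-3", "owner": "bob"},
]

if __name__ == "__main__":
    # Dry run: print the calls instead of sending them.
    cleanup = plan_dashboard_cleanup(SAMPLE_DASHBOARDS, {"alice", "bob"})
    for method, path in health_calls() + cleanup:
        print(method, path)
```

Run the dry run first and review the printed plan; unsharing (the default) is reversible, so prefer it over deletion until the orphaned dashboards have been confirmed, and only then call execute with delete=True.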

Multi-Tenant*

  • Selective propagation: Synchronize content to tenants by using matching propagation labels on the content item and the tenant.
  • Dev/Prod support: You can now use the Remote Repository feature in Multi-tenant environments. This enables you to develop content on one machine, push it to the Master environment, and synchronize the content with the different tenants using propagation labels.

General Features

  • PowerShell scripting support: You can create automations and integrations using PowerShell. Cortex XSOAR supports PowerShell Core.
  • Tags field type: Added the Tags field type for incident and indicator fields, which accepts a comma-separated list as its value. Once defined, you can search for incident tags, such as severity, value, campaign name, and so on, as you would any other field.
  • Multiple file drag and drop: You can drag and drop files and images into the War Room.
  • Machine learning: You can now build a machine learning model through the UI, which enables Cortex XSOAR to analyze and predict behavior based on incident types and fields. The model uses past incidents that have already been classified to classify incoming events automatically.
  • Reorder dashboards: You can reorder the dashboard pages using drag and drop.
  • Add tags and mark as evidence/note: In the Upload files dialog box, when adding a file entry to an incident, you can mark the file as evidence or as a note, and add any tags, rather than uploading the file and then adding comments. This is useful if you use numerous tags, and it saves time by entering the information at the point of upload.
  • Permanently delete files: Users with admin privileges can permanently delete files from the War Room, for example files containing sensitive data or files uploaded in error. Permanently deleted files cannot be restored.
  • Navigation side bar: You can now pin the navigation side bar in the minimized position.
  • Batch edit indicators: In the indicators table, you can select multiple indicators and perform a batch edit. If you batch edit indicators of different indicator types, you can only edit the fields that are part of the default indicator layout.
  • Pending Tasks view: By default, the first task in the "Waiting for action" section is automatically expanded, which lets you deal with the pending task quickly and speeds up workflows, rather than having to open the first task manually.
  • Indicators section for incidents: By default, the indicators section of an incident displays 100 indicators per page. You can also select the page you want to view.
  • Server starting message: The "Server is starting" page now displays at the beginning of the startup process. In some cases, such as re-indexing, the server might take a while to start. It is important that you do not restart the service while the server is starting, to avoid killing any active processes.
  • Default values for transformer script arguments: The default values for transformers' script arguments are applied automatically when a user does not supply them.
  • Custom separators: Prior to this version, you could only separate list items with a comma. You can now use custom single-character separators, for example a semicolon, to separate list items. The custom separator can be applied globally (to all lists) or at the list level.

* = This information has been reprinted from the Cortex XSOAR release notes found in TechDocs: Cortex XSOAR 5.5 Release Notes


More Information

For more information about all of the features included in past versions of Cortex XSOAR, including new features, addressed issues, breaking changes, and minor releases, please see the release notes page here:

Cortex XSOAR Release Information

For all Cortex XSOAR documentation on our TechDocs website, including the release notes, Admin Guides, Multi-Tenant Guide, Threat Intel Management guide and more, please see:

TechDocs - Cortex XSOAR


Thanks for taking the time to read my blog.

If you enjoyed this, please hit the Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity Blog.

As always, we welcome all comments and feedback in the comments section below.

Stay Secure,
Joe Delio
End of line

Comments
Bithead

Do you know where one can find info about audit logs on the activities of the users inside XSOAR?
