Cortex XSOAR 6.8 —It’s a Wizard of a Release!

What are wizards good for in the world of cybersecurity? Unfortunately, not for magically unlocking ransomware, but our new Cortex Marketplace Deployment Wizard can speed you through an entire use case configuration process. Having a new use case set up and running in your SOC in a matter of minutes?  That’s sorcery indeed.

Use Case Deployment Wizard

We will be introducing the Deployment Wizard to guide you through the configuration process for our brand new Malware and Investigation and Response pack.

Use case configuration wizard

Use case configuration wizard

Suspiciously Malicious?

Determining if alerts from your endpoint security tools for unknown activity is malicious often involves coordinating between multiple security tools. It’s a cross-referencing nightmare with multiple consoles open simultaneously and valuable time spent performing repetitive manual tasks.

Our new Malware Investigation and Response pack helps you determine if unknown software is behaving maliciously. Speed up investigation and save time in making critical decisions by unifying the processes across your SIEMs and endpoint tools into a single workflow and performing repetitive steps before bringing your analysts in.  

This pack automates many steps of the investigation process. It performs queries to  identify if there is evidence of malicious activity (lateral movement, persistence, evasion), analyzes sandbox detonation results, retrieves forensic data, and provides response action short-cuts (with playbooks running behind the scenes) to isolate endpoints, delete or terminate processes, or update your allow/deny lists. 

More details are coming soon! And you can check out the pack and wizard in our Cortex Marketplace

Be a Subscriber

You can now subscribe to content packs in the Cortex Marketplace and be notified via email or Slack when a pack is updated.

Subscribe for content pack update notifications

Subscribe for content pack update notifications

With XSOAR 6.8, we’ve added features to lower the mean time to production (MTTP) for automation use cases, which in turn can help you streamline your processes and lower your response time. Here are a few more features in this release:

Take Control of Your Errors A feature requested by our customers, playbook error handling, allows you to visually identify where a task errored out during a playbook run. When you see this error displayed on playbook run, you can choose to stop the playbook or continue to the next task.

Playbook showing error paths

Playbook showing error paths

For example, a task to quarantine an endpoint might fail if it is unable to connect to said endpoint. When you are building the playbook, you can configure the error path in advance, so in the event of this error, the playbook can perform a different operation, such as notifying IT of the problem. 

Error path operations that can be performed include sending an email to IT or a SOC lead, creating a service ticket in your ITSM, notifying via PagerDuty, or updating a field on the incident so it shows up on your SOC dashboard. With this feature, you can create generic error playbooks to take specific actions for tasks you know are prone to error, or for vendor integrations to products that may not be reliable. 

Is this a Good Time to Call (your API)?

You can now track API rate limiting for your product integrations in XSOAR. This helps you better understand the API call performance and results for tools you use frequently in the SOC. You can track and monitor how an integration is consuming resources, utilizing quotas, or failing during API calls.

Dashboards to monitor API rate usage

Dashboards to monitor API rate usage

This allows you to schedule and fine-tune your API usage, know when you are exceeding your rate limit, or plan ahead so as to not be caught off guard. And more importantly, you could throttle back to lower costs if you discover you are under-utilizing your API rate limit quotas. 

Additional features in this release include HTTPS support for your Git content repository, more granular control over content entities to be pushed or excluded from production, role-based access control (RBAC) for API key creations, integration fetch history for easier troubleshooting, and more. You can get more details on these features in our Cortex XSOAR Release Notes

We hope that these features will help you take better advantage of all the automation use cases available to you in the Marketplace, to automate as many tasks as possible, and free your security analysts to focus on what really matters. 

If you are interested in test driving Cortex XSOAR, do download our free Community Edition