XSOAR 8 On-Premises Now Available!

Apr 15, 2024
5 minutes

We are pleased to announce the support for on-premises deployments for XSOAR 8. New customers of Cortex XSOAR 8 who require an on-premises deployment for policy or regulatory reasons can now take advantage of the latest features of Cortex XSOAR.

Cortex XSOAR on-premises is provided as a virtual appliance on your data centers that brings the advanced new platform and features of Cortex XSOAR 8 to customers who cannot use Cortex XSOAR 8 SaaS due to internal policies or external regulations. There is feature parity between our SaaS-based XSOAR 8 and XSOAR 8 for on-premises - with the exception of SaaS-specific functionality such as auto-scaling and built-in HA - bringing the SaaS experience to on-premises deployments with much easier deployment and upgrade flows and all third-party deployment and settings included within the virtual appliance.

Fig 1: Cortex XSOAR 8 On-Premises Architecture
Fig 1: Cortex XSOAR 8 On-Premises Architecture


NOTE: XSOAR 8 for on-premises deployments is for new customers. We will continue to support our valued on-premises customers and provide a migration path to on-premises XSOAR 8.

Notable highlights in XSOAR 8.6 include:

  • Better access management - these enhancements help you strengthen your security posture and better manage user and system access.
    • Multiple-role API key support - API keys can now be created with multiple roles and have aggregated permissions of the associated roles. This feature helps mitigate risks associated with key proliferation, reduces the potential for unauthorized access, and facilitates easier revocation as needed.
Fig 2: Multi-role API key support
Fig 2: Multi-role API key support


    • New endpoint for managing API keys - Cortex XSOAR now has an API endpoint for GET, CREATE, UPDATE, and DELETE for API keys. You can also delete API keys in bulk. This makes automating onboarding new child tenants or retrieving information on all existing API keys easier.
    • Enhanced RBAC for dashboards - You can now restrict access to specific dashboards for designated users via role assignment. This customized access control gives users a more focused view for efficient investigation and response. Controlling the selection of dashboards available to the user will reduce user confusion and help mitigate the impact on system performance.
Fig 3: Role-based access for dashboards
Fig 3: Role-based access for dashboards


    • New authentication controls - new authentication controls for additional security include:
      • Passwordless authentication - You now have the option to require non-password credentials for SSO authentication. If selected, this option requires users to choose intrinsically safer authentication factors, such as biometric authentication, to access Cortex XSOAR.
      • Force authentication - You now have the option to require users to reauthenticate to access the Cortex XSOAR tenant, even if they have already authenticated to access other applications.
  • Enhanced user experience - continuing on our theme of providing the optimum user experience in XSOAR 8, we are adding the following features:
    • Customizable favicon - Users often work on several Cortex XSOAR tenants within the same browser. To avoid confusion and to save time, you can now change the color of the favicon for each tenant. This allows you to identify which tenant is being used in each tab.
    • Add integration logs for non-python scripts and integrations - Integration logs now support non-Python scripts and integrations, enhancing troubleshooting capabilities for non-python content and implementation issues.


  • XSOAR Content Packs and Integrations (Mar 2024 to May 2024)
    • Cortex XDR - IOC integration - This update modifies the integration to populate a link to the corresponding indicator object in Cortex XSOAR.
    • Palo Alto Networks Cortex XDR - Investigation and Response - The integration update allows you to define close reasons for incidents mirrored between Cortex XSOAR and Cortex XDR.
    • Palo Alto Networks - PAN-OS integration - This integration update adds commands to list, create, modify, and delete security profile groups.
    • AIOps integration - This new integration provides updated commands interfacing with the AIOps API endpoints.
    • Azure Resource Graph integration - With this new integration, users can interface with the Azure Resource Graph API to query and enrich Azure resources from within Cortex XSOAR.
    • Alibaba Cloud Elastic Compute Service integration - Users can manage compute resources within Cortex XSOAR with this new integration.
    • CrowdStrike Falcon - Added support to pull mobile device detections and incidents directly from CrowdStrike into XSOAR for further investigation and response.
    • Malicious pod response playbooks - New playbooks designed to tackle malicious pod activity, featuring a master playbook and a sub-playbook for both agent and agentless environments. The playbooks automate the creation of a Lambda function, handle container registry and image verification, and integrate threat intelligence and image scanning.
    • QR code phishing investigation playbook - Attackers have increased usage of QR codes to camouflage malicious emails. This new functionality to automatically analyze embedded QR codes will enhance the investigation of phishing incidents and address this common attack vector.
    • Prisma Cloud Compute - Introducing a new playbook for compliance incidents, enhancing incident data with integration commands for comprehensive analyst review. Users get advanced features like resource-specific data retrieval, email compliance reports, and seamless ticket creation in relevant systems.
    • Slack V3 integration - The Slack integration has been updated to include the ability to mirror files uploaded in XSOAR incidents directly into corresponding Slack channels. This improves information sharing and collaboration between XSOAR analysts and incident responders.
    • XDR Large Upload playbook - This new playbook for Cortex XDR investigates incidents involving large uploads across protocols like SMTP, FTP, and HTTPS. It includes procedures such as searching for past false positives, enriching and investigating host and IP addresses, analyzing related indicators, blocking malicious indicators, and isolating endpoints.

Please see the Cortex XSOAR 8.6 release notes for a complete list of new features.

Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.