Cortex XSOAR Hosted Service supports BoltDB and Elasticsearch. The hosted environment consists of two servers - production and development. The development server allows you to develop and test components (such as playbooks, automation scripts, screen layouts) before they are deployed to production.
Note
Elasticsearch is available for customers with a TIM license. Elasticsearch is provided as six-node clusters: three master/coordinating nodes and three data nodes. The same cluster configuration is provided for development and production environments. Elasticsearch deployments are limited to one app server.
The Cortex XSOAR hosted service production environment supports:
| | BoltDB (base scale) | BoltDB (higher scale) | Elasticsearch |
|---|---|---|---|
| Incidents per day | 5,000. Rate limit of 100 incidents ingested per minute. | 10,000. Rate limit of 100 incidents ingested per minute. | 10,000. Rate limit of 100 incidents ingested per minute. |
| Total indicators stored | 3,000,000 | 3,000,000 | 100,000,000 |
| Partition data per month | 20 GB | | |
| Data retention | 1 TB. For the average customer, 1 TB provides one year of data retention. | | |
| Custom rules | Up to 100 custom rules limiting inbound traffic to the web interface/API interface to specific CIDRs. Of the 100 CIDRs, up to 80 can be dedicated for restricting access to the API interface. | | |
The Cortex XSOAR hosted service development environment supports:
| | BoltDB (base scale) | BoltDB (higher scale) | Elasticsearch |
|---|---|---|---|
| Incidents per day | 1,000. Rate limit of 100 incidents ingested per minute. | 2,000. Rate limit of 100 incidents ingested per minute. | 5,000. Rate limit of 100 incidents ingested per minute. |
| Total indicators stored | 500,000 | 500,000 | 10,000,000 |
| Partition data per month | 10 GB | | |
| Data retention | 1 year | | |
| Custom rules | Up to 100 custom rules limiting inbound traffic to the web interface/API interface to specific CIDRs. Of the 100 CIDRs, up to 80 can be dedicated for restricting access to the API interface. | | |
Note
The development server has different technical specifications and should not be used for a production environment or stress testing.
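A pre-flight check of a planned allowlist against the custom-rule limits in the tables above, as an added example (not Palo Alto Networks code and not an XSOAR API). It assumes that web and API rules share the 100-rule budget and that each CIDR counts as one rule; `plan_allowlist` and the sample ranges are constructed for illustration.

```python
import ipaddress

MAX_RULES = 100      # total custom rules per environment (service limits table)
MAX_API_RULES = 80   # at most this many of them may restrict the API interface

def plan_allowlist(web_cidrs, api_cidrs):
    """Validate and collapse CIDRs, then check the result against the limits.

    Returns (plan, problems): plan maps "web"/"api" to the minimal CIDR list,
    problems lists every entry or limit that needs attention before submission.
    """
    plan, problems = {}, []
    for name, cidrs in (("web", web_cidrs), ("api", api_cidrs)):
        nets = []
        for text in cidrs:
            try:
                # strict=True rejects host bits (10.1.2.3/24), a common typo
                # that silently allows a wider range than the author meant.
                net = ipaddress.ip_network(text.strip(), strict=True)
            except ValueError as exc:
                problems.append(f"{name}: {text!r} rejected ({exc})")
                continue
            if net.prefixlen == 0:
                problems.append(f"{name}: {text} allows every address")
                continue
            nets.append(net)
        merged = []
        for version in (4, 6):  # collapse_addresses needs a single IP version
            merged += ipaddress.collapse_addresses(
                n for n in nets if n.version == version)
        plan[name] = [str(n) for n in merged]
    if len(plan["api"]) > MAX_API_RULES:
        problems.append(f"api: {len(plan['api'])} rules exceeds {MAX_API_RULES}")
    total = len(plan["web"]) + len(plan["api"])
    if total > MAX_RULES:
        problems.append(f"total: {total} rules exceeds {MAX_RULES}")
    return plan, problems

if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    web = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.16/28", "198.51.100.0/24"]
    api = ["192.0.2.10/32", "192.0.2.11/32", "10.1.2.3/24", "0.0.0.0/0"]
    plan, problems = plan_allowlist(web, api)
    print(plan)
    for p in problems:
        print("CHECK:", p)
```

Collapsing adjacent and nested ranges before counting keeps redundant entries from consuming the rule budget.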
You can view the percentage used for incoming incidents, stored indicators, and partition data on the System Diagnostics page (see Fix System Diagnostics Issues). If the percentage used reaches 75% for incoming incidents, stored indicators, or partition data, an email alert is sent to all site administrators and a warning message is displayed on the System Diagnostics page. In addition to the stated service limits above, any other alerts that appear on the Cortex XSOAR version 6.5 or later System Diagnostics page must also be addressed. Repeated alerts for big incidents, enrichment data, too many containers, etc. that cannot be resolved may result in a degradation of service. For more information, see