Telemetry - Administrator Guide - 6.11 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.11
Creation date
2022-12-12
Last date published
2024-03-28
Category
Administrator Guide
Abstract

Cortex XSOAR uses telemetry to collect specific usage data. The data is analyzed and used to improve Cortex XSOAR. Disable or enable telemetry.

Cortex XSOAR uses telemetry to collect specific usage data. This data is analyzed and used to improve Cortex XSOAR, and to identify common usage to help drive the product roadmap.

By default, telemetry is enabled. It is recommended that you do not disable telemetry.

To disable telemetry, go to SettingsAboutTroubleshootingTelemetry.

Data Usage Collection

Cortex XSOAR Component

Data Collected

Playbooks

All custom playbooks, excluding encrypted playbook inputs and script arguments. The number of times each playbook was run.

Automations

All custom automation scripts in the system, excluding passwords and arguments defined as "secret".

Layouts

All custom layouts and the incident fields being used.

Classifiers

All custom mapping and classification configurations.

Integrations

Metadata for all custom integrations. The integration script is not collected.

Integration instances

Metadata for all integration instances, such as the instance name, brand, and category. Private information, such as credentials, is not collected.

Command Usage

The number of times each command is run.

Most-used commands

The command names of the most-used commands, per incident type.

Custom Fields

All custom fields, including incident fields, indicator fields, and evidence fields.

Incident Types

All custom incident types and corresponding data, such as associated playbook.

Incidents

Metadata for all incidents, including the number of incidents per incident type, the amount of time each incident stage took to resolve.

Incident Metadata

The number of incidents for each incident type, the average time of each stage.

Incident Actions

Incident creation, incident updates, whether the incident owner suggestion assignment was used, file linkage, metadata of files uploaded to the War Room.

Incident Cluster Usage

Modifications to the similarity filter, changes to the time frame.

Custom Indicators

All custom indicator types and corresponding data, such as type and related incidents.

Indicator Verdicts

All indicator types, including name, regex, reputation command, and reputation script.

Playbooks

The number of times each playbook is run, playbook updates, playbook deletions.

Jobs

Created jobs, updated jobs.

Widgets

All custom widgets.

Dashboard

All custom dashboards.

Reports

Metadata for all scheduled reports, including name, schedule time, tags, and paper information.

Pre-Process Rules

All pre-processing rules.

Exclusion List

A summary of exclusion list rules, and exclusion count per indicator type.

Users

All user metadata. Sensitive user data is hashed, for example, user name, email address, and phone number.

Roles

All roles.

Licenses

License information.

Canvas

The total number of canvases and the number of nodes and connections for each canvas.

Version

Cortex XSOAR version and content version.

Pages

The pages of Cortex XSOAR that are accessed.

User Actions

User updates, logins, updated credentials, login method, color theme.

Settings

Update/delete: incident types, verdict (indicator types), Cortex XSOAR lists.

Help Search

When the search is accessed, the search query.

Evidence

Create/update/delete evidence.

Layouts

Create/update/delete layouts.

Marketplace

Installed and removed packs, marketplace searches.

Runtime Data Usage Collection

This data is collected every 5 minutes.

Cortex XSOAR Component

Data Collected

New Incident

Incident source, incident type, playbook name, and playbook ID.

Playbook Run

Incident source, incident type, playbook name, playbook ID, and is sub-playbook (whether it is a sub-playbook).

Command Run

Incident source, incident type, command, integration brand, trigger method (manual/automatic).

Incident Close

Incident source, incident type, open duration, and timer fields and values.

Manual Task Start

Task type, incident type, playbook name, playbook ID, and task name.

Manual Task Completion

Task type, incident type, playbook name, playbook ID, and task name.

To-Do Task

The total number of To-Do tasks. Whether the DBot suggestion was selected.

Machine Learning Data Collection

The machine learning data collection only applies to email incidents.

Feature

Description

Attachments

Statistics regarding the counts and extensions of email attachments.

Characters

The number of times different characters appear in the email.

Headers

Authentication results - verification of the sender address using different headers.

HTML

The number of times different HTML tags appear in the email.

Lexical

Statistics regarding the length of the email and number of words it contains.

ML word embedding

Averaged embedding vector of the email.

Ngram

Appearance of terms associated with spam or malicious emails.

URL

Statistics regarding the amount, lengths, and popularity of URLs that appear in the email.