View service limit errors and warnings in the Guard Rails page

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-10-31
Category: Administrator Guide
Solution: On-prem
Abstract

Use the Cortex XSOAR Guard Rails page to see details about service limit errors or warnings.

The Cortex XSOAR Guard Rails page provides a list of usage limitation errors and warnings that occur during incident ingestion, investigation, and response. It helps to keep your environment stable and prevent actions that can cause major performance degradation or instability.

Cortex XSOAR has service rate limits for the number of incidents and indicators that can be ingested and stored. The Guard Rails page indicates when incident or indicator size exceeds predefined service limits and may affect performance.

Cortex XSOAR supports one or more tenants per customer: one for production, and one or more for development. The development tenant allows you to develop and test components (such as playbooks, automation scripts, and screen layouts) before they are deployed to production.

Indicator volume support differs between customers who own a TIM license and those who do not own a TIM license.

Production tenant service limits

| Feature | Without a TIM license | With a TIM license |
|---|---|---|
| Incidents per day | 10,000 (rate limit of 100 incidents ingested per minute) | 10,000 (rate limit of 100 incidents ingested per minute) |
| Total indicators stored | 3,000,000 | 100,000,000 |

Development tenant service limits

| Feature | Without a TIM license | With a TIM license |
|---|---|---|
| Incidents per day | 2000 (rate limit of 100 incidents ingested per minute) | 5000 (rate limit of 100 incidents ingested per minute) |
| Total indicators stored | 500,000 | 10,000,000 |

The development tenant has different technical specifications and should not be used for a production environment or stress testing.

Note

For multi-tenant deployments, the same service limits apply to each child tenant.
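
A pre-flight check against the incident limits in the tables above, as an added example that is not part of the Cortex XSOAR documentation or product: it replays a list of alert timestamps and reports the minutes and days that would exceed the documented limits. The function names, the constructed sample feed, and the counting windows (fixed calendar minutes and calendar days, in UTC) are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Incidents-per-day limits from the tables above: (tenant, has TIM license).
DAILY_LIMIT = {
    ("production", False): 10_000, ("production", True): 10_000,
    ("development", False): 2_000, ("development", True): 5_000,
}
PER_MINUTE_LIMIT = 100  # same ingestion rate limit in every table cell


def check_ingestion(timestamps, tenant="production", has_tim=False):
    """Report minutes and days in which a replayed feed exceeds the limits.

    Assumption (not stated in the documentation): incidents are counted in
    fixed calendar-minute and calendar-day buckets, in UTC.
    """
    utc = [t.astimezone(timezone.utc) for t in timestamps]
    per_minute = Counter(t.replace(second=0, microsecond=0) for t in utc)
    per_day = Counter(t.date() for t in utc)
    findings = []
    for minute, n in sorted(per_minute.items()):
        if n > PER_MINUTE_LIMIT:
            findings.append(("minute", minute.isoformat(), n, PER_MINUTE_LIMIT))
    daily = DAILY_LIMIT[(tenant, has_tim)]
    for day, n in sorted(per_day.items()):
        if n > daily:
            findings.append(("day", day.isoformat(), n, daily))
    return findings


def constructed_feed():
    """Constructed sample: 2 alerts/minute for 24 hours plus a 150-alert burst."""
    start = datetime(2024, 10, 31, tzinfo=timezone.utc)
    steady = [start + timedelta(seconds=30 * i) for i in range(2 * 60 * 24)]
    burst_at = start + timedelta(hours=9, minutes=15)
    burst = [burst_at + timedelta(milliseconds=300 * i) for i in range(150)]
    return steady + burst


if __name__ == "__main__":
    feed = constructed_feed()
    for tenant in ("production", "development"):
        for finding in check_ingestion(feed, tenant=tenant):
            print(tenant, *finding)
```

The same feed stays under the production daily limit but exceeds the development limit without a TIM license, which shows why a feed sized for production should be sampled before it is pointed at a development tenant.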

Cortex XSOAR Guard Rails page

The Cortex XSOAR Guard Rails page displays a table with a list of service limit errors and warnings and their details.

An error occurs when a service limit is exceeded. For example, an error can be generated for exceeding the size limit of an attachment or for exceeding the number of entries per incident.

A warning occurs when approaching the service limit. For example, a warning can be generated when the number of entries per incident is approaching the service limit or the number of linked incidents is approaching the service limit.

The service limits are defined out-of-the-box. Contact Cortex XSOAR support if you need to change the values for your service limits.

Access the Guard Rails page from Cortex XSOAR Settings & Info > Settings > System.

The table shows the following information:

  • ID: (hidden by default) The log number.

  • Timestamp: The date and time the error or warning occurred.

  • Type: The object type the error or warning occurred on, for example incident or indicator.

  • Subtype: The object subtype (N/A if it doesn't exist), for example entries or attachments.

  • Severity: Whether the item is an error or a warning.

  • Object ID: The ID of the restricted object.

  • Count: The number of times a specific item occurred in the last calendar day.

  • Description: A short description of the error or warning.

Note

Identical messages generated within the same day are not duplicated in the table. Only the Count is updated, and the Timestamp shows the date and time the error or warning first occurred. A count greater than one indicates that an identical error or warning occurred more than once within the same day.