The Cortex XSOAR license type determines which components users can use and how many users can access the tenant.
Cortex XSOAR requires a yearly license per user. Multi-year licenses are available.
License Usage
This table describes the types of Cortex XSOAR licenses which are used in the following circumstances:
Version | Usage | License |
|---|---|---|
Cortex XSOAR (Enterprise) Edition | Built for customers who need a complete security automation solution. | Includes the SOAR Enterprise and TIM Enterprise licenses. |
Cortex XSOAR Threat Intel Management Edition | Built for Threat Intelligence and security Operations teams who need threat intelligence-based automation. | Includes the TIM Enterprise license only. |
Cortex XSOAR Starter Edition | Built for Security Operations and Incident Response customers who need case management with collaboration and playbook-driven automation. | Includes the SOAR Enterprise license only. |
License Quota
The following table describes the license quotas of each version in Cortex XSOAR.
XSOAR TIM (TIM only) | XSOAR Starter Edition (SOAR only) | XSOAR (SOAR + TIM) | |
|---|---|---|---|
Integrations | Unlimited | Unlimited | Unlimited |
Incident Management | 30-day history | 180-day history* | 180-day history* |
Incident Triggered Automations | 166 daily | Unlimited | Unlimited |
Job Triggered Automations | Unlimited | Unlimited | Unlimited |
Intel Feeds | Unlimited | 5 active feeds, 100 indicators/fetch | Unlimited |
Threat Intel Library | Unlimited | Intelligence detail view and relationship data are not included | Unlimited |
Unit 42 Intelligence | Unlimited UI access, 5k/day API points | Not included | Unlimited UI access, 5k/day API points |
Note
*You can extend incident retention by purchasing an add-on. For more information, see Data Retention Policy.
Intel feed quotas are based on the selected Fetches Indicators field in the integration instance settings, not the enabled status. Disabling an integration instance does not affect the Intel feed quota. For example, if the AWS Feed is enabled and is fetching indicators and you don't want to include this in your quota, open the integration settings and clear the Fetches Indicators checkbox.
Multi-Tenant Licenses
XSOAR TIM, XSOAR Starter Edition, and XSOAR are all available for multi-tenant deployments, with a multi-tenant license. Cortex XSOAR multi-tenant deployments are designed for MSSPs (managed security service providers) and enterprises that require strict data segregation, but also need the flexibility to share and manage critical security practices across tenant accounts.
Note
Multi-tenant licenses include one child tenant, by default.
Cortex XSOAR Users
For license purposes Cortex XSOAR includes the following users:
Audit users
Audit users have read-only permission so they do not have the ability to edit system components and data or run commands, scripts, and playbooks. Audit users can view incidents, dashboards, and reports. This should be used for example, by SOC managers who do not need to investigate incidents, change data, etc.
Full users
Full users have full read-write permission in Cortex XSOAR, so that they have the ability to view and edit system components and data. They can investigate incidents, run scripts and playbooks, chat in the War Room, etc.
For more information about roles, see Users and Roles Management.
Note
For users to be counted in your license, they need to be assigned to the Cortex XSOAR tenant either through the Cortex Gateway/Cortex XSOAR tenant, or in the Cortex XSOAR tenant using SSO.
Users who have been assigned to the Cortex XSOAR tenant need to either be granted access to the tenant or be assigned a role or a user group role in the Cortex Gateway or tenant.