Telemetry

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-25
Category: Administrator Guide
Solution: Cloud
Abstract

Cortex XSOAR uses telemetry to collect specific usage data. The data is analyzed and used to improve Cortex XSOAR.

Cortex XSOAR uses telemetry to collect specific usage data. This data is analyzed and used to improve Cortex XSOAR, and to identify common usage to help drive the product roadmap.

Data Usage Collection

Cortex XSOAR component / Data collected:

Playbooks: All custom playbooks, excluding encrypted playbook inputs and script arguments; the number of times each playbook is run; playbook updates and deletions.

Scripts: All custom scripts in the system, excluding passwords and arguments defined as "secret".

Layouts: All custom layouts and the incident fields they use.

Classifiers: All custom mapping and classification configurations.

Integrations: Metadata for all custom integrations. The integration script itself is not collected.

Integration instances: Metadata for all integration instances, such as the instance name, brand, and category. Private information, such as credentials, is not collected.

Command Usage: The number of times each command is run.

Most-used commands: The names of the most-used commands, per incident type.

Custom Fields: All custom fields, including incident fields, indicator fields, and evidence fields.

Incident Types: All custom incident types and their corresponding data, such as the associated playbook.

Incidents: Metadata for all incidents, including the number of incidents per incident type and the time each incident stage took to resolve.

Incident Metadata: The number of incidents for each incident type and the average duration of each stage.

Incident Actions: Incident creation, incident updates, whether the suggested incident owner assignment was used, file linkage, and metadata of files uploaded to the War Room.

Incident Cluster Usage: Modifications to the similarity filter and changes to the time frame.

Custom Indicators: All custom indicator types and their corresponding data, such as type and related incidents.

Indicator Verdicts: All indicator types, including name, regex, reputation command, and reputation script.

Jobs: Created jobs and updated jobs.

Widgets: All custom widgets.

Dashboard: All custom dashboards.

Reports: Metadata for all scheduled reports, including name, schedule time, tags, and paper information.

Pre-Process Rules: All pre-processing rules.

Exclusion List: A summary of exclusion list rules, and the exclusion count per indicator type.

Users: All user metadata. Sensitive user data, such as user name, email address, and phone number, is hashed.

Roles: All roles.

Licenses: License information.

Version: Cortex XSOAR version and content version.

Pages: The pages of Cortex XSOAR that are accessed.

User Actions: User updates, logins, updated credentials, login method, and color theme.

Settings: Updates and deletions of incident types, verdicts (indicator types), and Cortex XSOAR lists.

Help Search: When the help search is accessed, and the search query.

Evidence: Creation, update, and deletion of evidence.

Layouts: Creation, update, and deletion of layouts.

Marketplace: Installed and removed packs, and marketplace searches.

Runtime Data Usage Collection

This data is collected every 5 minutes.

Cortex XSOAR component / Data collected:

New Incident: Incident source, incident type, playbook name, and playbook ID.

Playbook Run: Incident source, incident type, playbook name, playbook ID, and whether it is a sub-playbook.

Command Run: Incident source, incident type, command, integration brand, and trigger method (manual/automatic).

Incident Close: Incident source, incident type, open duration, and timer fields and values.

Manual Task Start: Task type, incident type, playbook name, playbook ID, and task name.

Manual Task Completion: Task type, incident type, playbook name, playbook ID, and task name.

To-Do Task: The total number of To-Do tasks, and whether the DBot suggestion was selected.