Cortex XSOAR uses telemetry to collect specific usage data. The data is analyzed and used to improve Cortex XSOAR.
Cortex XSOAR uses telemetry to collect specific usage data. This data is analyzed and used to improve Cortex XSOAR, and to identify common usage to help drive the product roadmap.
Data Usage Collection
Cortex XSOAR Component | Data Collected |
---|---|
Playbooks | All custom playbooks, excluding encrypted playbook inputs and script arguments. The number of times each playbook is run, playbook updates, playbook deletions. |
Scripts | All custom scripts in the system, excluding passwords and arguments defined as "secret". |
Layouts | All custom layouts and the incident fields being used. |
Classifiers | All custom mapping and classification configurations. |
Integrations | Metadata for all custom integrations. The integration script is not collected. |
Integration instances | Metadata for all integration instances, such as the instance name, brand, and category. Private information, such as credentials, is not collected. |
Command Usage | The number of times each command is run. |
Most-used commands | The command names of the most-used commands, per incident type. |
Custom Fields | All custom fields, including incident fields, indicator fields, and evidence fields. |
Incident Types | All custom incident types and corresponding data, such as associated playbook. |
Incidents | Metadata for all incidents, including the number of incidents per incident type, the amount of time each incident stage took to resolve. |
Incident Metadata | The number of incidents for each incident type, the average time of each stage. |
Incident Actions | Incident creation, incident updates, whether the incident owner suggestion assignment was used, file linkage, metadata of files uploaded to the War Room. |
Incident Cluster Usage | Modifications to the similarity filter, changes to the time frame. |
Custom Indicators | All custom indicator types and corresponding data, such as type and related incidents. |
Indicator Verdicts | All indicator types, including name, regex, reputation command, and reputation script. |
Jobs | Created jobs, updated jobs. |
Widgets | All custom widgets. |
Dashboard | All custom dashboards. |
Reports | Metadata for all scheduled reports, including name, schedule time, tags, and paper information. |
Pre-Process Rules | All pre-processing rules. |
Exclusion List | A summary of exclusion list rules, and exclusion count per indicator type. |
Users | All user metadata. Sensitive user data is hashed, for example, user name, email address, and phone number. |
Roles | All roles. |
Licenses | License information. |
Version | Cortex XSOAR version and content version. |
Pages | The pages of Cortex XSOAR that are accessed. |
User Actions | User updates, logins, updated credentials, login method, color theme. |
Settings | Update/delete: incident types, verdict (indicator types), Cortex XSOAR lists. |
Help Search | When the search is accessed, the search query. |
Evidence | Create/update/delete evidence. |
Layouts | Create/update/delete layouts. |
Marketplace | Installed and removed packs, marketplace searches. |
Runtime Data Usage Collection
This data is collected every 5 minutes.
Cortex XSOAR Component | Data Collected |
---|---|
New Incident | Incident source, incident type, playbook name, and playbook ID. |
Playbook Run | Incident source, incident type, playbook name, playbook ID, and is sub-playbook (whether it is a sub-playbook). |
Command Run | Incident source, incident type, command, integration brand, trigger method (manual/automatic). |
Incident Close | Incident source, incident type, open duration, and timer fields and values. |
Manual Task Start | Task type, incident type, playbook name, playbook ID, and task name. |
Manual Task Completion | Task type, incident type, playbook name, playbook ID, and task name. |
To-Do Task | The total number of To-Do tasks. Whether the DBot suggestion was selected. |