Cortex XSOAR service limits - Describes the service limits for Cortex XSOAR cloud. - Administrator Guide - 8 - Cortex XSOAR - Cortex

Cortex XSOAR service limits - Describes the service limits for Cortex XSOAR cloud. - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product

Cortex XSOAR

Version

Creation date

2024-03-07

Last date published

2025-05-22

Category

Administrator Guide

Solution

Cloud

Abstract

Describes the service limits for Cortex XSOAR cloud.

Cortex XSOAR supports one or more tenants per customer: one for production, and one or more for development. The development tenant allows you to develop and test components (such as playbooks, automation scripts, and screen layouts) before they are deployed to production.

Indicator volume support differs between customers who own a TIM license and those who do not own a TIM license.

Cortex XSOAR production environment supports:

Feature	Without a TIM license	With a TIM license
Incidents per day	24,000 Note Up to 1000 an hour. If the number of incidents exceeds the limit, they will be placed in a queue, not dropped. These figures depend on the playbook design. If designed to run for hours and have many loops, the rate of ingestion may be significantly lower.	24,000 Note Up to 1000 an hour. If the number of incidents exceeds the limit, they will be placed in a queue, not dropped. These figures depend on the playbook design. If designed to run for hours and have many loops, the rate of ingestion may be significantly lower.
Total indicators stored	3,000,000	100,000,000
Incidents retention	6 months by default. For more information, see Retention FAQs.

Cortex XSOAR development environment supports:

Feature	Without a TIM license	With a TIM license
Incidents per day	2000 Note Up to 1000 an hour. If the number of incidents exceeds the limit, they will be placed in a queue, not dropped. These figures depend on the playbook design. If designed to run for hours and have many loops, the rate of ingestion may be significantly lower.	5000 Note Up to 1000 an hour. If the number of incidents exceeds the limit, they will be placed in a queue, not dropped. These figures depend on the playbook design. If designed to run for hours and have many loops, the rate of ingestion may be significantly lower.
Total indicators stored	500,000	10,000,000
Incidents retention	6 months by default. For more information, see Retention FAQs.

The development tenant has different technical specifications and should not be used for a production environment or stress testing.

Note

You need to comply with any Guard Rail Alerts. For more information, see View service limit errors and warnings on the Guard Rails page.
If you exceed the maximum number of incidents stored and ingested per day, you may experience slowness (if there are too many incidents being processed) and playbook executions and automations may be queued until there are sufficient resources available.
For multi-tenant deployments, the same service limits apply to each child tenant.
If you require a higher ingestion rate, contact Customer Support.