Understand Cortex XSOAR licenses - Threat Intel Management Guide - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2025-01-15
Category
Administrator Guide
Solution
Cloud
Abstract

The Cortex XSOAR license is downloaded from Cortex Gateway and determines which components users can use and how many users can access the tenant.

Cortex XSOAR requires a yearly license per user. Multi-year licenses are available.

License usage

This table describes the types of Cortex XSOAR licenses which are used in the following circumstances:

Version

Usage

License

Cortex XSOAR (Enterprise) Edition

Built for customers who need a complete security automation solution.

Includes the SOAR Enterprise and TIM Enterprise licenses.

Cortex XSOAR Threat Intel Management Edition

Built for Threat Intelligence and Security Operations teams who need threat intelligence-based automation.

Includes the TIM Enterprise license only.

Cortex XSOAR Starter Edition

Built for Security Operations and Incident Response customers who need case management with collaboration and playbook-driven automation.

Includes the SOAR Enterprise license only.

Multi-Tenant

Cortex XSOAR Enterprise, Threat Intel Management, and the Starter editions are all available for multi-tenant deployments, with a multi-tenant license. Cortex XSOAR multi-tenant deployments are designed for MSSPs (managed security service providers) and enterprises that require strict data segregation but also need the flexibility to share and manage critical security practices across tenant accounts.

If you have a multi-tenant license (for example PAN-DEMISTO-MSSP), you are entitled to a main and child tenant. If you require additional child tenants you need additional licenses.

Development/Production tenants

In Cortex XSOAR you can use a content management system with a remote repository to develop and test content. If want a development tenant, you will require a development tenant license.

License quota

The following table describes the license quotas of each version in Cortex XSOAR.

XSOAR TIM (TIM only)

XSOAR Starter Edition (SOAR only)

XSOAR (SOAR + TIM)

Integrations

Unlimited

Unlimited

Unlimited

Incident Management

30-day history

180-day history*

180-day history*

Incident Triggered Automations

166 daily

Unlimited

Unlimited

Job Triggered Automations

Unlimited

Unlimited

Unlimited

Intel Feeds

Unlimited

5 active feeds, 100 indicators/fetch

Unlimited

Threat Intel Library

Unlimited

Intelligence detail view and relationship data are not included

Unlimited

Unit 42 Intelligence

Unlimited UI access, 5k/day API points

Not included

Unlimited UI access, 5k/day API points

Note

*You can extend incident retention by purchasing an add-on. For more information, see Data retention policy.

Intel feed quotas are based on the selected Fetches Indicators field in the integration instance settings, not the enabled status. Disabling an integration instance does not affect the Intel feed quota. For example, if the AWS Feed is enabled and is fetching indicators and you don't want to include this in your quota, open the integration settings and clear the Fetches Indicators checkbox.

Cortex XSOAR users

Cortex XSOAR has the following users:

Audit user

Audit users have read-only permission in Cortex XSOAR, meaning they cannot edit system components and data or run commands, scripts, and playbooks. Audit users can view incidents, dashboards, and reports.

Full user

Full users have read-write permission in Cortex XSOAR, meaning they can view and edit system components and data. They can investigate incidents, run scripts and playbooks, chat in the War Room, and more. Full users’ access to Cortex XSOAR is determined by their assigned role.