End-of-Life (EoL)
Cortex XSOAR Telemetry
Cortex XSOAR uses telemetry to collect
specific usage data. This data is analyzed and used to improve Cortex
XSOAR, and to identify common usage to help drive the product roadmap.
By default, telemetry is enabled. It is recommended
that you do not disable telemetry.
To disable telemetry, go to Settings > About > Troubleshooting > Telemetry.
Data Usage Collection
Cortex XSOAR Component | Data Collected |
---|---|
Playbooks | All custom playbooks, excluding encrypted playbook inputs and script arguments. The number of times each playbook was run. |
Automations | All custom automation scripts in the system, excluding passwords and arguments defined as "secret". |
Layouts | All custom layouts and the incident fields being used. |
Classifiers | All custom mapping and classification configurations. |
Integrations | Metadata for all custom integrations. The integration script is not collected. |
Integration instances | Metadata for all integration instances, such as the instance name, brand, and category. Private information, such as credentials, is not collected. |
Command Usage | The number of times each command is run. |
Most-used commands | The command names of the most-used commands, per incident type. |
Custom Fields | All custom fields, including incident fields, indicator fields, and evidence fields. |
Incident Types | All custom incident types and corresponding data, such as associated playbook. |
Incidents | Metadata for all incidents, including the number of incidents per incident type, the amount of time each incident stage took to resolve. |
Incident Metadata | The number of incidents for each incident type, the average time of each stage. |
Incident Actions | Incident creation, incident updates, whether the incident owner suggestion assignment was used, file linkage, files uploaded to the War Room. |
Incident Cluster Usage | Modifications to the similarity filter, changes to the time frame. |
Custom Indicators | All custom indicator types and corresponding data, such as type and related incidents. |
Indicator Reputations | All indicator types, including name, regex, reputation command, and reputation script. |
Playbooks | The number of times each playbook is run, playbook updates, playbook deletions. |
Jobs | Created jobs, updated jobs. |
Widgets | All custom widgets. |
Dashboard | All custom dashboards. |
Reports | Metadata for all scheduled reports, including name, schedule time, tags, and paper information. |
Pre-Process Rules | All pre-processing rules. |
Exclusion List | A summary of exclusion list rules, and exclusion count per indicator type. |
Users | All user metadata. Sensitive user data is hashed, for example, user name, email address, and phone number. |
Roles | All roles. |
Licenses | License information. |
Canvas | The total number of canvases and the number of nodes and connections for each canvas. |
Version | Cortex XSOAR version and content version. |
Pages | The pages of Cortex XSOAR that are accessed. |
User Actions | User updates, logins, updated credentials, login method, color theme. |
Settings | Update/delete: incident types, reputation (indicator types), Cortex XSOAR lists |
Help Search | When the search is accessed, the search query. |
Evidence | Create/update/delete evidence. |
Layouts | Create/update/delete layouts. |
Runtime Data Usage Collection
This data is collected every 5 minutes.
Cortex XSOAR Component | Data Collected |
---|---|
New Incident | Incident source, incident type, playbook name, and playbook ID. |
Playbook Run | Incident source, incident type, playbook name, playbook ID, and is sub-playbook (whether it is a sub-playbook). |
Command Run | Incident source, incident type, command, integration brand, trigger method (manual/automatic). |
Incident Close | Incident source, incident type, open duration, and timer fields and values. |
Manual Task Start | Task type, incident type, playbook name, playbook ID, and task name. |
Manual Task Completion | Task type, incident type, playbook name, playbook ID, and task name. |
To-Do Task | The total number of To-Do tasks. Whether the DBot suggestion was selected. |