End-of-Life (EoL)

Cortex XSOAR Telemetry

Cortex XSOAR uses telemetry to collect specific usage data. This data is analyzed and used to improve Cortex XSOAR, and to identify common usage to help drive the product roadmap.
By default, telemetry is enabled. It is recommended that you do not disable telemetry.
To disable telemetry, go to

Data Usage Collection

Cortex XSOAR Component
Data Collected
All custom playbooks, excluding encrypted playbook inputs and script arguments. The number of times each playbook was run.
All custom automation scripts in the system, excluding passwords and arguments defined as "secret".
All custom layouts and the incident fields being used.
All custom mapping and classification configurations.
Metadata for all custom integrations. The integration script is not collected.
Integration instances
Metadata for all integration instances, such as the instance name, brand, and category. Private information, such as credentials, is not collected.
Command Usage
The number of times each command is run.
Most-used commands
The command names of the most-used commands, per incident type.
Custom Fields
All custom fields, including incident fields, indicator fields, and evidence fields.
Incident Types
All custom incident types and corresponding data, such as associated playbook.
Metadata for all incidents, including the number of incidents per incident type, the amount of time each incident stage took to resolve.
Incident Metadata
The number of incidents for each incident type, the average time of each stage.
Incident Actions
Incident creation, incident updates, whether the incident owner suggestion assignment was used, file linkage, files uploaded to the War Room.
Incident Cluster Usage
Modifications to the similarity filter, changes to the time frame.
Custom Indicators
All custom indicator types and corresponding data, such as type and related incidents.
Indicator Reputations
All indicator types, including name, regex, reputation command, and reputation script.
The number of times each playbook is run, playbook updates, playbook deletions.
Created jobs, updated jobs.
All custom widgets.
All custom dashboards.
Metadata for all scheduled reports, including name, schedule time, tags, and paper information.
Pre-Process Rules
All pre-processing rules.
Exclusion List
A summary of exclusion list rules, and exclusion count per indicator type.
All user metadata. Sensitive user data is hashed, for example, user name, email address, and phone number.
All roles.
License information.
The total number of canvases and the number of nodes and connections for each canvas.
Cortex XSOAR version and content version.
The pages of Cortex XSOAR that are accessed.
User Actions
User updates, logins, updated credentials, login method, color theme.
Update/delete: incident types, reputation (indicator types), Cortex XSOAR lists
Help Search
When the search is accessed, the search query.
Create/update/delete evidence.
Create/update/delete layouts.

Runtime Data Usage Collection

This data is collected every 5 minutes.
Cortex XSOAR Component
Data Collected
New Incident
Incident source, incident type, playbook name, and playbook ID.
Playbook Run
Incident source, incident type, playbook name, playbook ID, and is sub-playbook (whether it is a sub-playbook.
Command Run
Incident source, incident type, command, integration brand, trigger method (manual/automatic).
Incident Close
Incident source, incident type, open duration, and timer fields and values.
Manual Task Start
Task type, incident type, playbook name, playbook ID, and task name.
Manual Task Completion
Task type, incident type, playbook name, playbook ID, and task name.
To-Do Task
The total number of To-Do tasks. Whether the DBot suggested was selected.

Recommended For You