Cortex XSOAR Telemetry

troubleshooting
Cortex XSOAR uses telemetry to collect specific usage data. This data is analyzed and used to improve Cortex XSOAR, and to identify common usage to help drive the product roadmap.
By default, telemetry is enabled. It is recommended that you do not disable telemetry.
To disable telemetry, go to
Settings
About
Troubleshooting
Telemetry
.

Data Usage Collection

Cortex XSOAR Component
Data Collected
Playbooks
All custom playbooks, excluding encrypted playbook inputs and script arguments. The number of times each playbook was run.
Automations
All custom automation scripts in the system, excluding passwords and arguments defined as "secret".
Layouts
All custom layouts and the incident fields being used.
Classifiers
All custom mapping and classification configurations.
Integrations
Metadata for all custom integrations. The integration script is not collected.
Integration instances
Metadata for all integration instances, such as the instance name, brand, and category. Private information, such as credentials, is not collected.
Command Usage
The number of times each command is run.
Most-used commands
The command names of the most-used commands, per incident type.
Custom Fields
All custom fields, including incident fields, indicator fields, and evidence fields.
Incident Types
All custom incident types and corresponding data, such as associated playbook.
Incidents
Metadata for all incidents, including the number of incidents per incident type, the amount of time each incident stage took to resolve.
Incident Metadata
The number of incidents for each incident type, the average time of each stage.
Incident Actions
Incident creation, incident updates, whether the incident owner suggestion assignment was used, file linkage, files uploaded to the War Room.
Incident Cluster Usage
Modifications to the similarity filter, changes to the time frame.
Custom Indicators
All custom indicator types and corresponding data, such as type and related incidents.
Indicator Reputations
All indicator types, including name, regex, reputation command, and reputation script.
Playbooks
The number of times each playbook is run, playbook updates, playbook deletions.
Jobs
Created jobs, updated jobs.
Widgets
All custom widgets.
Dashboard
All custom dashboards.
Reports
Metadata for all scheduled reports, including name, schedule time, tags, and paper information.
Pre-Process Rules
All pre-processing rules.
Exclusion List
A summary of exclusion list rules, and exclusion count per indicator type.
Users
All user metadata. Sensitive user data is hashed, for example, user name, email address, and phone number.
Roles
All roles.
Licenses
License information.
Canvas
The total number of canvases and the number of nodes and connections for each canvas.
Version
Cortex XSOAR version and content version.
Pages
The pages of Cortex XSOAR that are accessed.
User Actions
User updates, logins, updated credentials, login method, color theme.
Settings
Update/delete: incident types, reputation (indicator types), Cortex XSOAR lists
Help Search
When the search is accessed, the search query.
Evidence
Create/update/delete evidence.
Layouts
Create/update/delete layouts.

Runtime Data Usage Collection

This data is collected every 5 minutes.
Cortex XSOAR Component
Data Collected
New Incident
Incident source, incident type, playbook name, and playbook ID.
Playbook Run
Incident source, incident type, playbook name, playbook ID, and is sub-playbook (whether it is a sub-playbook.
Command Run
Incident source, incident type, command, integration brand, trigger method (manual/automatic).
Incident Close
Incident source, incident type, open duration, and timer fields and values.
Manual Task Start
Task type, incident type, playbook name, playbook ID, and task name.
Manual Task Completion
Task type, incident type, playbook name, playbook ID, and task name.
To-Do Task
The total number of To-Do tasks. Whether the DBot suggested was selected.

Recommended For You