Service Limits - Hosted Service Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Hosted Service Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-05
Last date published: 2023-07-17
End of Life: EoL
Category: Hosted Service Guide

Cortex XSOAR Hosted Service supports BoltDB and Elasticsearch. The hosted environment consists of two servers: production and development. The development server allows you to develop and test components (such as playbooks, automation scripts, and screen layouts) before they are deployed to production.

Note: Elasticsearch is available for customers with a TIM license. Elasticsearch provides six-node clusters, with three master/coordinating nodes and three data nodes. The same cluster configuration is provided for development and production environments. Elasticsearch deployments are limited to one app server.

The Cortex XSOAR hosted service production environment supports:

| Limit | BoltDB (base scale) | BoltDB (higher scale) | Elasticsearch |
|---|---|---|---|
| Incidents per day | 5,000 (rate limit of 100 incidents ingested per minute) | 10,000 (rate limit of 100 incidents ingested per minute) | 10,000 (rate limit of 100 incidents ingested per minute) |
| Total indicators stored | 3,000,000 | 3,000,000 | 100,000,000 |

Partition data per month: 20 GB

Data retention: 1 TB. For the average customer, 1 TB provides one year of data retention.

Custom rules: Up to 100 custom rules limiting inbound traffic to the web interface/API interface to specific CIDRs. Of the 100 CIDRs, up to 80 can be dedicated for restricting access to the API interface.

The Cortex XSOAR hosted service development environment supports:

| Limit | BoltDB (base scale) | BoltDB (higher scale) | Elasticsearch |
|---|---|---|---|
| Incidents per day | 1,000 (rate limit of 100 incidents ingested per minute) | 2,000 (rate limit of 100 incidents ingested per minute) | 5,000 (rate limit of 100 incidents ingested per minute) |
| Total indicators stored | 500,000 | 500,000 | 10,000,000 |

Partition data per month: 10 GB

Data retention: 1 year

Custom rules: Up to 100 custom rules limiting inbound traffic to the web interface/API interface to specific CIDRs. Of the 100 CIDRs, up to 80 can be dedicated for restricting access to the API interface.

Note: The development server has different technical specifications and should not be used for a production environment or stress testing.

You can view the percentage used for incoming incidents, stored indicators, and partition data on the System Diagnostics page. If the percentage used reaches 75% for incoming incidents, stored indicators, or partition data, an email alert is sent to all site administrators and a warning message is displayed on the System Diagnostics page. In addition to the service limits stated above, any other alerts that appear on the Cortex XSOAR version 6.5 or later System Diagnostics page must also be addressed. Repeated alerts (for big incidents, enrichment data, too many containers, etc.) that cannot be resolved may result in a degradation of service.