Service Limits

Hosted Service limits for incidents, indicators, storage, data retention, and CIDR rules
Cortex XSOAR Hosted Service supports BoltDB and Elasticsearch. The hosted environment consists of two servers: production and development. The development server allows you to develop and test components (such as playbooks, automation scripts, and screen layouts) before they are deployed to production.
Elasticsearch is available for customers with a TIM license. Elasticsearch provides six-node clusters: three master/coordinating nodes and three data nodes. The same cluster configuration is provided for development and production environments. Elasticsearch deployments are limited to one app server.
The Cortex XSOAR hosted service production environment supports:

| Limit | BoltDB (base scale) | BoltDB (higher scale) | Elasticsearch |
|---|---|---|---|
| Incidents per day | 5,000 (rate limit of 100 incidents ingested per minute) | 10,000 (rate limit of 100 incidents ingested per minute) | 10,000 (rate limit of 100 incidents ingested per minute) |
| Total indicators stored | 3,000,000 | 3,000,000 | 100,000,000 |

Partition data per month: 20 GB
Data retention: 1 TB. For the average customer, 1 TB provides one year of data retention.
Custom rules: Up to 100 custom rules limiting inbound traffic to the web interface/API interface to specific CIDRs. Of the 100 CIDRs, up to 80 can be dedicated for restricting access to the API interface.

The Cortex XSOAR hosted service development environment supports:

| Limit | BoltDB (base scale) | BoltDB (higher scale) | Elasticsearch |
|---|---|---|---|
| Incidents per day | 1,000 (rate limit of 100 incidents ingested per minute) | 2,000 (rate limit of 100 incidents ingested per minute) | 5,000 (rate limit of 100 incidents ingested per minute) |
| Total indicators stored | 500,000 | 500,000 | 10,000,000 |

Partition data per month: 10 GB
Data retention: 1 year
Custom rules: Up to 100 custom rules limiting inbound traffic to the web interface/API interface to specific CIDRs. Of the 100 CIDRs, up to 80 can be dedicated for restricting access to the API interface.

The development server has different technical specifications and should not be used for a production environment or stress testing.
You can view the percentage used for incoming incidents, stored indicators, and partition data on the System Diagnostics page. If the percentage used reaches 75% for incoming incidents, stored indicators, or partition data, an email alert is sent to all site administrators and a warning message is displayed on the System Diagnostics page. In addition to the service limits stated above, any other alerts that appear on the System Diagnostics page in Cortex XSOAR version 6.5 or later must also be addressed. Repeated alerts for big incidents, enrichment data, too many containers, etc. that cannot be resolved may result in a degradation of service.
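
A planning check for the custom rules limit on this page (100 rules in total, at most 80 of them for the API interface), added here as an example and not part of the Cortex XSOAR documentation or product. It merges redundant CIDRs before counting; the `(interface, cidr)` input format, the `plan_rules` name, and the assumption that each distinct interface/CIDR pair consumes one rule are hypothetical.

```python
import ipaddress

MAX_RULES = 100      # total custom rules, per the limits on this page
MAX_API_RULES = 80   # of those, rules restricting the API interface

def plan_rules(planned):
    """Check (interface, cidr) pairs against the custom-rule limits.

    Assumption: each distinct (interface, CIDR) pair consumes one rule.
    Returns (collapsed, problems): minimal networks per interface and
    a list of human-readable findings.
    """
    nets = {"web": [], "api": []}
    problems = []
    for interface, cidr in planned:
        if interface not in nets:
            problems.append(f"{cidr}: unknown interface {interface!r}")
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 192.0.2.10/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: invalid CIDR ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{cidr}: matches every address, restricts nothing")
            continue
        nets[interface].append(net)
    collapsed = {}
    for interface, items in nets.items():
        merged = []
        for version in (4, 6):  # collapse_addresses cannot mix IP versions
            same = [n for n in items if n.version == version]
            merged.extend(ipaddress.collapse_addresses(same))
        collapsed[interface] = merged
    api = len(collapsed["api"])
    total = api + len(collapsed["web"])
    if api > MAX_API_RULES:
        problems.append(f"{api} API rules exceed the limit of {MAX_API_RULES}")
    if total > MAX_RULES:
        problems.append(f"{total} rules exceed the limit of {MAX_RULES}")
    return collapsed, problems

# Constructed sample input (RFC 5737 documentation ranges).
SAMPLE = [
    ("api", "198.51.100.0/25"), ("api", "198.51.100.128/25"),  # adjacent halves
    ("api", "203.0.113.0/24"), ("api", "203.0.113.16/28"),     # subnet of previous
    ("web", "192.0.2.10/24"),                                  # host bits set
    ("web", "0.0.0.0/0"),                                      # allows everything
]
```

Calling `plan_rules(SAMPLE)` reduces the four API entries to two rules and reports the two web entries as problems instead of counting them.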
