XSOAR 8 Cloud Content Performance Analysis

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
No ratings

By Randy Uhrlaub, Customer Success Architect

 

Table Of Content

 

 

Review Data

 

XSOAR has several areas in the console that provide insight into performance of the configuration and content. Review these and the associated dashboards to identify areas to investigate performance.  Are there excessive integration commands or is there a playbook or automation used extensively consuming significant resources?

 

Settings and Info

 

Guardrails

 

In XSOAR 8.8 Cloud and On-Premise, the Guard Rails page at Settings & Info > Settings > Guardrails provides a list of thresholds and warnings that occur during incident ingestion, investigation, and response. It helps to keep your environment stable and prevent actions that can cause major performance degradation or instability. The list of service limit errors and warnings is regularly updated to support ongoing changes in your environment.

 

System Diagnostics

 

With XSOAR 8.8 On-Premise, Settings & Info > Settings > System Diagnostics provides insight into resource consumption on a per-node basis.

 

 

unnamed.jpg

Figure 01:  On-Premise System Diagnostics_PaloAltoNetworks

 

Integrations

 

  • Are integration instance queries optimized to fetch only needed alerts for incidents and are the sampling frequency reasonable?

  • Are threat feed instances configured to return only required indicators and are the sampling frequency reasonable?

 

Dashboards

 

Cost Optimization Instances

  • Top Executed Commands

 

Troubleshooting Instances

  • Average runtime per Instance by Command (top 5)

  • Average runtime per Instance (top 5)

 

Incidents

 

The main drivers of performance are:

  • Large work plans (> 3 MB) which scales based on the number of tasks and size of task inputs and outputs

  • Large context > 1 MB

  • Adding entries/artifacts to the war room - scales with the number of tasks and quiet mode setting for each task

  • Indicator extraction and enrichment - scales with N indicators times M threat feed instances supporting the common enrichment commands (ip, domain, …) and feed instance configured to be used by default

 

Best practices:

  • Use latest playbook and script versions

  • Break up large playbooks into sub-playbooks

  • Remove unused playbook tasks

  • Set the playbook to run in quiet mode

  • Only extract indicators when needed

  • Minimize disk usage, CPU usage, and API calls

 

The following automation is used to investigate incident size:

  • IncidentSizeX8 (for XSOAR 8 )

 

 

unnamed.jpg

Figure 02:  Incident Size_PaloAltoNetworks

 

To look at big work plan objects at the task level, the following command is used: 

  • !getInvPlaybookMetaData incidentId="<incident ID>" minSize="<min size to return>"

 

unnamed.jpg

Figure 03:  PlaybookMetaData_PaloAltoNetworks

 

SLAs can be defined to specify time requirements for workflows such as “time to remediation” and alert when an SLA is breached. Dashboards can be used to monitor SLAs and improvement over time.

 

Dashboards

 

Cost Optimization Playbooks

  • Average runtime per Playbook (top 5)

  • Average runtime by  Incident Type per Playbook  (top 5)

 

XSOAR Value Metrics 

  • Average Incident Duration

  • Average SLA

 

CISO Metrics

  • Average Duration by Incident Type

 

Automation Performance Analysis

 

Automations are profiled using the Simple Debugger content pack to identify hot spots for potential optimization.  Use the profilequiet, and nolog inputs during performance analysis to minimize debugger overhead. 

 

Dashboards are used to assist identification of automations for analysis.  Playbook performance analysis may also identify automations for further investigation.

 

 

unnamed.jpg

Figure 04:  Simple Debugger_PaloAltoNetworks

 

Dashboards

 

Troubleshooting Instances

 

  • Average runtime per Automation(top 5)

 

Playbook Performance Analysis

 

The Content Testing content pack contains a playbook analyzer tool that computes minimum, average, and maximum task durations in a specific playbook or sub-playbooks invoked in incidents covering a specified time window.  Hot spot tasks are clearly identified.

 

Baselining task durations in critical playbooks or sub-playbooks prior to optimization efforts allows assessing the performance impact of changes. 

 

 

unnamed.jpg

Figure 05:  Playbook Performance Analysis_PaloAltoNetworks


Resources

 

Best Practices

Guardrails

Indicator Extraction:

 

Content Packs

 

Common Dashboards

Community Common Dashboards

Content Testing

Simple Debugger

 

Automations

 

  • IncidentSizeX8 (custom)

  • getInvPlaybookMetaData (standard)

 
 
Rate this article: