By Randy Uhrlaub, Customer Success Architect
XSOAR has several areas in the console that provide insight into the performance of the configuration and content. Review these, together with the associated dashboards, to identify where performance should be investigated. Are there excessive integration commands, or is there a playbook or automation that is used extensively and consumes significant resources?
In XSOAR 8.8 Cloud and On-Premise, the Guard Rails page at Settings & Info > Settings > Guardrails provides a list of thresholds and warnings that occur during incident ingestion, investigation, and response. It helps to keep your environment stable and prevent actions that can cause major performance degradation or instability. The list of service limit errors and warnings is regularly updated to support ongoing changes in your environment.
With XSOAR 8.8 On-Premise, Settings & Info > Settings > System Diagnostics provides insight into resource consumption on a per-node basis.
Figure 01: On-Premise System Diagnostics
Are integration instance queries optimized to fetch only the alerts needed for incidents, and is the sampling frequency reasonable?
Are threat feed instances configured to return only the required indicators, and is the sampling frequency reasonable?
Cost Optimization Instances
- Top Executed Commands
Troubleshooting Instances
- Average runtime per Instance by Command (top 5)
- Average runtime per Instance (top 5)
The main drivers of performance are:
- Large work plans (> 3 MB); size scales with the number of tasks and the size of task inputs and outputs
- Large context (> 1 MB)
- Adding entries/artifacts to the war room; scales with the number of tasks and the quiet mode setting of each task
- Indicator extraction and enrichment; scales with N indicators times M threat feed instances that support the common enrichment commands (ip, domain, …) and are configured to be used by default
Best practices:
- Use the latest playbook and script versions
- Break up large playbooks into sub-playbooks
- Remove unused playbook tasks
- Set the playbook to run in quiet mode
- Only extract indicators when needed
- Minimize disk usage, CPU usage, and API calls
The following automation is used to investigate incident size:
IncidentSizeX8 (for XSOAR 8)
Figure 02: Incident Size_PaloAltoNetworks
To look at big work plan objects at the task level, the following command is used:
!getInvPlaybookMetaData incidentId="<incident ID>" minSize="<min size to return>"
Figure 03: PlaybookMetaData
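As an added illustration of the size thresholds above (not the IncidentSizeX8 automation or the getInvPlaybookMetaData command, whose output formats are not shown here), the following stand-alone Python measures a serialized work plan and context against the 3 MB and 1 MB drivers and lists the tasks whose inputs and outputs exceed a minimum size, largest first. The work plan layout (tasks with id, name, inputs, outputs) and the sample data are constructed assumptions for the example.

```python
import json

# Thresholds named in the article as main performance drivers.
WORKPLAN_LIMIT = 3 * 1024 * 1024   # work plan > 3 MB
CONTEXT_LIMIT = 1 * 1024 * 1024    # context > 1 MB


def json_size(obj):
    """Bytes in the compact UTF-8 JSON serialization of obj."""
    return len(json.dumps(obj, separators=(",", ":"), ensure_ascii=False).encode("utf-8"))


def task_sizes(work_plan, min_size=0):
    """Return [(task_id, name, bytes)] for tasks whose inputs + outputs are at least
    min_size bytes, largest first. The tasks/inputs/outputs layout is an assumption."""
    rows = []
    for task in work_plan.get("tasks", []):
        size = json_size(task.get("inputs", {})) + json_size(task.get("outputs", {}))
        if size >= min_size:
            rows.append((task["id"], task.get("name", ""), size))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def incident_size_report(work_plan, context, min_size=0):
    """Compare the serialized work plan and context against the article's limits."""
    wp, ctx = json_size(work_plan), json_size(context)
    return {
        "workplan_bytes": wp,
        "workplan_over_limit": wp > WORKPLAN_LIMIT,
        "context_bytes": ctx,
        "context_over_limit": ctx > CONTEXT_LIMIT,
        "top_tasks": task_sizes(work_plan, min_size),
    }


# Constructed sample: one enrichment task keeps a 1.5 MB raw response in its outputs,
# and the same raw data was also written into context, pushing context over 1 MB.
SAMPLE_WORK_PLAN = {
    "tasks": [
        {"id": "1", "name": "Fetch alert", "inputs": {"id": "INC-1"}, "outputs": {"status": "ok"}},
        {"id": "2", "name": "Enrich IP", "inputs": {"ip": "192.0.2.1"},
         "outputs": {"raw": "x" * (1536 * 1024)}},
        {"id": "3", "name": "Close", "inputs": {}, "outputs": {}},
    ]
}
SAMPLE_CONTEXT = {"IP": [{"Address": "192.0.2.1", "Raw": "y" * (1200 * 1024)}]}

if __name__ == "__main__":
    report = incident_size_report(SAMPLE_WORK_PLAN, SAMPLE_CONTEXT, min_size=10 * 1024)
    print(json.dumps({k: v for k, v in report.items() if k != "top_tasks"}, indent=2))
    for task_id, name, size in report["top_tasks"]:
        print(f"task {task_id} ({name}): {size / 1024:.0f} KiB")
```

The same approach applies to the rendering you get from a large incident export: the task at the top of the list is the one to check for quiet mode or for trimming its stored outputs.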
SLAs can be defined to specify time requirements for workflows such as “time to remediation” and alert when an SLA is breached. Dashboards can be used to monitor SLAs and improvement over time.
Cost Optimization Playbooks
- Average runtime per Playbook (top 5)
- Average runtime by Incident Type per Playbook (top 5)
XSOAR Value Metrics
- Average Incident Duration
- Average SLA
CISO Metrics
- Average Duration by Incident Type
Automations are profiled using the Simple Debugger content pack to identify hot spots for potential optimization. Use the profile, quiet, and nolog inputs during performance analysis to minimize debugger overhead.
Dashboards help identify automations for analysis. Playbook performance analysis may also identify automations for further investigation.
Figure 04: Simple Debugger
Troubleshooting Instances
- Average runtime per Automation (top 5)
The Content Testing content pack contains a playbook analyzer tool that computes minimum, average, and maximum task durations in a specific playbook or sub-playbooks invoked in incidents covering a specified time window. Hot spot tasks are clearly identified.
Baselining task durations in critical playbooks or sub-playbooks prior to optimization efforts allows assessing the performance impact of changes.
Figure 05: Playbook Performance Analysis
Best Practices
- Guardrails
- Indicator Extraction
Content Packs
- Common Dashboards
- Community Common Dashboards
- Content Testing
- Simple Debugger
Automations
- IncidentSizeX8 (custom)
- getInvPlaybookMetaData (standard)