Rate Limits
In order to protect the Cisco XDR infrastructure, there are rate limits to API requests which apply to all API Clients within a single organization. The current limit is 8000 requests per hour. This is calculated as a rolling 60 minute window, not coordinated with clock time. This also means that other users in your organization are sharing the same pool of requests that you are using — one runaway script or integration can impact other users in your organization.
When you make a request, the X-Ratelimit-Org-Limit header will tell you the rate limit being applied. This does not change as you make requests, but is the fixed value per hour for all requests from your organization.
Example Successful Response with rate limit header:
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Date: Wed, 31 Oct 2018 14:05:30 GMT
Server: Jetty(9.4.z-SNAPSHOT)
Strict-Transport-Security: max-age=31536000; includeSubdomains
Vary: Accept-Encoding, User-Agent
X-Ctim-Version: 1.0.6
X-Iroh-Config: b9b3477528d9616ed85221f2827bf1da443e8f00
X-Iroh-Version: 70323eb3b72da558e7f056e418533402f65d335a
X-Ratelimit-Org-Limit: 8000
If you go over your rate limit, you will get a 429 Too Many Requests response code. The response will also have a Retry-After header, which tells you how many seconds you need to wait before you can make another request.
Example Rate Limited:
HTTP/1.1 429 Too Many Requests
Content-Length: 30
Content-Type: application/json
Date: Wed, 31 Oct 2018 14:05:30 GMT
Retry-After: 3557
Server: Jetty(9.4.z-SNAPSHOT)
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Ctim-Version: 1.0.6
X-Iroh-Config: b9b3477528d9616ed85221f2827bf1da443e8f00
X-Iroh-Version: 70323eb3b72da558e7f056e418533402f65d335a
Automation API Rate Limits
The Automation APIs and Automation workflows are slightly different from other Cisco XDR APIs. The Automation API limits apply to all users within a single organization. The limits may vary for certain services, but the defaults are:
- All Automation APIs (except Workflow Run): 8000 calls/hour
- Workflow Run API: 10 calls/minute (
/v1.1/workflows/startand/v1.1/ui/workflows/start) - Event-based Automation Rules (Email, Webhook, Incident, Task): 10 events/minute and 5000 events/day
- Schedule-based Automation Rules: 10000 runs/day
For the Cisco XDR help documentation on this, please review the Workflow Notes and Limits and the Automation Rules Thresholds and Limits sections.
The number of requests are tracked and this is measured based on authorized, unauthorized, and unauthenticated requests.
- Anonymous requests with no token: returns
403 Forbidden - API Requests with bad token: returns
401 Unauthorized - API Requests with expired token: returns
401 Unauthorized, but is measured against the organization limit - API requests with valid token header: measured against the organization limit
When you make a request, the headers x-ratelimit-org-limit and x-ratelimit-org-remaining will provide you with information about the rate limit that is being applied. An example of a successful response that includes the rate limit header is shown below:
HTTP/2 200
content-type: application/json
x-csco-trxid: e4737fe2
date: Fri, 17 Feb 2023 19:07:06 GMT
content-length: 503
x-envoy-upstream-service-time: 65
server: istio-envoy
x-ratelimit-org-limit: 8000
x-ratelimit-org-remaining: 6500
Handling 429 Errors
When your request hits an API rate limit, the Automation API gateway returns a 429 Too Many Requests response. The response includes a Retry-After header indicating how long your application must wait before making another request to the same endpoint. For example, the following is an example 429 response indicating that the application should wait 3172 seconds before retrying the request.
HTTP/2 429 Too Many Requests
retry-after: 3172s
content-length: 53
content-type: text/plain
x-ratelimit-org-limit: 8000
x-Ratelimit-Org-Remaining: 0