Data retention in Cortex XDR - Learn more about the default retention periods for all Cortex XDR licenses, and the available retention add-ons. - Administrator Guide - Cortex XDR - Cortex

Data retention in Cortex XDR - Learn more about the default retention periods for all Cortex XDR licenses, and the available retention add-ons. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation

Product

Cortex XDR

License

Prevent

Pro

Creation date

2024-03-06

Last date published

2025-12-16

Default retention periods

The following table summarizes the default retention periods:

Data type	Cortex XDR Prevent	Cortex XDR per Endpoint Cortex XDR Cloud per Host	Cortex XDR per GB	Notes
Ingested data	N/A	31 days	31 days
Case and Issue data	186 days (min 200 endpoints) Option to purchase additional retention	186 days	186 days	Case and Issue data are retained according to the last Update and Creation dates, respectively. Data collected within these dates is kept and displayed for 186 days. To ensure the accuracy of Cases, Cortex XDR provides a grace period of up to 31 days for Issues displayed in the Cases View, Issues table, and Casualty View.
Forensic data	N/A	365 days	–	Requires Forensics add-on
Query data	186 days Option to purchase additional retention	186 days	186 days

Retention add-ons

To extend your storage, you can purchase one or more of the following retention add-ons:

Retention add-ons	Cortex XDR Prevent	Cortex XDR per Endpoint Cortex XDR Cloud per Host	Cortex XDR per GB
Additional 31-day hot storage of Case and Issue data	–	✓ per endpoint	✓ per GB
Period-based retention - hot storage Fully searchable storage for investigation and threat hunting of ingested data, and Case and Issue data.	–	✓ Available separately for the Cortex XDR per Endpoint or Cortex XDR per Endpoint with XTH data licenses. Prices are dependent on whether XTH data has been purchased. Requires purchasing a minimum of 1 month of the additional retention.	✓
Period-based retention - cold storage Lower cost storage of ingested data for long-term compliance needs with limited search options. Requires purchasing a minimum of 6 months of the additional retention.	–	✓ Available separately for the Cortex XDR per Endpoint or Cortex XDR per Endpoint with XTH data licenses. Prices are dependent on whether XTH data has been purchased.	✓

Retention add-ons

Cortex XDR Prevent

Cortex XDR per Endpoint

Cortex XDR Cloud per Host

Cortex XDR per GB

Additional 31-day hot storage of Case and Issue data

–

✓

per endpoint

✓

per GB

Period-based retention - hot storage

Fully searchable storage for investigation and threat hunting of ingested data, and Case and Issue data.

–

✓

Available separately for the Cortex XDR per Endpoint or Cortex XDR per Endpoint with XTH data licenses. Prices are dependent on whether XTH data has been purchased. Requires purchasing a minimum of 1 month of the additional retention.

✓

Period-based retention - cold storage

Lower cost storage of ingested data for long-term compliance needs with limited search options.

Requires purchasing a minimum of 6 months of the additional retention.

–

✓

Available separately for the Cortex XDR per Endpoint or Cortex XDR per Endpoint with XTH data licenses. Prices are dependent on whether XTH data has been purchased.

✓