License retention in Cortex XDR - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Learn more about the default retention periods for all Cortex XDR licenses, and the available retention add-ons.

After purchasing your license retention add-ons, you can view details about your Cortex XDR licenses and retention add-ons by selecting SettingsCortex XDR License. For more information on your storage license details, see Dataset Management.

Default retention periods

The following table summarizes the default retention periods:

Data type

Cortex XDR Prevent

Cortex XDR Pro per Endpoint

Cortex XDR Cloud per Host

Cortex XDR Pro per GB

Notes

Ingested data

N/A

31 days

31 days

Alert and incident data

186 days (min 200 endpoints)

Option to purchase additional retention

186 days

186 days

Incident and alert data are retained according to the last Update and Creation dates, respectively. Data collected within these dates is kept and displayed for 186 days. To ensure the accuracy of incidents, Cortex XDR provides a grace period of up to 31 days for alerts displayed in the Incidents View, Alerts table, and Casualty View.

Forensic data

N/A

365 days

–­

Requires Forensics add-on

Retention add-ons

To extend your storage, you can purchase one or more of the following retention add-ons:

Retention add-ons

Cortex XDR Prevent

Cortex XDR Pro per Endpoint

Cortex XDR Cloud per Host

Cortex XDR Pro per GB

Additional 31-day hot storage of alert and incident data

–­

per endpoint

per GB

Period-based retention - hot storage

Fully searchable storage for investigation and threat hunting of ingested data, and alert and incident data.

–­

Available separately for the Pro per Endpoint or Pro per Endpoint with XTH data licenses. Prices are dependent on whether XTH data has been purchased. Requires purchasing a minimum of 1 month of the additional retention.

Period-based retention - cold storage

Lower cost storage of ingested data for long-term compliance needs with limited search options.

Requires purchasing a minimum of 6 months of the additional retention.

–­

Available separately for the Pro per Endpoint or Pro per Endpoint with XTH data licenses. Prices are dependent on whether XTH data has been purchased.