When you identify a threat, you can define specific rules for which you want Cortex XDR/Cortex XSIAM to raise alerts. Non-informational alerts are consolidated from your detection sources to enable you to efficiently and effectively triage the events you see each day on the Alerts page. By analyzing the alert, you can better understand the cause of what happened and the full story with context to validate whether an alert requires additional action. Cortex XDR/Cortex XSIAM supports saving 2M alerts per 4000 agents or 20 terabytes, half of the alerts are allocated for informational alerts and half for severity alerts.