Cortex XDR Prevent License - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide


Cortex XDR provides various license options.

The Cortex XDR Prevent license is a comprehensive endpoint protection solution that provides multi-layer protection and detection capabilities. Cortex XDR Prevent can effectively block malware, ransomware, behavior-based attacks, and exploit attacks. Additionally, this license includes device control, firewall protection, and disk encryption.


The Cortex XDR Prevent License provides you with a default retention period of 30 days for your integrated data and 180 days for your alert and incident data on a minimum of 200 endpoints. To extend your license retention, you can purchase additional retention for your alerts and incident data.

Incident and alert data are retained according to the last Update Date and Creation Date, respectively. Data collected within these dates is kept and displayed for 180 days. To ensure the accuracy of incidents, Cortex XDR provides a grace period of up to 30 days for alerts displayed in the Incidents View, Alerts table, and Causality View.

License Allocation

Cortex XDR manages and regulates agent licenses according to the available license quota and revocation policy. Each time you install a new Cortex XDR agent on an endpoint, the Cortex XDR agent registers with Cortex XDR to obtain a license. In the case of non-persistent VDI, the Cortex XDR agent registers with Cortex XDR as soon as the user logs in to the endpoint.

Cortex XDR issues licenses until you exhaust the number of license seats available. Cortex XDR also enforces a license cleanup policy to automatically return unused licenses to the pool of available licenses. The time at which a license returns to the license pool depends on the type of endpoint:

| Endpoint Type | License Return | Agent Removal from Cortex XDR Console | Agent Removal from Cortex XDR Database |
|---|---|---|---|
| Standard and Mobile Devices | After 30 days | After 180 days | After 180 days |
| (Non-Persistent) VDI and Temporary Sessions | Immediately after log-off for VDI, otherwise after 90 minutes | After 6 hours | After 7 days |

After a license is revoked, an agent that connects to Cortex XDR reconnects successfully as long as the agent has not been deleted. Otherwise, the endpoint is registered as a new endpoint.

If a deleted agent tries to connect to Cortex XDR during the 180-day period, the agent can resume its connection and keep its agent ID. After the 180-day period, the agent ID is deleted along with all associated data. To reconnect the agent, you must use Cytool to reconnect it or reinstall it on the endpoint; the agent is then assigned a new ID and starts fresh.


It can take up to an hour for Cortex XDR to display revived endpoints.

License Expiration

Cortex XDR licenses are valid for the period of time associated with the license purchase. After your Cortex XDR license expires, Cortex XDR allows access to your tenant for an additional grace period of 48 hours. After the 48-hour grace period, Cortex XDR disables access to the Cortex XDR app until you renew the license.

For the first 30 days of your expired license, Cortex XDR continues to protect your endpoints and/or network and retains data in the Data Layer according to your data retention policy and licensing. After 30 days, the tenant is decommissioned and agent prevention capabilities cease.

License Monitoring

From the Settings > Cortex XDR License dialog, you can view the license types and add-ons associated with your Cortex XDR instance. Hover over the information icon to view a list of all available licenses, including the start and expiration dates.

To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR displays license notifications when you log in. The notification identifies any changes made to your license and describes any required actions.