Cortex XDR provides various license options.
Cortex XDR Prevent license is a comprehensive endpoint protection solution providing multi-layer protection and detection capabilities. Cortex XDR Prevent can effectively block malware, ransomware, behavioral-based and exploit attacks. Additionally, this license includes device control, firewall protection, and disk encryption.
Retention
The Cortex XDR Prevent License provides you with 180 days for your alert and incident data on a minimum of 200 endpoints. To extend your license retention, you can purchase additional retention for your alerts and incident data.
Incident and alert data are retained according to the last Update Date and Creation Date, respectively. Data collected within these dates is kept and displayed for 180 days. To ensure the accuracy of incidents, Cortex XDR provides a grace period of up to 31 days for alerts displayed in the Incidents View, Alerts table, and Casualty View.
License Allocation
Cortex XDR manages and regulates agent licenses according to the available license quota and revocation policy. Each time you install a new Cortex XDR agent on an endpoint, the Cortex XDR agent registers with Cortex XDR to obtain a license. In the case of non-persistent VDI, the Cortex XDR agent registers with Cortex XDR as soon as the user logs in to the endpoint.
Cortex XDR issues licenses until you exhaust the number of license seats available. Cortex XDR also enforces a license cleanup policy to automatically return unused licenses to the pool of available licenses. The time at which a license returns to the license pool depends on the type of endpoint:
Endpoint Type | License Return | Agent Removal from Cortex XDR Console | Agent Removal from Cortex XDR Database |
---|---|---|---|
Standard and Mobile Devices | After 30 days | After 180 days | After 180 days |
(Non-Persistent) VDI and Temporary Sessions | Immediately after log-off for VDI, otherwise after 90 minutes | After 6 hours | After 7 days |
After a license is revoked, if the agent connects to Cortex XDR, reconnection of a specific endpoint will succeed as long as the agent has not been deleted, otherwise, the endpoint is registered as a new endpoint.
If a deleted agent tries to connect to Cortex XDR during the 180 days period, the agent can resume connection and maintain its agent ID. After the 180 days period, the agent ID is deleted alongside all the associated data. In order to reconnect the agent, you must use Cytool to reconnect it or reinstall it on the endpoint, and the agent will be assigned a new ID and a fresh start.
Note
It can take up to an hour for Cortex XDR to display revived endpoints.
License Expiration
Cortex XDR licenses are valid for the period of time associated with the license purchase. After your Cortex XDR license expires, Cortex XDR allows access to your tenant for an additional grace period of 48 hours. After the 48-hour grace period, Cortex XDR disables access to the Cortex XDR app until you renew the license.
For the first 31 days of your expired license, Cortex XDR continues to protect your endpoints and/or network and retains data in the Data Layer according to your data retention policy and licensing. After 31 days, the tenant is decommissioned and agent prevention capabilities cease.
License Monitoring
From the Settings+Cortex XDR License Dialog, you can view the license types and add-ons associated with your Cortex XDR instance. Hover over the information icon to view a list of all available licenses including the start and expiration dates.
To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR displays license notifications when you log in. The notification identifies any changes made to your license and describes any required actions.