License Retention - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Learn more about the default retention periods provided for all Cortex XDR Pro licenses and retention add-ons available.

All of the Cortex XDR Pro licenses provide you with the following default retention periods:

Cortex XDR Pro per Endpoint and Cortex XDR Cloud per Host

  • 31-day Ingested Data

  • 180-day Alert and Incident Data

  • 365-day Forensic Data (requires Forensics add-on)

Cortex XDR Pro per GB

  • 31-day Ingested Data

  • 180-day Alert and Incident Data

Incident and alert data are retained according to the last Update and Creation dates, respectively. Data collected within these dates is kept and displayed for 180 days. To ensure the accuracy of incidents, Cortex XDR provides a grace period of up to 31 days for alerts displayed in the Incidents View, Alerts table, and Casualty View.

For XQL Search capabilities, Cortex XDR enforces retention on all log-type datasets excluding Host Inventory, Vulnerability Assessment, Metrics, and Users.

Depending on your requirements and license add-ons, you can purchase one or more of the following retention add-ons on top of your license to extend your storage. You can view your retention storage duration in the Dataset Management page.


Cortex XDR Cloud per Host offers the same retention add-ons as Cortex XDR Pro per Endpoint.

Data Storage Lifecycle