Learn more about the default retention periods provided with all Cortex XDR Pro licenses and the available retention add-ons.
All of the Cortex XDR Pro licenses provide you with the following default retention periods:
Cortex XDR Pro per Endpoint and Cortex XDR Cloud per Host:
- 31-day Ingested Data
- 186-day Alert and Incident Data
- 365-day Forensic Data (requires Forensics add-on)
Cortex XDR Pro per GB:
- 31-day Ingested Data
- 186-day Alert and Incident Data
Incident and alert data are retained according to the last Update and Creation dates, respectively. Data collected within these dates is kept and displayed for 186 days. To ensure the accuracy of incidents, Cortex XDR provides a grace period of up to 31 days for alerts displayed in the Incidents View, Alerts table, and Causality View.
For XQL Search capabilities, Cortex XDR enforces retention on all log-type datasets excluding Host Inventory, Vulnerability Assessment, Metrics, and Users.
Depending on your requirements and license add-ons, you can purchase one or more of the following retention add-ons on top of your license to extend your storage. You can view your retention storage duration on the Dataset Management page.
Note: Cortex XDR Cloud per Host offers the same retention add-ons as Cortex XDR Pro per Endpoint.