Dataset Management - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn more about managing your datasets and understanding your overall data storage, period based retention.

The Dataset Management page enables you to manage your datasets and understand your overall data storage duration for different retention periods and datasets based on your hot and cold storage licenses, and retention add-ons that extend your storage. You can view details about your Cortex XSIAM licenses and retention add-ons by selecting SettingsCortex XSIAM License. For more information on license retention and the defaults provided per license, see License Retention.


Cortex XSIAM enforces retention on all log-type datasets excluding Host Inventory, Vulnerability Assessment, Metrics, and Users.

Your current hot and cold storage licenses, including the default license retention and any additonal retention add-ons to extend storage, are listed within the Hot Storage License and Cold Storage License sections of the Dataset Management page. Whenever you extend your license retention, depending on your requirements and license add-ons for both hot storage and cold storage, the add-ons are listed.

You can expand your license retention to include flexible Hot Storage based retention to help accommodate varying storage requirements for different retention periods and datasets. This add-on license is available to purchase based on your storage requirements for a minimum of 1,000 GB. If this license is purchased, an Additional Storage subheading in the Hot Storage License section is displayed on the Dataset Management page with a bar indicating how much of the storage is used.


Only datasets that are already handled as part of the GB license are supported for this license. In addition, the retention configuration is only available in Cortex XSIAM, as opposed to the public APIs or configuration from the parent MSSP tenant.

On any dataset configured to use Additional Hot Storage, you can edit the retention period. This enables you to view the current retention details for hot and cold storage and configure the retention. This includes setting the amount of flexible hot storage-based retention designated for a dataset and the priority for the dataset's hot storage. This is used when the storage limit is exceeded to know the data most critical to preserve.

For each dataset listed in the table, the following information is available: