License Allocation - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn more about how Cortex XSIAM regulates agent licenses.

Cortex XSIAM regulates agent licenses according to the available license quota and revocation policy.

Enforcement of Licenses

Each Cortex XSIAM license provides 3 Cortex XDR Pro per Endpoint agents and an additional 2 Cortex XDR Cloud agents for the Enterprise Plus. You can add additional agents to supplement the ones they get as part of the Cortex XSIAM base bundle. As the Cortex XSIAM-based bundle comes with integrated Host Insights and Extended Threat Hunting Data (XTH) capabilities, any additional Cortex XDR Pro per Endpoint or XDR Cloud agents must also include the Host Insights and XTH add-on.

If an endpoint requires a Pro per Endpoint license, and you’ve exceeded the number of available Pro per Endpoint licenses, one of your surplus Cloud per Host licenses is automatically consumed as a Pro per Endpoint license for the endpoint.

Pro per Endpoint licenses can be allocated for Cloud virtual machines up to Pro per Endpoint license capacity. Cortex XSIAM auto-identifies if a host is running a container orchestrator and assigns the Cloud per Host license accordingly. To protect a Kubernetes or similar container orchestrator endpoint, Cortex XSIAM requires a Cortex Cloud per Host license.

After utilizing all available Pro per Endpoint and Cloud per Host licenses, Cortex XDR falls back to a Cortex XDR Prevent policy that protects the endpoint but does not include Pro-specific capabilities. When you exceed the permitted number of Pro and Cloud agents, Cortex XSIAM displays a notification in the notification area. Cortex XSIAM permits a small grace over the permitted number but begins enforcing the number of agents after 14 days. If additional Pro agents are required, increase your Cortex XDR Pro per Endpoint license capacity.

Endpoint License Revocation

Cortex XSIAM manages licensing for all endpoints in your organization. Each time you install a new Cortex XDR agent on an endpoint, the Cortex XDR agent registers with Cortex XSIAM to obtain a license. In the case of non-persistent VDI, the Cortex XDR agent registers with Cortex XSIAM as soon as the user logs in to the endpoint.

Cortex XSIAM issues licenses until you exhaust the number of license seats available. Cortex XSIAM also enforces a license cleanup policy to automatically return unused licenses to the pool of available licenses. The time at which a license returns to the license pool depends on the type of endpoint:

Endpoint Type

License Return

Agent Removal from Cortex XSIAM Console

Agent Removal from Cortex XSIAM Database

Standard and mobile devices

After 30 days

After 180 days

After 180 days

(Non-Persistent) VDI and Temporary Session

Immediately after log-off for VDI, otherwise after 90 minutes

After 6 hours

After 7 days

After a license is revoked, if the agent connects to Cortex XSIAM, reconnection of a specific endpoint will succeed as long as the agent has not been deleted, otherwise, the endpoint is registered as a new endpoint.

If a deleted agent tries to connect to Cortex XSIAM during the 180 days period, the agent can resume connection and maintain its agent ID. After the 180 days period, the agent ID is deleted alongside all the associated data. In order to reconnect the agent, you must use Cytool to reconnect it or reinstall it on the endpoint, and the agent will be assigned a new ID and a fresh start.


It can take up to an hour for Cortex XSIAM to display revived endpoints.