Learn more about how Cortex XSIAM regulates agent licenses.
Cortex XSIAM regulates agent licenses according to the available license quota and revocation policy.
Enforcement of Licenses
Each Cortex XSIAM license provides one Cortex XDR Pro per Endpoint agent and an additional Cortex XDR Cloud agent for Enterprise Plus. You can add agents to supplement the ones you get as part of the Cortex XSIAM base bundle. Because the Cortex XSIAM base bundle comes with integrated Host Insights and Extended Threat Hunting Data (XTH) capabilities, any additional Cortex XDR Pro per Endpoint or XDR Cloud agents must also include the Host Insights and XTH add-on.
If an endpoint requires a Pro per Endpoint license, and you’ve exceeded the number of available Pro per Endpoint licenses, one of your surplus Cloud per Host licenses is automatically consumed as a Pro per Endpoint license for the endpoint.
Pro per Endpoint licenses can be allocated for Cloud virtual machines up to Pro per Endpoint license capacity. Cortex XSIAM auto-identifies if a host is running a container orchestrator and assigns the Cloud per Host license accordingly. To protect a Kubernetes or similar container orchestrator endpoint, Cortex XSIAM requires a Cortex Cloud per Host license.
After all available Pro per Endpoint and Cloud per Host licenses are in use, Cortex XDR falls back to a Cortex XDR Prevent policy that protects the endpoint but does not include Pro-specific capabilities. When you exceed the permitted number of Pro and Cloud agents, Cortex XSIAM displays a notification in the notification area. Cortex XSIAM permits a small grace margin over the permitted number but begins enforcing the number of agents after 14 days. If additional Pro agents are required, increase your Cortex XDR Pro per Endpoint license capacity.
Endpoint License Revocation
Cortex XSIAM manages licensing for all endpoints in your organization. Each time you install a new Cortex XDR agent on an endpoint, the Cortex XDR agent registers with Cortex XSIAM to obtain a license. In the case of non-persistent VDI, the Cortex XDR agent registers with Cortex XSIAM as soon as the user logs in to the endpoint.
Cortex XSIAM issues licenses until you exhaust the number of license seats available. Cortex XSIAM also enforces a license cleanup policy to automatically return unused licenses to the pool of available licenses. The time at which a license returns to the license pool depends on the type of endpoint:
| Endpoint Type | License Return | Agent Removal from Cortex XSIAM Console | Agent Removal from Cortex XSIAM Database |
| --- | --- | --- | --- |
| Standard and mobile devices | After 30 days | After 180 days | After 180 days |
| (Non-Persistent) VDI and Temporary Session | Immediately after log-off for VDI, otherwise after 90 minutes | After 6 hours | After 7 days |
If an agent connects to Cortex XSIAM after its license has been revoked, the endpoint reconnects successfully as long as the agent has not been deleted; otherwise, the endpoint is registered as a new endpoint.
If a deleted agent tries to connect to Cortex XSIAM during the 180-day period, the agent can resume its connection and keep its agent ID. After the 180-day period, the agent ID is deleted along with all the associated data. To reconnect the agent, you must use Cytool to reconnect it or reinstall it on the endpoint; the agent is then assigned a new ID and starts fresh.
It can take up to an hour for Cortex XSIAM to display revived endpoints.