Data retention in Cortex XSIAM


Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-12-29
Category: Administrator Guide

Abstract

Learn more about the default retention periods for all Cortex XSIAM licenses, and the available retention add-ons.

After purchasing your license retention add-ons, you can view details about your Cortex XSIAM licenses and retention add-ons by selecting Settings → Cortex XSIAM License. For more information on your storage license details, see Dataset Management.

Default retention periods

The following table summarizes the default retention periods for Cortex XSIAM:

| Data Type | Default Retention Period | Notes |
|---|---|---|
| Ingested data | 31 days | |
| Case and Issue data | 186 days | Case and Issue data are retained according to the last Update and Creation dates, respectively. Data collected within these dates is kept and displayed for 186 days. To ensure the accuracy of incidents, Cortex XSIAM provides a grace period of up to 31 days for Issues displayed in the Cases View, Issues table, and Causality View. |
| Forensic data | 365 days | Requires Forensics add-on |
| Audit logs | 365 days | |
| Query data | 186 days | |

Retention add-ons

Retention add-ons are provided for ingested data and for Case and Issue data. Minimum requirements depend on the license type. You can purchase one or more of the following add-ons:

| Feature | Description |
|---|---|
| Additional Case and Issue Retention | Additional 31-day hot storage of Case and Issue data apart from the default 186 days. Available for purchase per month for each endpoint. |
| Period-Based Retention - Hot Storage | Fully searchable storage for investigation and threat hunting of ingested data, and Case and Issue data. Requires purchasing a minimum of one month of the additional retention. |
| Additional Hot Storage | Flexible hot storage-based retention to help accommodate varying storage requirements for different retention periods and datasets. Fully searchable storage for investigation and threat hunting of ingested data. Available for purchase by storage for a minimum of 1,000 GB. |
| Period-Based Retention - Cold Storage | Lower cost storage of ingested data for long-term compliance needs with limited search options. Requires purchasing a minimum of six months of additional retention. |