Export - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Select the export option to export data collection for long-term retention or offline analysis.

You can export the data collection for long-term retention or offline analysis.

From the collections page, choose a search item from a hunt collection or the endpoint from a triage collection and click the export icon (forensics_export_icon.png). For export of all items, select the Export All option from the Exports button at the top of the Collections page.


You can export a collection more than once.

To view the status of the export, click the Exports button.

The Investigation Exports table shows the status of the requested exports for the selected collection. The compressed export data expires from the bucket after 30 days.



Collection name

Shows the name of the triage or hunt. For triage, the endpoint name of the triaged host is displayed.


Shows the time when the exported package was created (compressed).

Exported by

Shows the name of the user who requested the export.

Export expiration

Shows the timestamp of when the bucket data (compressed data) will be deleted.

The timestamp changes to red after the timestamp and the last column shows Expired.


The progress indicates how many tables from the collections have been successfully exported to a bucket.

Download button

Enables you to download the the compressed (zip) export of the collection.

Bin icon

Enables you to delete the compressed export file.