License allocation - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn more about how Cortex XSIAM regulates agent licenses.

Enforcement of licenses

Each Cortex XSIAM license provides three Cortex XDR Pro per Endpoint agents and an additional two Cortex XDR Cloud agents for the Enterprise Plus. You can add additional agents to supplement the ones they get as part of the Cortex XSIAM base bundle. As the Cortex XSIAM-based bundle comes with integrated Host Insights and Extended Threat Hunting Data (XTH) capabilities, any additional Cortex XDR Pro per Endpoint or XDR Cloud agents must also include the Host Insights and XTH add-on.

If an endpoint requires a Pro per Endpoint license, and you’ve exceeded the number of available Pro per Endpoint licenses, one of your surplus Cloud per Host licenses is automatically consumed as a Pro per Endpoint license for the endpoint.

Pro per Endpoint licenses can be allocated for Cloud virtual machines up to Pro per Endpoint license capacity. Cortex XSIAM auto-identifies if a host is running a container orchestrator and assigns the Cloud per Host license accordingly. To protect a Kubernetes or similar container orchestrator endpoint, Cortex XSIAM requires a Cortex Cloud per Host license.

After utilizing all available Pro per Endpoint and Cloud per Host licenses, Cortex XDR falls back to a Cortex XDR Prevent policy that protects the endpoint but does not include Pro-specific capabilities. When you exceed the permitted number of Pro and Cloud agents, Cortex XSIAM displays a notification in the notification area. Cortex XSIAM permits a small grace over the permitted number but begins enforcing the number of agents after 14 days. If additional Pro agents are required, increase your Cortex XDR Pro per Endpoint license capacity.

License Revocation