License retention in Cortex XSIAM - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-22
Category
Administrator Guide
Abstract

Learn more about the default retention periods for all Cortex XSIAM licenses, and the available retention add-ons.

After purchasing your license retention add-ons, you can view details about your Cortex XSIAM licenses and retention add-ons by selecting SettingsCortex XSIAM License. For more information on your storage license details, see Dataset Management.

Default retention periods

The following table summarizes the default retention periods for Cortex XSIAM Enterprise and Cortex XSIAM Enterprise Plus:

Data Type

Default Retention Period

Notes

Ingested data

31 days

Alert and incident data

180 days

Incident and alert data are retained according to the last Update Date and Creation Date, respectively. Data collected within these dates is kept and displayed for 180 days. To ensure the accuracy of incidents, Cortex XSIAM provides a grace period of up to 31 days for alerts displayed in the Incidents View, Alerts table, and Casualty View.

Forensic data

365 days

Requires Forensics add-on

Retention add-ons

Retention add-ons are provided for ingested data, and alert and incident data. Minimum requirements are dependent on the license type. You can purchase one or more of the following add-ons:

Feature

Description

Additional Alert and Incident Retention

Additional 31-day hot storage of alert and incident data apart from the default 180 days.

Available for purchase per month for each endpoint.

Period-Based Retention - Hot Storage

Fully searchable storage for investigation and threat hunting of ingested data, and alert and incident data.

Requires purchasing a minimum of one month of the additional retention.

Additional Hot Storage

Flexible hot storage-based retention to help accommodate varying storage requirements for different retention periods and datasets. Fully searchable storage for investigation and threat hunting of ingested data.

Available for purchase by storage for a minimum of 1,000 GB.

Period-Based Retention - Cold Storage

Lower cost storage of ingested data for long-term compliance needs with limited search options.

Requires purchasing a minimum of six months of additional retention.