License retention in Cortex XSIAM

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-04-25
Category: Administrator Guide

Abstract

Learn more about the default retention periods for all Cortex XSIAM licenses, and the available retention add-ons.

After purchasing your license retention add-ons, you can view details about your Cortex XSIAM licenses and retention add-ons by selecting Settings → Cortex XSIAM License. For more information on your storage license details, see Dataset Management.

Default retention periods

The following table summarizes the default retention periods for Cortex XSIAM Enterprise and Cortex XSIAM Enterprise Plus:

| Data Type | Default Retention Period | Notes |
|---|---|---|
| Ingested data | 31 days | |
| Alert and incident data | 180 days | Incident and alert data are retained according to the last Update Date and Creation Date, respectively. Data collected within these dates is kept and displayed for 180 days. To ensure the accuracy of incidents, Cortex XSIAM provides a grace period of up to 31 days for alerts displayed in the Incidents View, Alerts table, and Causality View. |
| Forensic data | 365 days | Requires Forensics add-on |

Retention add-ons

Retention add-ons are provided for ingested data, and alert and incident data. Minimum requirements are dependent on the license type. You can purchase one or more of the following add-ons:

| Feature | Description |
|---|---|
| Additional Alert and Incident Retention | Additional 31-day hot storage of alert and incident data apart from the default 180 days. Available for purchase per month for each endpoint. |
| Period-Based Retention - Hot Storage | Fully searchable storage for investigation and threat hunting of ingested data, and alert and incident data. Requires purchasing a minimum of one month of the additional retention. |
| Additional Hot Storage | Flexible hot storage-based retention to help accommodate varying storage requirements for different retention periods and datasets. Fully searchable storage for investigation and threat hunting of ingested data. Available for purchase by storage for a minimum of 1,000 GB. |
| Period-Based Retention - Cold Storage | Lower cost storage of ingested data for long-term compliance needs with limited search options. Requires purchasing a minimum of six months of additional retention. |