Export incidents from Cortex XSOAR to cloud or local storage. Delete incidents after export or delete without exporting.
The incident export and delete feature enables you to limit storage usage while meeting regulatory requirements for extended data retention. You can perform the following actions:
Export incidents on demand
Schedule automated incident export, automated incident deletion, or automated incident export and deletion
Incidents are exported as JSON files that contain the following:
Incident data, including all incident fields
Context data
Investigation data
War Room entries
In addition, you can choose to export incident attachments.
Exported incidents are sent to Amazon S3, an S3-compatible bucket, or local NFS (Network File System) storage.
Warning
Deletion is permanent and deleted incidents cannot be retrieved.
Exported incidents cannot be imported back into Cortex XSOAR.
Note
The first time incidents are exported, the export may take multiple days or weeks to complete, depending on the number of incidents and the amount of data. The previous export must complete before the system begins another export.
To stop an existing export process, click the Abort button. The Abort button only appears when an export is in progress.
Once an incident has been exported, even if the incident is not deleted and remains in the system, it is not exported again. Note that this also applies to incidents that are modified after export.
Retained incidents are not exported or deleted. For more information, see Retain incidents.