Retain incidents - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-10-31
Category: Administrator Guide
Solution: On-prem
Abstract

Retain up to 1000 incidents.

You can mark up to 1000 incidents for permanent retention so that important incidents can't be inadvertently deleted, either manually or by an API call.

Note

Up to 1000 incidents per tenant can be selected. Retained incidents are not deleted. If you reach 1000 retained incidents, you can't retain additional incidents unless you disable incident retention for some or all of your existing retained incidents.

Only user roles that have the Retain incident permissions can retain incidents or undo incident retention. For more information, see Role-based permissions.

How to retain an incident
  1. On the Incidents page, select the incident you want to retain.

  2. From the Actions dropdown button, select Retain Incident.

    The lock icon appears when the incident has been marked for retention.

To disable retention for an incident, select Undo Retain Incident from the Actions menu.

To search for retained incidents in the Incidents search bar, use the retained field, with T (True) or F (False). You can also add the Retain Incident field to the Incidents table to easily view which incidents are retained.