Cortex XSOAR 8 Retention Policy FAQs

Product: Cortex XSOAR
Version: 8
Creation date: 2023-11-08
Last date published: 2024-03-25
Category: FAQs
Solution: Cloud

  • Incidents

  • Indicators

  • MSSP and Multi-Tenant Environments

Incidents

What is the default retention period for my Cortex XSOAR tenant?

The default retention period for Cortex XSOAR incidents is 180 days (6 months).

When will Palo Alto Networks start enforcing incident retention?

Incident retention enforcement is planned as part of the Cortex XSOAR 8.5 GA release (February 2024).

How is the retention period calculated?

The incident retention period is calculated from the date the incident was created in Cortex XSOAR.

Can I extend the retention period?

You can easily extend the retention period according to your needs by purchasing a retention extension add-on.

Where can I find the tenant’s retention entitlement?

The retention entitlement will be visible on the Cortex XSOAR license page (Settings & Info > Cortex XSOAR License).

Indicators

Is there a retention policy for Cortex XSOAR indicators?

Unlike incidents, indicators in Cortex XSOAR will not have a time limit. We limit the number of indicators per tenant as follows:

  • XSOAR + TIM customers: Up to 100 million indicators

  • XSOAR customers (no TIM license): Up to 3 million indicators

When will Palo Alto Networks start to enforce indicator retention?

Indicator retention enforcement is planned as part of the GA release of Cortex XSOAR 8.7.

Can the number of indicators on my tenant be expanded?

Customers with no TIM license can buy a TIM license and have up to 100 million indicators on their tenant. The number of indicators can’t exceed 100 million per tenant.

How will indicators be deleted when the limit has been exceeded?

The indicators will be deleted from oldest to newest (FIFO). Indicators that are linked to open incidents will not be deleted.

MSSP and Multi-Tenant Environments

How do I assign retention licenses to a new child tenant?

Starting in the February 2024 release, there will be an option to assign retention licenses when creating a new child tenant.

How do I assign retention licenses to an existing child tenant?

Starting in the February 2024 release, users will be able to manage child tenant retention licenses from Cortex Gateway.

When clicking Manage Incident Retention Licenses:

[Screenshot: manage-retention.png]