Incidents
Indicators
MSSP and Multi-Tenant Environments
Incidents
What is the default retention period for my Cortex XSOAR tenant?
The default retention period for Cortex XSOAR incidents is 180 days (6 months).
When will Palo Alto Networks start enforcing incident retention?
Incident retention enforcement is planned as part of the Cortex XSOAR 8.5 GA release (February 2024).
How is the retention period calculated?
The incident retention period is calculated from the date the incident was created in Cortex XSOAR.
Can I extend the retention period?
You can easily extend the retention period according to your needs by purchasing a retention extension add-on.
Where can I find the tenant’s retention entitlement?
The retention entitlement will be visible on the Cortex XSOAR license page
→ .Indicators
Is there a retention policy for Cortex XSOAR indicators?
Unlike incidents, indicators in Cortex XSOAR will not have a time limit. We limit the number of indicators per tenant as follows:
XSOAR + TIM customers: Up to 100 million indicators
XSOAR customers (no TIM license): Up to 3 million indicators
When will Palo Alto Networks start to enforce indicators retention?
Indicators retention enforcement is planned as part of the GA release of Cortex XSOAR 8.7.
Can the number of indicators on my tenant be expanded?
Customers with no TIM license, can buy a TIM license and have up to 100 million indicators on their tenant. The number of indicators can’t exceed 100 million per tenant.
How will indicators be deleted when the limit has been exceeded?
The indicators will be deleted from older to newer (FIFO). Indicators that are linked to open incidents will not be deleted.
MSSP and Multi-Tenant Environments
How do I assign retention licenses to a new child tenant?
Starting in the February 2024 release, there will be an option to assign retention licenses when creating a new child tenant.
How do I assign retention licenses to an existing child tenant?
Starting in the February 2024 release, users will be able to manage child tenant retention licenses from Cortex Gateway.
When clicking Manage Incident Retention Licenses: