Data Retention Policy - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Cortex XOAR retention policy and enforcement

From February 2024, the incident retention policy has been gradually enforced. The default retention policy for incidents in Cortex XSOAR is 180 days (six months). This time period is calculated from when the incident was originally created in Cortex XSOAR.


Customers who migrated from Cortex XSOAR hosted service or who purchased Cortex XSOAR 8 before January 2024 have incident retention in accordance with their original license until license renewal.

The retention period can be extended by purchasing retention licenses. For more information, contact Customer Support.

To view your time period for incident retention, go to Settings & InfoCortex XSOAR License. This includes any retention add-ons you have purchased. For example, if you have purchased an additional six months of retention, you see: 12 Months of incidents retention (6 months default period + 6 months of paid licenses).


Up to 1,000 incidents per tenant can be excluded from the incident retention policy. Retained incidents are not deleted. If you reach 1,000 retained incidents, you will not be able to exclude additional incidents from the retention policy, unless you disable incident retention for some or all of your existing retained incidents.

MSSP and Multi-Tenant

When you create a new child tenant, you have the option to assign purchased retention licenses to the child tenant, from within the Cortex Gateway. You can also allocate purchased retention licenses to existing child tenants.Allocate Incident Retention Licenses

Indicator Retention

Indicators retention enforcement is planned for 2025.

The indicator retention policy is based on the total number of indicators stored.




Up to 100 million indicators

XSOAR (No TIM license)

Up to 3 million indicators

If the indicator limit is reached, indicators are deleted from older to newer (first-in first-out). Indicators that are linked to open incidents are not deleted.