Cortex XOAR retention policy and enforcement
From February 2024, the incident retention policy has been gradually enforced. The default retention policy for incidents in Cortex XSOAR is 180 days (six months). This time period is calculated from when the incident was originally created in Cortex XSOAR.
Note
Customers who migrated from Cortex XSOAR hosted service or who purchased Cortex XSOAR 8 before January 2024 have incident retention in accordance with their original license until license renewal.
The retention period can be extended by purchasing retention licenses. For more information, contact Customer Support.
To view your time period for incident retention, go to 12 Months of incidents retention (6 months default period + 6 months of paid licenses).
→ . This includes any retention add-ons you have purchased. For example, if you have purchased an additional six months of retention, you see:Note
Up to 1,000 incidents per tenant can be excluded from the incident retention policy. Retained incidents are not deleted. If you reach 1,000 retained incidents, you will not be able to exclude additional incidents from the retention policy, unless you disable incident retention for some or all of your existing retained incidents.
MSSP and Multi-Tenant
When you create a new child tenant, you have the option to assign purchased retention licenses to the child tenant, from within the Cortex Gateway. You can also allocate purchased retention licenses to existing child tenants.
Indicator Retention
Indicators retention enforcement is planned for 2025.
The indicator retention policy is based on the total number of indicators stored.
License | Indicators |
---|---|
XSOAR + TIM | Up to 100 million indicators |
XSOAR (No TIM license) | Up to 3 million indicators |
If the indicator limit is reached, indicators are deleted from older to newer (first-in first-out). Indicators that are linked to open incidents are not deleted.