Retain Incidents - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Retain an incident according to the Retention Policy.

You can mark up to 1,000 incidents for permanent retention. Incidents that are marked for retention cannot be deleted. This includes manual deletion, deletion by API call, and deletion per the incident retention policy of 180 days (six months) plus any additional incident retention licenses assigned to the tenant.

Only users with the DATA Retain Incidents permissions can enable or disable retention for an incident. See Role-based Permission Levels.

To mark an incident for retention, select Retain Incident from the Actions menu. When an incident has been marked for retention, the lock icon appears. To disable retention for an incident, select Undo Retain Incident from the Actions menu. Once you have marked 1,000 incidents for retention, no additional incidents can be retained unless you disable incident retention for existing retained incidents.

To search for retained incidents in the Incidents search bar, use the retained field, with T (True) or F (False).