Cortex XSOAR retention policy and enforcement
By default, Cortex XSOAR keeps incidents for 180 days (six months). This retention policy is being gradually enforced from February 2024. The retention period is calculated from when the incident was created in Cortex XSOAR. For more information about the retention policy, see Cortex XSOAR 8 Retention Policy FAQs.
Note
For users who migrated from Cortex XSOAR 6 or who purchased Cortex XSOAR 8 before January 2024, incident retention will be under their original license until license renewal.
The retention period can be extended by purchasing retention licenses. Contact customer support to extend your retention licenses.
To view your incident retention period, go to 12 Months of incidents retention (6 months default period + 6 months of paid licenses).
→ . The retention period includes any retention add-ons you have purchased. For example, if you have purchased an additional six months of retention, you seeNote
Up to 1,000 incidents per tenant can be excluded from the incident retention policy. Retained incidents are not deleted. If you reach 1000 retained incidents, you won't be able to exclude additional incidents from the retention policy, unless you disable incident retention for some or all of your existing retained incidents.
MSSP and multi-tenant
When you create a new child tenant, you can assign purchased retention licenses to the child tenant, from Cortex Gateway. You can also allocate retention licenses to existing child tenants. For more information, see Allocate Incident Retention Licenses.
Indicator retention
Indicators retention enforcement is planned for 2025.
The indicator retention policy is based on the total number of indicators stored.
License | Indicators |
---|---|
XSOAR + TIM | Up to 100 million indicators |
XSOAR (No TIM license) | Up to 3 million indicators |
If the indicator limit is reached, indicators are deleted from older to newer (first-in-first-out). Indicators that are linked to open incidents are not deleted.