Data retention policy

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-09-17
Category: Administrator Guide
Solution: Cloud
Abstract: Cortex XSOAR retention policy and enforcement

By default, Cortex XSOAR keeps incidents for 180 days (six months). This retention policy is being gradually enforced from February 2024. The retention period is calculated from when the incident was created in Cortex XSOAR. For more information about the retention policy, see Cortex XSOAR 8 Retention Policy FAQs.

Note

For users who migrated from Cortex XSOAR 6 or who purchased Cortex XSOAR 8 before January 2024, incident retention will be under their original license until license renewal.

The retention period can be extended by purchasing retention licenses. Contact customer support to extend your retention licenses.

To view your incident retention period, go to Settings & Info → Cortex XSOAR License. The retention period includes any retention add-ons you have purchased. For example, if you have purchased an additional six months of retention, you see "12 Months of incidents retention" (6 months default period + 6 months of paid licenses).

Note

Up to 1,000 incidents per tenant can be excluded from the incident retention policy. Retained incidents are not deleted. If you reach 1,000 retained incidents, you cannot exclude additional incidents from the retention policy unless you disable incident retention for some or all of your existing retained incidents.

MSSP and multi-tenant

When you create a new child tenant, you can assign purchased retention licenses to it from Cortex Gateway. You can also allocate retention licenses to existing child tenants. For more information, see Allocate Incident Retention Licenses.

Indicator retention

Indicator retention enforcement is planned for 2025.

The indicator retention policy is based on the total number of indicators stored.

| License                | Indicators                   |
|------------------------|------------------------------|
| XSOAR + TIM            | Up to 100 million indicators |
| XSOAR (No TIM license) | Up to 3 million indicators   |

If the indicator limit is reached, indicators are deleted from oldest to newest (first-in-first-out). Indicators that are linked to open incidents are not deleted.