Data retention policy - Cortex XSOAR retention policy and enforcement - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

By default, Cortex XSOAR keeps incidents for six months. This retention policy is being gradually enforced from February 2024. The retention period is calculated from when the incident was created in Cortex XSOAR. For more information about the retention policy, see Cortex XSOAR 8 Retention Policy FAQs.

If you need to store incidents for longer than six months to meet regulatory requirements, there are three options:

To view your incident retention period, go to Settings & Info → Cortex XSOAR License. The retention period includes any retention add-ons you have purchased. For example, if you have purchased an additional six months of retention, you see 12 Months of incidents retention (6 months default period + 6 months of paid licenses).

MSSP and multi-tenant

When you create a new child tenant, you can assign purchased retention licenses to the child tenant, from Cortex Gateway. You can also allocate retention licenses to existing child tenants. For more information, see Allocate Incident Retention Licenses.

Indicator retention

Indicators retention enforcement is planned for 2025.

The indicator retention policy is based on the total number of indicators stored.

If the indicator limit is reached, indicators are deleted from older to newer (first-in-first-out). Indicators that are linked to open incidents are not deleted.