Export incidents from Cortex XSOAR to cloud storage.
You can export incidents from Cortex XSOAR.
Incidents are exported as JSON files that contain the following:
Incident data, including all incident fields
Context data
Investigation data
War Room entries
In addition, you can choose to export incident attachments.
Exported incidents are sent to Amazon S3 or an S3-compatible storage solution. You can schedule incident exports or export incidents on demand. To enable incident export, you must configure egress to your storage solution in the Cortex Gateway and configure your External Storage settings in Cortex XSOAR.
Note
The first time incidents are exported, the process may take multiple days or weeks, depending on the number of incidents and the amount of data. The previous export must be completed before the system begins another export.
Once an incident has been exported, it is not exported again, even if it remains in the system and is modified after the export.
Exported incidents cannot be imported back into Cortex XSOAR.
Retained incidents are not exported.
To stop an existing export process, you must make a POST request to the API endpoint: /xsoar/exdelete-incidents/job/abort