Retain an incident according to the Retention Policy.
By default, Cortex XSOAR keeps incidents for 180 days (six months). The retention period is calculated from when the incident was created in Cortex XSOAR. For more information about the retention policy and how to extend retention, see Cortex XSOAR 8 Retention Policy FAQs.
Note
Up to 1,000 incidents per tenant can be excluded from the incident retention policy. Retained incidents are not deleted. If you reach 1000 retained incidents, you won't be able to exclude additional incidents from the retention policy, unless you disable incident retention for some or all of your existing retained incidents.
Only user roles that have retain incident permissions, can retain or undo incident retention. For more information, see The Components tab.
On the Incidents page, select the incident you want to retain.
From the Actions dropdown button, select Retain Incident.
The lock icon appears when the incident has been marked for retention.