Retain incidents

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-10-14
Category: Administrator Guide
Solution: Cloud

Abstract: Retain an incident according to the Retention Policy.

By default, Cortex XSOAR keeps incidents for 180 days (six months). The retention period is calculated from when the incident was created in Cortex XSOAR. For more information about the retention policy and how to extend retention, see Cortex XSOAR 8 Retention Policy FAQs.

You can mark up to 1,000 incidents for permanent retention, including incidents that have been deleted manually, by API call, or per the Retention Policy of 180 days (six months) plus any additional incident retention licenses assigned to the tenant.

Note

Up to 1,000 incidents per tenant can be excluded from the incident retention policy. Retained incidents are not deleted. If you reach 1,000 retained incidents, you won't be able to exclude additional incidents from the retention policy unless you disable incident retention for some or all of your existing retained incidents.

Only user roles that have retain incident permissions can retain incidents or undo incident retention. For more information, see The Components tab.

How to retain an incident
  1. On the Incidents page, select the incident you want to retain.

  2. From the Actions dropdown button, select Retain Incident.

    The lock icon appears when the incident has been marked for retention.

To disable retention for an incident, select Undo Retain Incident from the Actions menu.

To search for retained incidents in the Incidents search bar, use the retained field, with T (True) or F (False). You can also add the Retain Incident field to the Incidents table to easily view which incidents are retained.