License Retention - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-22
Last date published: 2023-09-21
Category: Administrator Guide

All of the Cortex XDR Pro licenses provide you with the following default retention periods:

Cortex XDR Pro per Endpoint and Cortex XDR Cloud per Host

  • 30-day Ingested Data

  • 180-day Alert and Incident Data

  • 365-day Forensic Data

Cortex XDR Pro per GB

  • 30-day Ingested Data

  • 180-day Alert and Incident Data

Incident and alert data are retained according to the last Update and Creation dates, respectively. Data collected within these dates is kept and displayed for 180 days. To ensure the accuracy of incidents, Cortex XDR provides a grace period of up to 30 days for alerts displayed in the Incidents View, Alerts table, and Causality View.

For XQL Search capabilities, Cortex XDR enforces retention on all log-type datasets excluding Host Inventory, Vulnerability Assessment, Metrics, and Users.

Depending on your requirements and license add-ons, you can purchase one or more of the following retention add-ons on top of your license to extend your storage. You can view your retention storage duration on the Dataset Management page.

Note: Cortex XDR Cloud per Host offers the same retention add-ons as Cortex XDR Pro per Endpoint.

Feature: Additional Alert and Incident Retention

Description: Additional 30-day Hot storage of alert and incident data apart from the default 180 days.

Available for purchase per month for each endpoint (Cortex XDR Pro Per Endpoint) or GB (Cortex XDR Pro per GB).

Feature: Period-Based Retention - Hot Storage

Description: Fully searchable storage for investigation and threat hunting of ingested data, and alert and incident data.

Note: Available separately for the Pro per Endpoint or Pro per Endpoint with XTH data licenses. Prices are dependent on whether XTH data has been purchased.

Requires purchasing a minimum of 1 month of the additional retention.

Feature: Period-Based Retention - Cold Storage

Description: Lower cost storage of ingested data for long-term compliance needs with limited search options.

Note: Available separately for the Pro per Endpoint or Pro per Endpoint with XTH data licenses. Prices are dependent on whether XTH data has been purchased.

Requires purchasing a minimum of 6 months of the additional retention.