topic Re: Cortex XDR Dataset - Total Days Stored in Cortex XDR Discussions

Cortex XDR Dataset - Total Days Stored

nohash4u — Tue, 15 Jul 2025 14:45:11 GMT

Hello All,

Can anyone explain as to why a dataset that is a subset of the xdr_data dataset may have a total days stored value less than the xdr_data dataset?

In my case the total days stored of the login_logs dataset is less than that of the parent dataset xdr_data:

This is not a new configuration, so I am curious as to why there is a difference between the two.

The hot storage license for the tenant is:

Cheers

Re: Cortex XDR Dataset - Total Days Stored

eluis — Thu, 17 Jul 2025 13:28:01 GMT

Hi Nohash4u,

The logins_log dataset incorporates login logs from xdr agent and other login logs from other products (Global Protect VPN, Firewall....),

XDR_dataset has much more types of different events.

According with what I see in the pic you sent, I see that login_logs dataset has data from 22nd Jun to 12th Jul which means that there was no login events captured before and after those dates respectively

Same explanation from xdr_dataset, which contains much more types of events so different types of events than logins were captured before and after the login events in the previous dataset.

If you believe that some login logs might have been missed or lost, please feel free to open a TAC support case to investigate it further.

Does it make sense ?

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

KR,

Luis

Re: Cortex XDR Dataset - Total Days Stored

nohash4u — Mon, 21 Jul 2025 14:20:22 GMT

Thanks @eluis for clarifying! The login_logs dataset continues to increase to the hot retention period of 31 total days stored. I am unsure if there was a problem with the capturing of such login events, or if the other possibility of no one logging in for a period of time occurred. I will post back here with any new findings.

Cheers!