There are many benefits to being a hosted XSOAR customer, such as offloading the care and feeding of the XSOAR environment. That said, the hosted model requires a different process when the time comes to archive data to prevent slow performance or running out of storage. Let's review how to archive and retrieve your data, including best practices, recommendations and FAQs for archiving.
NOTE: This blog applies only to XSOAR 6. The XSOAR 8 process will be published at a later time.
Hosted customers will be notified when they have reached 80% of their storage capacity. It is recommended that a plan be developed to export the data at this time. Another notification will be sent when you have reached 90% of your storage capacity, and action should be taken immediately.
There are multiple ways you can store your incident data:
- Export via API
- Export via the UI
- Export via Splunk HEC or another SIEM
- Load exported data into a temporary on-premises environment
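The "Export via API" option above is the one most customers script, so here is an added example (written for this post, not code from Palo Alto Networks or the XSOAR project) that pulls every incident in a month range from the XSOAR 6 REST API and writes one JSONL file per month, plus a manifest with a row count and SHA-256 per file so the archive can be checked later. It uses the `POST /incidents/search` endpoint with the `fromDate`, `toDate`, `page` and `size` filter fields and the `Authorization: <api key>` header of the XSOAR 6 API; the base URL, the `XSOAR_URL`/`XSOAR_API_KEY` environment variables, the output directory and the sample incidents are assumptions or constructed data for offline use. The page-by-page loop and the `data: null` handling on empty pages are the parts worth copying: a naive single request silently caps at the server's page size.

```python
"""Export XSOAR 6 incidents for a month range to JSONL files (one per month).

Added example for this post; not XSOAR's own code. Run against a real
tenant with XSOAR_URL and XSOAR_API_KEY set, or with no arguments to use the
constructed offline sample below.
"""
import hashlib
import json
import os
import ssl
import tempfile
import urllib.request
from datetime import date, timedelta
from pathlib import Path


def month_windows(start_month, end_month):
    """Yield (fromDate, toDate) ISO-8601 pairs, one per calendar month, inclusive.
    start_month/end_month are (year, month) tuples, e.g. (2022, 1) .. (2022, 12)."""
    y, m = start_month
    while (y, m) <= end_month:
        first = date(y, m, 1)
        ny, nm = (y + 1, 1) if m == 12 else (y, m + 1)
        last = date(ny, nm, 1) - timedelta(days=1)
        yield first.isoformat() + "T00:00:00Z", last.isoformat() + "T23:59:59Z"
        y, m = ny, nm


def search_body(from_date, to_date, page, size=100):
    """Request body for POST /incidents/search (XSOAR 6 REST API filter object)."""
    return {"filter": {"fromDate": from_date, "toDate": to_date, "page": page, "size": size}}


def xsoar_fetcher(base_url, api_key):
    """Return a callable that POSTs a search body to the tenant and returns the JSON reply.
    TLS verification is left on deliberately; the API key is a bearer credential."""
    ctx = ssl.create_default_context()

    def fetch(body):
        req = urllib.request.Request(
            base_url.rstrip("/") + "/incidents/search",
            data=json.dumps(body).encode("utf-8"),
            headers={"Authorization": api_key, "Content-Type": "application/json",
                     "Accept": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.load(resp)
    return fetch


def export_range(fetch_page, start_month, end_month, out_dir=None, size=100):
    """Page through every month in the range and write incidents-YYYY-MM.jsonl files.
    Returns the manifest {filename: {"count": n, "sha256": hex}} that is also written
    to manifest.json. fetch_page is any callable taking a search body (real or fake)."""
    out = Path(out_dir or tempfile.mkdtemp(prefix="xsoar-archive-"))
    out.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for from_date, to_date in month_windows(start_month, end_month):
        path = out / f"incidents-{from_date[:7]}.jsonl"
        digest, count, page = hashlib.sha256(), 0, 0
        with open(path, "w", encoding="utf-8") as fh:
            while True:
                resp = fetch_page(search_body(from_date, to_date, page, size))
                rows = resp.get("data") or []      # the API returns "data": null when empty
                for inc in rows:
                    line = json.dumps(inc, sort_keys=True) + "\n"
                    fh.write(line)
                    digest.update(line.encode("utf-8"))
                    count += 1
                if len(rows) < size or count >= resp.get("total", 0):
                    break                           # short page or everything fetched
                page += 1
        os.chmod(path, 0o600)                       # archive holds incident data; owner-only
        manifest[path.name] = {"count": count, "sha256": digest.hexdigest()}
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    return manifest


# Constructed sample for offline runs (not real incidents): 4 in Jan 2022, 3 in Feb 2022.
SAMPLE_INCIDENTS = [
    {"id": str(i), "name": f"Phishing report {i}", "severity": i % 4,
     "created": f"2022-{1 if i < 5 else 2:02d}-{(i % 27) + 1:02d}T09:00:00Z"}
    for i in range(1, 8)
]


def constructed_fetcher(body):
    """Offline stand-in for the API: applies the date window and paging like the server."""
    f = body["filter"]
    hits = [i for i in SAMPLE_INCIDENTS if f["fromDate"] <= i["created"] <= f["toDate"]]
    start = f["page"] * f["size"]
    return {"total": len(hits), "data": hits[start:start + f["size"]] or None}


if __name__ == "__main__":
    url, key = os.environ.get("XSOAR_URL"), os.environ.get("XSOAR_API_KEY")
    fetch = xsoar_fetcher(url, key) if url and key else constructed_fetcher
    print(json.dumps(export_range(fetch, (2022, 1), (2022, 2), size=3), indent=2))
```

Keep the manifest alongside the exported files: when you later load the archive into a temporary on-premises instance or a SIEM, recomputing the SHA-256 of each file tells you whether the copy you are about to trust is the one you exported. The incident search does not include War Room entries; pull those separately per investigation if your retention policy covers them.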
Once you have determined how you are going to store and view your archived data, submit a request to support as follows:
- Open a support case: https://support.paloaltonetworks.com
- Title the case 'Archive [Environment Name] Data'
- Note the following in the body of the case:
  - What to archive: request the specific monthly range you want archived. Example: "Please archive data from January 2022 - December 2022."
  - When you want it to happen: let support know if you require a specific archive window. Unless requested otherwise, the archive process takes place during the standard maintenance period, Sunday at 10 AM IDT/UTC+2. The expected downtime is ~1 hour.
  - Request the backup data: if you want an on-prem reader solution, specify that you would like to receive a backup of the archived data. A download link will be provided to you after the archive process is complete.
Archiving your hosted data is a fairly straightforward process, but there are several things you want to keep in mind before putting in a request.
Q1: I only have one production and one dev environment. How can I get an on-premises instance?
A1: Contact your Account Team and request a developer license. This can be applied after you have installed the relevant version and build.
Q2: What resources are required for an on-prem environment?
A2: Be sure to follow the system requirements for a dev machine.
Q3: If I have issues installing and reading the archived data on my on-prem environment, who can help?
A3: Support will assist on a best-effort basis.
Q4: Can support help export the data via the UI or to a SIEM before the archive process begins?
A4: No. This is not supported. If you need more assistance before submitting an archive ticket, please contact your Premium Customer Success or Account Team.
Q5: Can data be restored after the archive?
A5: Yes. However, the restored data will take up the same, or more, storage space, so it will need to be archived again shortly after the restoration.
Q6: How long do you store archived data?
A6: 1 year
Q7: How long does the archive process take?
A7: It can take up to 1 hour