08-24-2022 09:03 AM - edited 12-14-2023 09:56 AM
As part of the Cortex XDR V. 3.5 release (planned for December 2022), Palo Alto Networks will start enforcing data retention according to your license entitlement.
Your base license provides you with 30 days of hot retention for all ingested data, as well as 180 days of hot retention for alert and incident data.
You can easily extend the retention period according to your needs by purchasing one of our period-based retention extension add-ons:
| Retention Add-on | Description |
| --- | --- |
| Endpoint data hot retention | An additional 30 days of hot storage for XDR ProEP/Cloud of the Endpoint-ingested data beyond the 30 days in the base license |
| Other ingested data hot retention | An additional 30 days of hot storage for XDR ProTB of the entire ingested data (excluding endpoints) beyond the 30 days in the base license |
| Endpoint data cold retention | An additional 30 days of cold storage for XDR ProEP/Cloud of the Endpoint-ingested data beyond the 30 days in the base license |
| Other ingested data cold retention | An additional 30 days of cold storage for XDR ProTB of the entire ingested data (excluding endpoints) beyond the 30 days in the base license |
By the end of September 2022, we will be introducing new retention add-ons that let you extend retention for alerts and incidents data only, beyond the default 180 days:
| Retention Add-on | Description |
| --- | --- |
| Endpoint alerts and incidents hot retention | An additional 30 days of storage for XDR ProEP/Cloud of Alerts & Incidents data beyond the 180 days in the base license |
| Alerts and incidents (all other sources) hot retention | An additional 30 days of storage for XDR ProTB of Alerts & Incidents data beyond the 180 days in the base license |
Q: When will Palo Alto Networks start to enforce retention?
A: Retention enforcement is planned as part of the GA release of Cortex XDR V. 3.5 (December 2022).
Q: What is the default retention period included in the base license?
A: Cortex XDR Pro per Endpoint, Cortex XDR Cloud per Host, Cortex XDR Pro per TB and XSIAM bundles include 30 days of hot retention for all ingested data (both EP and TB) as well as 180 days of hot retention for Alerts and Incidents data.
Q: What kind of data is covered by the alerts and incidents data retention add-on?
A: All alerts and incidents that were created within the retention period will be retained. This will include alerts and incidents metadata as well as alert causality chains (including process data and analytics profiles).
Q: Can I choose what kind of data to retain?
A: There is no per-dataset retention configuration at the moment, but customers can choose to extend retention for the entire ingested data or for alerts and incidents only (note that both add-ons can be combined, each with its own retention period). We plan to offer per-dataset data retention in the future.
Q: Can extended retention be purchased in the middle of a contract or only upon renewal?
A: Retention add-ons are co-termed with the base license, and can be purchased at any time.
Q: How is data truncated? E.g., LIFO or FIFO?
A: Data retention is period-based: once the retention period elapses, data older than the retention period is deleted (FIFO).
Q: Where can I find my retention entitlement?
A: Retention add-ons are listed under license details (Settings → Cortex XDR License). In addition, the retention period is also listed on the “Dataset” management screen (Settings → Configurations → Dataset Management).
You can find the latest updates regarding data retention in our FAQ here.
Will this have any effect on data retention with the Data Lake? We have our Data Lake keeping logs for 365 days.