Alerts retention duration in Cortex XDR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Alerts retention duration in Cortex XDR

L0 Member

Hi !

Does anyone know how long alerts/incidents will be visible in Cortex XDR ?

In our tenant we have alerts older than 1 year and I was wondering if they disappear after some time or if they will be accessible forever but I can't find this information anywhere.

 

Thanks

1 accepted solution

Accepted Solutions

L5 Sessionator

By default, Cortex XDR will store a minimum of 30 days for EDR data as stated in the documentation here.

 

There is no enforcement for alerts wrt time right now. Instead,  it depends on the count of alerts (in millions). They will eventually disappear based on the number of alerts generated in the system, in a FIFO format. If there are regulatory/compliance requirements to store data, there are hot storage and cold storage SKU's to ensure data storage depending on the use case.

 

You can take a look at the Dataset Management table to see the current range of the data.

 

 

bbarmanroy_0-1658396070105.png

 

View solution in original post

1 REPLY 1

L5 Sessionator

By default, Cortex XDR will store a minimum of 30 days for EDR data as stated in the documentation here.

 

There is no enforcement for alerts wrt time right now. Instead,  it depends on the count of alerts (in millions). They will eventually disappear based on the number of alerts generated in the system, in a FIFO format. If there are regulatory/compliance requirements to store data, there are hot storage and cold storage SKU's to ensure data storage depending on the use case.

 

You can take a look at the Dataset Management table to see the current range of the data.

 

 

bbarmanroy_0-1658396070105.png

 

  • 1 accepted solution
  • 2984 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!