Currently, our devices are in an unprotected state and a partially protected state due to disk consumption.
Is the data in Cortex XDR incremental, or does it delete itself after some time?
What is the possible solution for this issue?
How do we differentiate whether the disk consumption error is because the disk is full in the user's system or because the space assigned for Cortex is filled?
Hi @Shashanksinha, the XDR data stored in the endpoint is limited to 5GB (default, and configurable in Agent Settings profiles). You can use standard IT Ops tools to monitor disk sizes, or leverage Live Terminal to do the same. When the quota for XDR agent is exhausted, the agent will automatically start removing older data. Enabling Forensics consumes significant storage, so be mindful of allocating more disk space accordingly (around 3-4GB additionally).
What you should look for is why the space is being filled up, and it could be attributed to being "noisy", i.e., with lots of alerts and incidents being triggered from that endpoint.
I'd first start off by allocating more disk space to the XDR agent on the affected endpoints to ensure operational stability, and then start investigating the root cause.
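One way to tell a full volume apart from a full agent quota, as an added example that is not part of the original replies or of any Palo Alto Networks tooling: the script measures the agent's data directory and the free space on its volume and compares them with the 5GB default quota mentioned above. The agent data directory is passed in by the operator (its location is not given in this thread), and the 1 GB free-space floor and the 90% "near quota" threshold are assumptions.

```python
import os
import shutil
import stat
import sys

DEFAULT_QUOTA_BYTES = 5 * 1024**3  # 5GB default quota from the reply (binary GB assumed)
MIN_FREE_BYTES = 1 * 1024**3       # assumed floor below which the volume counts as full
NEAR_QUOTA = 0.90                  # assumed fraction of quota that counts as "quota reached"


def dir_size(path):
    """Sum the sizes of regular files under path, skipping unreadable entries and links."""
    total = 0
    for root, _dirs, files in os.walk(path, onerror=lambda err: None):
        for name in files:
            try:
                info = os.lstat(os.path.join(root, name))
            except OSError:
                continue  # file vanished or access denied; ignore it
            if stat.S_ISREG(info.st_mode):
                total += info.st_size
    return total


def classify(free_bytes, agent_bytes, quota=DEFAULT_QUOTA_BYTES, min_free=MIN_FREE_BYTES):
    """Return which limit, if any, explains a disk-consumption problem."""
    volume_low = free_bytes < min_free
    at_quota = agent_bytes >= NEAR_QUOTA * quota
    if volume_low and at_quota:
        return "both"
    if volume_low:
        return "volume_full"
    if at_quota:
        return "agent_quota"
    return "ok"


def triage(agent_data_dir, quota=DEFAULT_QUOTA_BYTES, min_free=MIN_FREE_BYTES):
    """Measure the directory and its volume, then classify the result."""
    free = shutil.disk_usage(agent_data_dir).free
    used = dir_size(agent_data_dir)
    return {"state": classify(free, used, quota, min_free),
            "volume_free_bytes": free, "agent_bytes": used}


if __name__ == "__main__":
    # Usage: python triage.py <agent data directory>  (site-specific path, not from the thread)
    print(triage(sys.argv[1]))
```

If the quota was raised in the Agent Settings profile, pass that value as `quota` instead of the default.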