There are many benefits to being a hosted XSOAR customer, such as offloading the care and feeding of the XSOAR environment. The trade-off is that archiving data, which you will eventually need to do to prevent slow performance or running out of storage, follows a different process than it does on-premises. In this blog we will review how to archive and retrieve your data, and highlight best practices, recommendations and FAQs.
NOTE: This blog applies only to XSOAR 6. The XSOAR 8 process will be published at a later time.
Hosted customers are notified when they reach 80% of their storage capacity; this is the time to develop a plan for exporting the data. A second notification is sent at 90% of capacity, at which point action should be taken immediately.
There are multiple ways you can retain your incident data before it is archived:
- Export via API
- Export via the UI
- Export via Splunk HEC or another SIEM
- Load exported data into a temporary On-Premises environment
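The first option above, exporting via the API, is the one most likely to be scripted, so here is a worked example of it. This is an added example, not code from the original post or from Palo Alto Networks; it assumes the XSOAR 6 REST endpoint POST /incidents/search, which takes a JSON body of the form {"filter": {...}} with page, size, fromDate and toDate fields and returns {"data": [...], "total": N}, authenticated with an "Authorization: <API key>" header. The sort syntax, the XSOAR_URL and XSOAR_API_KEY environment variable names, and the sample incident records are assumptions made for illustration.

```python
"""Paginated export of XSOAR 6 incident records to NDJSON (added example).

Assumes POST /incidents/search with body {"filter": {...}} returning
{"data": [...], "total": N}; anything beyond that is an assumption.
"""
import json
import os
import sys
import urllib.request
from typing import Callable, Iterator, List

Fetch = Callable[[dict], dict]  # maps a search filter to the raw response


def xsoar_fetcher(base_url: str, api_key: str, timeout: int = 60) -> Fetch:
    """Build a fetch function that POSTs a filter to /incidents/search."""
    url = base_url.rstrip("/") + "/incidents/search"

    def fetch(filter_body: dict) -> dict:
        req = urllib.request.Request(
            url,
            data=json.dumps({"filter": filter_body}).encode("utf-8"),
            headers={"Authorization": api_key,
                     "Content-Type": "application/json",
                     "Accept": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)

    return fetch


def iter_incidents(fetch: Fetch, from_date: str, to_date: str,
                   page_size: int = 100) -> Iterator[dict]:
    """Walk every page for the date range, deduplicating by incident id.

    Pages are requested in ascending id order so incidents created while the
    export runs do not shift earlier pages. Only incident fields come back;
    war-room entries and file artifacts are not part of this export.
    """
    seen = set()
    page = 0
    while True:
        body = fetch({
            "page": page,
            "size": page_size,
            "fromDate": from_date,  # RFC 3339 timestamps
            "toDate": to_date,
            "sort": [{"field": "id", "asc": True}],  # assumed sort syntax
        })
        rows = body.get("data") or []  # XSOAR returns null, not [], for no hits
        for inc in rows:
            if inc["id"] in seen:
                continue
            seen.add(inc["id"])
            yield inc
        if len(rows) < page_size:  # a short page means the last page
            return
        page += 1


def to_ndjson(incidents: List[dict]) -> str:
    """One JSON object per line; sort_keys keeps diffs between exports stable."""
    return "".join(json.dumps(inc, sort_keys=True) + "\n" for inc in incidents)


def export_ndjson(fetch: Fetch, from_date: str, to_date: str,
                  out_path: str, page_size: int = 100) -> int:
    """Stream the export to disk and return how many incidents were written."""
    count = 0
    with open(out_path, "w", encoding="utf-8") as fh:
        for inc in iter_incidents(fetch, from_date, to_date, page_size):
            fh.write(json.dumps(inc, sort_keys=True) + "\n")
            count += 1
    return count


# Constructed sample records (not real XSOAR output) so the script runs offline.
SAMPLE_INCIDENTS = [
    {"id": "101", "name": "Phishing report", "created": "2022-01-03T09:15:00Z", "severity": 2},
    {"id": "102", "name": "Malware alert", "created": "2022-02-11T17:40:00Z", "severity": 3},
    {"id": "103", "name": "Suspicious login", "created": "2022-03-20T02:05:00Z", "severity": 1},
]


def fake_fetcher(incidents: List[dict]) -> Fetch:
    """Simulate /incidents/search paging over an in-memory list (constructed)."""
    def fetch(filter_body: dict) -> dict:
        start = filter_body["page"] * filter_body["size"]
        rows = incidents[start:start + filter_body["size"]]
        return {"data": rows or None, "total": len(incidents)}
    return fetch


if __name__ == "__main__":
    # Hypothetical variable names; set both to export from a real tenant.
    base_url, api_key = os.environ.get("XSOAR_URL"), os.environ.get("XSOAR_API_KEY")
    fetch = xsoar_fetcher(base_url, api_key) if base_url and api_key else fake_fetcher(SAMPLE_INCIDENTS)
    out = sys.argv[1] if len(sys.argv) > 1 else "incidents-2022.ndjson"
    n = export_ndjson(fetch, "2022-01-01T00:00:00Z", "2022-12-31T23:59:59Z", out)
    print(f"wrote {n} incidents to {out}")
```

Run it with no environment variables and it pages through the constructed sample; with XSOAR_URL and XSOAR_API_KEY set it reads from the tenant instead. Pick the date range to match the month range you put in the support case, and keep in mind that, as the Artifacts note below explains, this kind of export carries incident fields only and cannot be linked back to artifacts afterwards.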
Once you have determined how you are going to store and view your archived data, submit a request to support as follows:
- Open a support case: https://support.paloaltonetworks.com
- Title the case ‘Archive [Environment Name] Data’
- Note the following in the body of the case:
- What to Archive
Request the specific range of months you want to archive. Example: Please archive data from January 2022 - December 2022
- When you want it to happen
Let support know if you require a specific archive window. Unless requested otherwise, the archive runs during the standard maintenance period, Sunday at 10AM Israel time (IST, UTC+2; IDT, UTC+3 during daylight saving). Expect roughly 1 hour of downtime.
- Request the backup data
If you want an on-prem reader solution, specify that you would like to receive a backup of the archived data. A download link will be provided after the archive process is complete.
Things to Consider
Archiving your hosted data is a fairly straightforward process, but there are several things to keep in mind before putting in a request.
- Audits: Do you have any upcoming audits? If so, what data will the auditors need?
- Artifacts: Do you need to archive artifacts? Only incident data is archived, not artifacts. While not common, there are times when artifact data is taking up most of the space. If you export incident data via API/GUI/SIEM, there is no way to link it back to the associated artifacts afterwards. Consider a temporary on-prem solution, or plan to store your artifacts separately from your incident data.
- Data: If you receive the archived data from support, it can only be read by an XSOAR environment running the same version and build that was installed at the time the data was archived. It is HIGHLY recommended that you download and store the installer for that version and build at the time of the archive; it may not be available for download after a period of time.
Q1: I only have one production and one dev environment. How can I get an on-premises instance?
A1: Contact your Account Team and request a developer license. It can be applied after you have installed the relevant version and build.
Q2: What resources are required to have an on-prem environment?
A2: Follow the system requirements for a dev machine.
Q3: If I have issues installing and reading the archived data on my on-prem environment, who can help?
A3: Support will assist on a best-effort basis.
Q4: Can support help export the data via the UI or to SIEM before the archive process begins?
A4: No. This is not supported. If you need more assistance before submitting an archive ticket, please contact your Premium Customer Success or Account Team.
Q5: Can data be restored after the archive?
A5: Yes. However, the restored data will take up the same, or more, storage space, so it will need to be archived again shortly after the restoration.
Q6: How long do you store archived data?
A6: Archived data is stored for 1 year.
Q7: How long does the archive process take?
A7: It can take up to 1 hour.