Allocate Log Storage for Cortex XDR
Cortex XDR licenses are based on Cortex Data Lake capacity. To view your licensed capacity, use the Customer Support Portal.
A Cortex XDR Prevent license grants you 30 days retention.
When you activate Cortex XDR, Cortex Data Lake assigns a default storage allocation for your logs and alerts. After you activate Cortex XDR, review and adjust your log storage allocation depending on your storage requirements.
Cortex Data Lake displays the current possible allocation but does not display the storage usage.
To allocate your log storage quota:
- Sign in to the Palo Alto Networks hub at https://apps.paloaltonetworks.com/.
- Select your Cortex Data Lake instance. If you have multiple Cortex Data Lake instances, select the Cortex Data Lake tile and then select the Cortex Data Lake instance from the list of available instances associated with your account. Cortex Data Lake displays the service status and your total logging storage capacity.
- Select Configuration to define logging storage settings. Cortex Data Lake displays the total storage allocated for the apps and services associated with the Cortex Data Lake instance. Cortex Data Lake depicts your storage allocation graphically. As you adjust your storage allocation, the graphic updates to display the changes to your storage policy. The Cortex Data Lake storage policy specifies the distribution of your total storage allocated to each app or service and the minimum retention warning (not supported with Cortex XDR).
- Allocate quota for Cortex XDR.
  - If you purchased quota for firewall logs, allocate quota to the Firewall log type. To use the same Cortex Data Lake instance for both firewall logs and Cortex XDR logs, you must first associate Panorama with the Cortex Data Lake instance before you can allocate quota for firewall logs.
  - Review your storage allocation for Cortex XDR according to the formula: 1TB for every 200 Cortex XDR Pro endpoints for 30 days. By default, 80% of your available storage for Cortex XDR is assigned to logs and data, and 20% is assigned to alerts. Use the default allocations as a starting point, then review the status of your Cortex Data Lake instance after about two weeks of data collection and make adjustments as needed.
  - Apply your changes.
- Monitor your data retention. Cortex XDR retains your endpoint data according to the allocated quota in Cortex XDR Data Lake. Make sure your data retention is sufficient for your environment.
  - From Cortex XDR, navigate to Cortex XDR License.
  - In the Endpoint XDR Data Retention section, review the following:
    - Current number of days your data has been stored in Cortex XDR Data Lake. The count begins as soon as you activate Cortex XDR.
    - Number of retention days permitted according to the quota you allocated.
  - If needed, update your Cortex XDR allocated quota.