Cortex XDR Licenses

Cortex XDR License Types

The following table describes the different license types that are available for Cortex XDR. If you do not know which license type you have, see License Monitoring.
Feature
Cortex XDR Prevent
Cortex XDR Pro per Endpoint
Cortex XDR Pro per TB
license-cortex-xdr-prevent.png
license-cortex-xdr-pro-endpoint.png
license-cortex-xdr-pro-network.png
Log storage
  • Minimum of 200 endpoints
  • 30 day log retention
  • Minimum of 200 endpoints
  • 30 day log retention
Minimum 5TB log storage
Endpoint management
check-mark.png
check-mark.png
EDR data collection
check-mark.png
Analytics
check-mark.png
check-mark.png
Device control
check-mark.png
check-mark.png
Script execution
check-mark.png
Host firewall
check-mark.png
check-mark.png
Disk encryption
check-mark.png
check-mark.png
Third-party alerts
check-mark.png
(API)
check-mark.png
External log ingestion
check-mark.png
Outbound integration and notification forwarding (Slack, Syslog)
check-mark.png
+ agent audit logs
check-mark.png
+ agent audit logs
check-mark.png

License Allocation

With Cortex XDR Prevent and Cortex XDR Pro per Endpoint licenses, Cortex XDR manages licensing for all endpoints in your organization. Each time you install a new Cortex XDR agent on an endpoint, the Cortex XDR agent registers with Cortex XDR to obtain a license. In the case of non-persistent VDI, the Cortex XDR agent registers with Cortex XDR as soon as the user logs in to the endpoint.
Cortex XDR issues licenses until you exhaust the number of license seats available. Cortex XDR also enforces a license cleanup policy to automatically return unused licenses to the pool of available licenses. The time at which a license returns to the license pool depends on the type of endpoint:
Endpoint Type
License Return
Agent Removal from Cortex XDR
Standard and mobile devices
  • The Cortex XDR agent is uninstalled.
  • The Cortex XDR agent is disconnected from Cortex XDR for more than 30 days.
1 year
(Non-Persistent) VDI
  • The Cortex XDR agent is uninstalled.
  • The Cortex XDR agent is disconnected from Cortex XDR for more than 90 minutes.
  • The user logs off or ends the session.
7 days
Temporary Session
  • The Cortex XDR agent is uninstalled.
  • The Cortex XDR agent is disconnected from Cortex XDR for more than 90 minutes.
7 days
If after a license is revoked the agent connects to Cortex XDR, reconnection will succeed as long as the agent has not been deleted.
It can take up to an hour for Cortex XDR to display revived endpoints.
Cortex XDR will notify you if you exceed the number of available licenses.

License Expiration

After your Cortex XDR license expires, Cortex XDR allows access to your tenant for an additional grace period of 48 hours. After the 48-hour grace period, Cortex XDR disables access to the Cortex XDR app until you renew the license.
For the first 30 days of your expired license, Cortex XDR continues to protect your endpoints and/or network and retains data in the Cortex Data Lake according to your Cortex Data Lake data retention policy and licensing. After 30 days the tenant is decommissioned.

License Monitoring

From the
gear.png
Cortex XDR License
dialog, you can view the license type associated with your Cortex XDR instance.
license-info.png
For each license you have, Cortex XDR displays a tile that has the expiration date of your license and additional details specific to your license type:
  • Cortex XDR Prevent—Displays the total number of concurrent agents permitted by your license. You can also view a graph of the current license allocation (total and percentage).
  • Cortex XDR Pro per Endpoint—Displays the total number of installed in addition to the number and percentage of agents that have EDR data collection enabled. Below the license card, you can also view the storage retention policy, total amount of storage allocated for endpoint XDR, and the actual data usage.
  • Cortex XDR Pro per TB—Displays the amount of total storage included with your license and the amount of storage used.
  • Combination of Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB—Cortex XDR Pro per Endpoint displays the total number of installed agents, while Cortex XDR Pro per TB displays how many agents are enabled with endpoint data collection, allowing them to collect and send data to the server.
Cortex XDR will send you a notification if you exceed the number of allowed agents.
To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR now displays a notification of changes made to your license when you log in. If any actions are required from you

Recommended For You