Allocate Log Storage for Cortex XDR

Cortex XDR licenses are based on Cortex Data Lake capacity. To view your licensed capacity, use the Customer Support Portal.
You receive Cortex Data Lake log storage based on the amount of storage associated with your Cortex® XDR™ Licenses. Generally, this capacity is determined by factors such as the size of your network and number of endpoints in your deployment.
You must be assigned the Instance Administrator role, or a higher role, for Cortex Data Lake in order to manage logging storage.
There are three types of Pro licenses.
  • Cortex XDR Pro per Endpoint (PAN-XDR-ADV-EP)
    —Grants ingestion and 30 days retention. If you want to save more than 30 days of endpoint data, you need to obtain more retention (PAN-XDR-RTN-TB).
  • Cortex XDR Cloud per Host (PAN-XDR-ADV-EP-CLOUD)
    —Grants ingestion and 30 days retention. If you want to save more than 30 days of cloud data, you need to obtain more retention (PAN-XDR-RTN-TB).
  • Cortex XDR Pro per TB (PAN-XDR-ADV-1TB)
    —Each license adheres to the following guidelines.
      • Allows ingesting up to 1 TB per month and no more than 33 GB per day.
      • Enables storing 1 TB of data.
      Cortex XDR Agent data and Cortex XDR Stitched data are not counted against your daily ingestion quota.
    —For retention enforcement, each license allows the storage of 1 TB of data.
    For a Cortex XDR Pro per TB license, your daily ingestion limit is your PAN-XDR-ADV-1TB license divided by 30. For example, if you purchased 90 PAN-XDR-ADV-1TB, you are allowed to ingest up to 3 TB per day. Your retention limit is your PAN-XDR-ADV-1TB license + PAN-XDR-RTN-1TB license. For example, if you purchased 9 PAN-XDR-ADV-1TB and 6 PAN-XDR-RTN-1TB, your retention capacity will be 15 TB.
To increase your capacity, contact your Palo Alto Network account representative.
When you activate Cortex XDR, Cortex Data Lake assigns a default storage allocation for your logs, EDR data, and alerts.
Some Cortex apps receive a default allocation, but with a Cortex XDR Pro per TB license you must manually allocate storage for firewall logs.
After you activate Cortex XDR, review and adjust your log storage allocation depending on your storage requirements.
Cortex Data Lake displays the current possible allocation but does not display the storage usage.
To allocate your log storage quota:
  1. Sign In to the Palo Alto Networks hub at
  2. Select your Cortex Data Lake instance.
    If you have multiple Cortex Data Lake instances, select the Cortex Data Lake tile and then select the Cortex Data Lake instance from the list of available instances associated with your account.
    Cortex Data Lake displays the service status and your total logging storage capacity.
  3. Select to define logging storage settings.
    Cortex Data Lake displays the total storage allocated for the apps and services associated with the Cortex Data Lake instance.
    The Cortex Data Lake depicts your storage allocation graphically. As you adjust your storage allocation, the graphic updates to display the changes to your storage policy. The Cortex Data Lake storage policy specifies the distribution of your total storage allocated to each app or service and the minimum retention warning (not supported with Cortex XDR).
  4. Allocate quota for Cortex XDR.
    1. If you purchased quota for firewall logs, allocate quota to the log type.
      To use the same Cortex Data Lake instance for both firewall logs and Cortex XDR logs, you must first associate Panorama with the Cortex Data Lake instance before you can allocate quota for firewall logs.
    2. Review your storage allocation for Cortex XDR according to the formula:
      1TB for every 200 Cortex XDR Pro endpoints for 30 days
      By default, 80% of your available storage for Cortex XDR is assigned to logs and data, and 20% is assigned to alerts. Use the default allocations as a starting point; it is recommended to review the status of your Cortex Data Lake instance after about two weeks of data collection and make adjustments as needed.
      Use the Cortex Data Lake Calculator to calculate how many logs are ingested and add additional TBs accordingly.
  5. Apply your changes.
  6. Monitor your data retention.
    Cortex XDR retains your endpoint data according to the allocated quota in Cortex XDR Data Lake. Make sure your data retention is sufficient for your environment.
    By default, Cortex XDR will not remove data that is less than 30 days old; however, you must allocate the quota in order for Cortex XDR to support that retention.
    1. From Cortex XDR, select Settings ( ) Cortex XDR License.
    2. In the Endpoint XDR Data Retention section, review the following:
      • Current number of days your data has been stored in Cortex XDR Data Lake. The count begins as soon as you activate Cortex XDR.
      • Number of retention days permitted according to the quota you allocated.
    3. If needed, update your Cortex XDR allocated quota.
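The licensing rules above (daily ingestion limit = PAN-XDR-ADV-1TB units divided by 30, retention capacity = PAN-XDR-ADV-1TB plus PAN-XDR-RTN-1TB) and the sizing rule in step 4 (1 TB for every 200 Cortex XDR Pro endpoints for 30 days, split 80/20 between logs and alerts by default) can be checked before you touch the allocation screen. The following capacity-planning helper is an added example written for this page; it is not Palo Alto Networks tooling, and the class, function names and the constructed scenario in it are this example's own. Scaling the 200-endpoint rule linearly to retention periods other than 30 days is an assumption, as is treating firewall logs as the only data counted against the daily ingestion quota (the page states that agent and stitched data are not counted).

```python
"""Capacity-planning helper for Cortex XDR Pro per TB licensing.

Added example; not Palo Alto Networks tooling. Encodes the sizing rules
stated on this page:
  - daily ingestion limit = PAN-XDR-ADV-1TB units / 30, in TB per day
  - retention capacity    = PAN-XDR-ADV-1TB units + PAN-XDR-RTN-1TB units, in TB
  - endpoint sizing rule  = 1 TB for every 200 Pro endpoints for 30 days
  - default split of the Cortex XDR allocation: 80% logs and data, 20% alerts
Class and function names are this example's own.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class ProPerTbLicense:
    adv_1tb: int  # PAN-XDR-ADV-1TB units purchased
    rtn_1tb: int  # PAN-XDR-RTN-1TB units purchased

    def daily_ingestion_limit_tb(self) -> float:
        # Page rule: the daily limit is the ADV-1TB license count divided by 30.
        return self.adv_1tb / 30

    def retention_capacity_tb(self) -> int:
        # Page rule: retention capacity is ADV-1TB plus RTN-1TB.
        return self.adv_1tb + self.rtn_1tb


def endpoint_storage_tb(endpoints: int, retention_days: int = 30) -> float:
    """Storage implied by '1 TB per 200 Cortex XDR Pro endpoints for 30 days'.

    Assumption: usage scales linearly with endpoint count and retention days.
    """
    return (endpoints / 200) * (retention_days / 30)


def split_allocation(total_tb: float, logs_share: float = 0.80):
    """Split an allocation into (logs and data, alerts) using the 80/20 default."""
    logs = total_tb * logs_share
    return logs, total_tb - logs


def plan(lic: ProPerTbLicense, endpoints: int, retention_days: int,
         firewall_tb_per_day: float = 0.0) -> dict:
    """Check a deployment against the purchased license.

    Assumption: only firewall ingestion counts against the daily limit
    (the page says agent and stitched data do not), while both endpoint
    data and firewall logs occupy retention capacity.
    """
    daily_limit = lic.daily_ingestion_limit_tb()
    capacity = lic.retention_capacity_tb()
    needed = (endpoint_storage_tb(endpoints, retention_days)
              + firewall_tb_per_day * retention_days)
    per_day = endpoint_storage_tb(endpoints, 1) + firewall_tb_per_day
    # Whole days of retention the purchased capacity can actually hold.
    max_days = math.floor(capacity / per_day) if per_day > 0 else None
    return {
        "daily_limit_tb": daily_limit,
        "daily_ingestion_ok": firewall_tb_per_day <= daily_limit,
        "retention_capacity_tb": capacity,
        "retention_needed_tb": needed,
        "retention_ok": needed <= capacity,
        "max_retention_days": max_days,
    }


if __name__ == "__main__":
    # Constructed scenario: the page's 9 ADV-1TB + 6 RTN-1TB purchase,
    # 1000 Pro endpoints, 30 days wanted, 0.2 TB/day of firewall logs.
    result = plan(ProPerTbLicense(adv_1tb=9, rtn_1tb=6), endpoints=1000,
                  retention_days=30, firewall_tb_per_day=0.2)
    for key, value in result.items():
        print(f"{key}: {value}")
    logs_tb, alerts_tb = split_allocation(result["retention_capacity_tb"])
    print(f"default split: {logs_tb:.1f} TB logs/data, {alerts_tb:.1f} TB alerts")
```

Run it with your own license counts and endpoint numbers; if `retention_ok` is false or `max_retention_days` falls below the retention you need, that is the point at which to obtain more PAN-XDR-RTN-1TB capacity or lower the firewall log volume sent to the instance, and the 80/20 split is the allocation to revisit after the two weeks of collection the page recommends.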