Allocate Log Storage for Cortex XDR

Cortex XDR licenses are based on Cortex Data Lake capacity. To view your licensed capacity, use the Customer Support Portal.
You receive Cortex Data Lake log storage based on the amount of storage associated with your Cortex XDR Licenses. Generally, this capacity is determined by factors such as the size of your network and number of endpoints in your deployment.
Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB licenses grant a daily ingestion quota equal to the licensed number of TBs divided by 30, in addition to the same number of TBs in storage.
For example, for Cortex XDR Pro per TB 10:
  • Daily ingestion quota calculated according to 10TB / 30 = 333GB
  • Storage = 10TB
To increase your capacity, contact your Palo Alto Networks account representative.
When you activate Cortex XDR, Cortex Data Lake assigns a default storage allocation for your logs, EDR data, and alerts.
While some Cortex apps receive a default allocation, with a Cortex XDR Pro per TB license, you must manually allocate storage for firewall logs.
After you activate Cortex XDR, review and adjust your log storage allocation depending on your storage requirements.
Cortex Data Lake displays the current possible allocation but does not display the storage usage.
To allocate your log storage quota:
  1. Sign In to the Palo Alto Networks hub at https://apps.paloaltonetworks.com/.
  2. Select your Cortex Data Lake instance.
    If you have multiple Cortex Data Lake instances, select the Cortex Data Lake tile and then select the Cortex Data Lake instance from the list of available instances associated with your account.
    Cortex Data Lake displays the service status and your total logging storage capacity.
  3. Select Configuration to define logging storage settings.
    Cortex Data Lake displays the total storage allocated for the apps and services associated with the Cortex Data Lake instance.
    Cortex Data Lake depicts your storage allocation graphically. As you adjust your storage allocation, the graphic updates to display the changes to your storage policy. The Cortex Data Lake storage policy specifies how your total storage is distributed among the apps and services, and the minimum retention warning (not supported with Cortex XDR).
  4. Allocate quota for Cortex XDR.
    1. If you purchased quota for firewall logs, allocate quota to the Firewall log type.
      To use the same Cortex Data Lake instance for both firewall logs and Cortex XDR logs, you must first associate Panorama with the Cortex Data Lake instance before you can allocate quota for firewall logs.
    2. Review your storage allocation for Cortex XDR according to the formula:
      1TB for every 200 Cortex XDR Pro endpoints for 30 days
      By default, 80% of your available storage for Cortex XDR is assigned to logs and data, and 20% is assigned to alerts. It is recommended to use the default allocations as a starting point, then review the status of your Cortex Data Lake instance after about two weeks of data collection and make adjustments as needed.
      Use the Cortex Data Lake Calculator to calculate how many logs are ingested and add additional TBs accordingly.
  5. Apply your changes.
  6. Monitor your data retention.
    Cortex XDR retains your endpoint data according to the allocated quota in Cortex XDR Data Lake. Make sure your data retention is sufficient for your environment.
    By default, Cortex XDR will not remove data that is less than 30 days old; however, you must allocate the quota in order for Cortex XDR to support the retention.
    1. From Cortex XDR, navigate to the gear icon and select Cortex XDR License.
    2. In the Endpoint XDR Data Retention section, review the following:
      • Current number of days your data has been stored in Cortex XDR Data Lake. The count begins as soon as you activate Cortex XDR.
      • Number of retention days permitted according to the quota you allocated.
    3. If needed, update your Cortex XDR allocated quota.
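
The sizing rules from the license description and from steps 4 and 6 above, combined into one pre-allocation check. This is an added example, not Palo Alto Networks code. The function and field names are hypothetical, and it assumes that firewall quota is carved out of the licensed total, that the endpoint formula covers the whole Cortex XDR allocation, and that retention scales linearly with allocated storage.

```python
import math
from dataclasses import dataclass

# Values stated on the page.
ENDPOINTS_PER_TB = 200   # 1 TB for every 200 Cortex XDR Pro endpoints ...
BASELINE_DAYS = 30       # ... for 30 days
QUOTA_DIVISOR = 30       # daily ingestion quota = licensed TB / 30
LOGS_SHARE = 0.80        # default split: 80% logs and data, 20% alerts
GB_PER_TB = 1000         # decimal units, matching 10TB / 30 = 333GB

@dataclass
class SizingPlan:
    daily_ingest_gb: float   # daily ingestion quota
    xdr_tb: float            # storage left for Cortex XDR
    logs_tb: float           # default logs-and-data share
    alerts_tb: float         # default alerts share
    required_tb: float       # storage the formula asks for at target_days
    est_retention_days: int  # estimated days the XDR allocation can hold
    shortfall_tb: float      # 0.0 when the allocation meets the target

def plan(licensed_tb, endpoints, firewall_tb=0.0, target_days=BASELINE_DAYS):
    """Apply the page's rules; the assumptions are labelled in the lead-in."""
    if licensed_tb <= 0 or endpoints <= 0 or target_days <= 0:
        raise ValueError("licensed_tb, endpoints, target_days must be positive")
    if not 0 <= firewall_tb < licensed_tb:
        raise ValueError("firewall_tb must be >= 0 and below licensed_tb")
    xdr_tb = licensed_tb - firewall_tb            # assumption: shared total
    endpoint_days_per_tb = ENDPOINTS_PER_TB * BASELINE_DAYS
    required_tb = endpoints * target_days / endpoint_days_per_tb
    logs_tb = xdr_tb * LOGS_SHARE
    return SizingPlan(
        daily_ingest_gb=licensed_tb * GB_PER_TB / QUOTA_DIVISOR,
        xdr_tb=xdr_tb,
        logs_tb=logs_tb,
        alerts_tb=xdr_tb - logs_tb,
        required_tb=required_tb,
        # assumption: retention scales linearly with allocated storage
        est_retention_days=math.floor(xdr_tb * endpoint_days_per_tb / endpoints),
        shortfall_tb=max(0.0, required_tb - xdr_tb),
    )

if __name__ == "__main__":
    # Constructed sample: 10 TB license, 2000 endpoints, 2 TB given to firewall logs.
    print(plan(licensed_tb=10, endpoints=2000, firewall_tb=2))
```

The estimate is a planning figure only; the Endpoint XDR Data Retention section in Cortex XDR remains the authoritative view of the retention days your quota permits.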
