Manage Logging Storage for Cortex XDR

Cortex XDR licenses are purchased based on Cortex Data Lake capacity. Generally, this capacity is determined by factors such as the size of your network and the number of endpoints in your deployment. To view your licensed capacity, use the Customer Support Portal. To increase your capacity, contact your Palo Alto Networks account representative.
When you activate your Cortex XDR apps, your log storage is unallocated. To allocate your log storage quota:
  1. Sign in to the Cortex hub at https://apps.paloaltonetworks.com/.
  2. Select your Cortex Data Lake instance.
    If you have multiple Cortex Data Lake instances, select the Cortex Data Lake tile and then select the Cortex Data Lake instance from the list of available instances associated with your account.
    Cortex Data Lake displays the service status and your total logging storage capacity.
  3. Select Configuration to define logging storage settings.
    Cortex Data Lake displays the total storage allocated for the apps and services associated with the Cortex Data Lake instance. It presents this information graphically and adjusts the graphic based on the storage policy you define below. The storage policy specifies how your total storage is distributed to each app or service, along with the minimum retention warning (not supported with Traps management service).
  4. Allocate quota for each app and service.
    Use the arrows to increment or decrement existing allocations or enter a new quota percentage.
    You cannot exceed 100% log storage allocation. If your total allocated quota is already at 100% for other non-Cortex XDR apps or services, reduce the quota for those apps or services to free up storage.
    1. If you purchased quota for firewall logs, allocate quota to the Firewall log type.
      To use the same Cortex Data Lake instance for both firewall logs and Traps logs, you must first associate Panorama with the Cortex Data Lake instance before you can allocate quota for firewall logs.
    2. If you purchased quota for Traps logs, allocate quota to the Traps log type.
      While the distribution of Traps logs depends on your storage needs, a good starting point is to allocate Traps logs as recommended for Traps management service. Review the status of your Cortex Data Lake instance after about two weeks of data collection and make adjustments as needed.
    3. Allocate quota to the Cortex XDR – Investigation and Response log type.
      Because Cortex XDR – Investigation and Response alerts do not require a lot of storage, you typically need to allocate less than 1% of your total allocated storage.
    4. Allocate quota to the Cortex XDR – Analytics log type.
      Cortex XDR – Analytics alerts also do not require a lot of storage, so you can similarly allocate less than 1% of your total allocated storage for analytics alert logs.
  5. Apply your changes.
