mattv
Level 8

Host DLP - Keeping Incidents Longer than One Year

We have DLP 9.3 deployed to our endpoints and, as configured, we are keeping logs of all files written to removable media for 1 year. Now that we've had it out there for a while, we're interested in starting to keep records of these incidents longer, perhaps indefinitely. Can anyone point me in the right direction? It seems any search terms I can come up with to phrase this question are so generic I've had no luck searching the forum or Google.

0 Kudos
3 Replies
willsonlebig
Level 11

Re: Host DLP - Keeping Incidents Longer than One Year

Hello mattv,

After 1 year, you never see the incidents?

Do you want to back up old incidents?

Please tell us exactly the issue you are facing with DLP 9.3 and then what you would like DLP 9.3 to do for you.

0 Kudos
tonyw
Level 12

Re: Host DLP - Keeping Incidents Longer than One Year

How many records in the database are we talking about for retention?

Do your security needs really require you to keep incident data for longer than 6 months or a year? There's no reason it wouldn't work to keep the data in the database and on the evidence share; your only limit would be how many resources you are going to be able to throw at your SQL server and evidence server.

0 Kudos
bphang
Level 10

Re: Host DLP - Keeping Incidents Longer than One Year

By default, the Host DLP solution does not purge incidents unless you tell it to do so (DLP Policy Manager - [very bottom left] Database Administration).

Just be ready to have infinite space for your SQL DB and Evidence store and you will be OK.

0 Kudos