Incident Management: Set a Retention Period for Alerts and Incidents

Document created by RSA Information Design and Development Employee on Oct 24, 2017Last modified by RSA Information Design and Development Employee on Jan 29, 2018
Version 2Show Document
  • View in full screen mode

Sometimes data privacy officers want to retain data for a certain period of time and then delete it. A shorter retention period frees up disk space sooner. In some cases, the retention period must be short. For example, laws in Europe state that sensitive data cannot be retained for more than 30 days. After 30 days, the data must be obfuscated or deleted.

Setting a retention period for data is an optional procedure. The time that Incident Management receives alerts and creates an incident determine when retention begins. Retention periods range from 30 to 365 days. If you set a retention period, one day after the period ends data is permanently deleted.

Retention is based on the time that IM receives the alerts and the incident creation time.

Caution: Data deleted after the retention period cannot be recovered.

When the retention period expires, the following data is permanently deleted:

  • Alerts
  • Incidents
  • Remediation tasks
  • Journal entries
  • Attachments for the above

Logs track retention and manual deletion so you can see what has been deleted. To see im.log, click Administration > Services. Select an Incident Management service and click View > Logs. To see audit logs, go to /opt/rsa/im/logs on Security Analytics server.

The feature does not apply to Archer or other third-party SOC tools. Alerts and incidents from other systems must be deleted separately.


The Administrator role must be assigned to you.


  1. In the Security Analytics menu, select Incidents > Configure.
    The Configure panel is displayed with the Aggregation Rules tab open.
  2. Select the Retention Scheduler tab.

  3. Select Enable data retention scheduler to delete incidents and alerts older than the retention period.
    The scheduler runs every 24 hours at 23:00.
  4. In the Retain incidents and alerts for field, select 30, 60, 90, 120 or 365 days or type any number.
  5. Click Apply.


Within 24 hours after the retention period ends, the scheduler permanently deletes all alerts and incidents older than the specified period from the Incident Management module. Journal entries and remediation tasks associated with the deleted incidents are also deleted.

You are here
Table of Contents > Automate the Incident Management Process > Set a Retention Period for Alerts and Incidents