About data policies

Data policies help define data retention criteria for incoming data that is ingested and stored in the Intelligence Center.

Entities and observables matching the specified policy criteria are deleted when their retention period expires.

The process removes also any relationships that may be left dangling after removing entities and observables with relationships.

This approach enables setting up rules to handle ingested data, so that it complies with applicable norms and regulations concerning fair data management and privacy.

For example, GDPR-compliant countries enforce specific criteria to control data retention and PII data usage.

View policies

Policies are listed in Data configuration (images/download/attachments/82474943/robot.svg-x24.png ) > Policies.

images/download/attachments/82474943/data-retention-policies-list.png

Policy overview

In Data configuration (images/download/attachments/82474943/robot.svg-x24.png ) > Policies, select a policy to open it.

In the policy overview, we can see the following tabs:

Tab name

Description

Details

Policy details

Logs

A list of policy runs and their status.

History

A list of when the policy was modified.

The Details tab displays:

Status and schedule

Field name

Description

Policy status

Shows if a policy is ENABLED, DISABLED, or Run manually (policy has no execution schedule).

Last run

Shows date, time, and status of the run.

Execution schedule

Shows this policy’s set schedule.

Deleted items

Shows the total number of items deleted by this policy.

Metadata

Field name

Description

Created

Date and time this policy was created.

Last updated

Date and time this policy was last modified.

Description

Shows the description for this policy.

Scope

Field name

Description

Retention period

Shows the retention period for this policy.

Sources

Shows the list of sources this policy is run against.

Actions

Field name

Description

Delete entities

Shows the types of entities this policy is run against.

Delete observables

Delete observables actions are skipped by default from 2.12.0 onwards because of performance issues.

(Not recommended) To enable Delete observables actions, see Update the settings.

Shows the types of observables this policy is run against.

Exceptions

Field name

Description

Exceptions

Shows the list of exceptions and whether they are enabled for this policy.

Entities with these tags are excluded from the policy scope

Shows the list of tags that are excluded from this policy.