About data policies
Data policies help define data retention criteria for incoming data that is ingested and stored in the Intelligence Center.
Entities and observables matching the specified policy criteria are deleted when their retention period expires.
The process removes also any relationships that may be left dangling after removing entities and observables with relationships.
This approach enables setting up rules to handle ingested data, so that it complies with applicable norms and regulations concerning fair data management and privacy.
For example, GDPR-compliant countries enforce specific criteria to control data retention and PII data usage.
View policies
Policies are listed in Data configuration (
) > Policies.
Policy overview
In Data configuration (
) > Policies, select a policy to open it.
In the policy overview, we can see the following tabs:
|
Tab name |
Description |
|
Details |
Policy details |
|
Logs |
A list of policy runs and their status. |
|
History |
A list of when the policy was modified. |
The Details tab displays:
Status and schedule
|
Field name |
Description |
|
Policy status |
Shows if a policy is ENABLED, DISABLED, or Run manually (policy has no execution schedule). |
|
Last run |
Shows date, time, and status of the run. |
|
Execution schedule |
Shows this policy’s set schedule. |
|
Deleted items |
Shows the total number of items deleted by this policy. |
Metadata
|
Field name |
Description |
|
Created |
Date and time this policy was created. |
|
Last updated |
Date and time this policy was last modified. |
|
Description |
Shows the description for this policy. |
Scope
|
Field name |
Description |
|
Retention period |
Shows the retention period for this policy. |
|
Sources |
Shows the list of sources this policy is run against. |
Actions
|
Field name |
Description |
|
Delete entities |
Shows the types of entities this policy is run against. |
|
Delete observables |
Delete observables actions are skipped by default from 2.12.0 onwards because of performance issues. (Not recommended) To enable Delete observables actions, see Update the settings. Shows the types of observables this policy is run against. |
Exceptions
|
Field name |
Description |
|
Exceptions |
Shows the list of exceptions and whether they are enabled for this policy. |
|
Entities with these tags are excluded from the policy scope |
Shows the list of tags that are excluded from this policy. |