Create data policies#

To create a data retention policy:

Go to Data configuration () > Policies.
Select + (Create retention policy).

Then in the Create retention policy panel that opens, fill out fields in these sections:

Note

Required fields are marked with an asterisk (*).

General #

Field name	Description
Name*	Set the name for this policy
Policy description	Set a description for this policy
Enable after saving	Select to enable this policy after saving.

Actions #

Set an action for the policy to perform when run. You can set 1 action per policy.

Warning

Actions set here are irreversible once performed by the policy.

Delete entities #

Set this policy to delete targeted entities.

In the Entity types* field, select one or more entity types to target with the policy.

When a policy with a set Delete entities action runs, it deletes all entities:

that have the set Entity types
that are within the set Scope

Note

Delete entities policies do not delete observables related to entities targeted by this policy. They are left behind as orphaned observables. The policy will target orphaned observables in a future release.

../../../../_images/delete-entities.svg.png

Delete observables and related entities #

Set this policy to delete targeted observables, and their directly related entities and observables.

You can select the following options:

Note

Required fields are marked with an asterisk (*).

Field name	Description
Include Observable types*	Select one or more observable types. Only observables with these types are deleted.
Include related Entity types	Select one or more entity types. If at least one entity type is selected, only entities of the selected types are deleted by this policy. If no entity types are selected, no entities will be deleted by this policy.

Field name

Description

Include Observable types*

Select one or more observable types. Only observables with these types are deleted.

Include related Entity types

Select one or more entity types. If at least one entity type is selected, only entities of the selected types are deleted by this policy.

If no entity types are selected, no entities will be deleted by this policy.

When a policy with this action runs, it deletes all observables:

that have the observable type set in Include Observable types
entities that are directly related to the observable that match options set in Include related Entity types
that are within the set Scope
related observables that have the target observable as their only relation

Delete observables and related entities policy action#

Delete incoming feeds packages #

Set this policy to delete all packages downloaded by incoming feeds within the set scope.

Incoming feeds store raw data downloaded from the sources that they integrate with. These packages are available in the Downloaded packages tab of an incoming feed.

Removing downloaded packages from an incoming feed means that:

Download original for entities ingested by that feed are no longer available
Reingest failed to reingest failed packages are no longer available, unless Exclude packages that are not ingested with success is selected for this policy.

Delete outgoing feeds packages #

Set this policy to delete all packages created by outgoing feeds within the set scope.

Outgoing feeds create packages when they run. These packages are subsequently distributed according to the transport type configuration. These packages are available in the Created packages tab of an outgoing feed.

Removing created packages from an outgoing feed means that:

For the defined scope of this policy, previously delivered packages are no longer available.
Historically delivered packages are no longer available.

Note

If you find that this policy has removed certain packages that a recipient still expects to retrieve, you must re-run the feed to create the packages again, or create a new feed.

To have a feed re-pack and create all packages for their selected datasets, use the REPLACE update strategy and run the feed.

Scope #

You can set one scope per policy.

Field name	Description
Delete after*	Enter a number. Depends on Period and Starting from fields.
Period*	Sets the length of time that the Delete after field would indicate. Select a period of time: `Days` `Weeks` `Months` `Years`
Starting from*	Sets the parameter from which this policy’s scope is measured. Select one of the following: `Ingestion`: Starts counting from the date and time a given object is ingested. `Update`: Starts counting from the date and time a given object was last updated. (Only for Delete entities action) `Estimated threat start time` : Starts counting from the date and time a threat is estimated to have become active. `Estimated threat end time` : Starts counting from the date and time a threat is estimated to cease being active. `Estimated observed time` : Starts counting from the date and time the threat is estimated to have been observed. For more information, see time estimates for entities.
Sources*	(Only for actions: Delete entities, Delete observables and related entities) Select at least one source. This policy only targets entities and observables belonging to these sources.
Feeds*	(Only for actions: Delete incoming feeds packages, Delete outgoing feeds packages) Select one or more feeds. This policy only targets packages belonging to these feeds.

Exceptions #

Set exceptions for this policy.

Exceptions for Delete entities and Delete observables and related entities actions #

Field name	Description
Exclude data in static datasets	Select to exclude objects that are part of at least one static dataset (a dataset without Dynamic enabled).
Exclude data in user tasks	Select to exclude objects that are included in at least one user task ().
Exclude data in workspace public dashboards	Select to exclude objects that are pinned to the dashboards of at least one Listed or public workspace.
Exclude master entities in entity rules	Select to exclude entities that are set as Master entities in entity rules that perform a Merge similar operation.
Exclude draft entities	(Not available)
Exclude entities with these tags	Select one or more tags. Entities with these tags are not targeted by this policy.

Exceptions for Delete incoming feed packages action #

Field name	Description
Exclude packages that are not ingested with success	Select to exclude packages that do not have a Success state (i.e. were not ingested successfully).
Exclude packages that are in progress of ingestion	Select to exclude packages that are being processed and ingested at the time of policy run.

Exceptions for Delete outgoing feeds packages action #

Field name	Description
Exclude packages that are not created successfully	Select to exclude packages that do not have a Success state (i.e. were not created successfully).
Exclude packages that are in progress of creation	Select to exclude packages that are being processed and created at the time of policy run.

Schedule #

Field name	Default	Description
Execution schedule	`None`	Set how frequently this policy should run.

Save the policy #

Once done, you can:

Save and run now: Select to save the policy and immediately run it.
Save: Saves the policy.