Will deleting older incidents generated by a Discover scan impact incremental scans?
Once old incidents are deleted, is it no longer possible to start an incremental scan because the older incidents are not there?
Will it impact the “already seen” information of incidents and start the scan from the beginning rather than from where it left off last time, as there are no incidents from the last scan to refer to?
If we delete those incidents the “incremental” scan is de facto not possible, so unless you confirm that deleting those incidents will not impact our capability to get the “already seen” info on events or our capability to launch incremental scans to speed up discovery.
Release : 15.7.x and 15.8.x
Component : Discover Detection Server
Incremental indexes are built off an index which is stored on disk. This index is what determines whether a file gets scanned. Deleting incidents has nothing to do with it, because incidents do not come into play at that point.
Other factors do come into play during the scan, such as whether a file has changed, but these also have nothing to do with the incident itself. So deleting an incident should have no impact here.
What does affect how incremental scans work, and whether you should run a new full scan with or without incremental scanning, is whether the policy changes between scans. Incidents and their deletion come after full scan indexing.