Is there a retention setting in Information Centric Analytics (ICA) for Data In Motion (DIM) incidents imported from Symantec Data Loss Prevention (DLP)? Does the portal setting 'Number of days of data in LDW_EventDetail' apply to DIM events?

Release : 6.x

Component : Symantec Data Loss Prevention Integration Pack

The portal settings 'Number of days of data in LDW_EventDetail' and 'Number of days of data in LDW_EventDetailArchive' only apply to Unified Event (UE) types:

• Authentication (AE)
• Endpoint (EP)
• Web Activity (WA)

By design, DIM incidents imported from DLP are archived in ICA once they are deleted in the source system. When an incident is deleted in DLP, it is marked as archived in the RiskFabric relational database and is no longer included in the following:

• DIM incident measures in the cube
• Normality scoring
• Risk scoring
• Event scenario instances
• Risk model instances

Archived incidents are also no longer visible in the Risk Fabric console.

If DIM incidents and their related information need to be purged from ICA, contact Broadcom Support for assistance.