Symantec EDR endpoint search retention policy

Article ID: 266764

Products

Endpoint Detection and Response

Issue/Introduction

Endpoint searches, including failed searches, remain visible on the EDR appliance console for a long time.

Environment

EDR appliances

Cause

This is as designed: searches are purged according to the retention policy below.

Resolution

The Symantec EDR search result retention policy is as follows:

  1. Symantec EDR retains no more than 100 searches at a time.
  2. Some searches in the Error state (red X icon), such as searches on empty groups, are exempt from the 100-search limit.
  3. No search, regardless of the state, remains for more than 180 days.