Adjusting Security Intelligence NTA Event Retention
Article ID: 383793
Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

NTA events are generated by detectors and stored in PostgreSQL by nta-server. By default, these events are retained for 30 days, after which they are deleted. In some customer environments it may be desirable to adjust this retention period.

The retention period (in days) is set through the nta-server configmap.

Environment

SSP 5.0

Cause

NTA events are stored for 30 days past their last detection time. In environments that generate many NTA events, the retention may need to be reduced to lower storage consumption.

Resolution

Configuring Retention

Step 1: Access SSPI as root

Step 2: Edit the nta-server configmap and add or adjust the setting nta.event.maxEventRetentionDays

# 'k' is used below as shorthand for kubectl
k -n nsxi-platform edit configmap nta-server-app

# insert or adjust the following under "data"; the value is the retention in days
data:
  nta:                           # already exists; add it if missing
    event:                       # already exists; add it if missing
      maxEventRetentionDays: <days>   # add this field, e.g. the number of days to keep events

Step 3: Restart the nta-server pod

k -n nsxi-platform rollout restart deployment/nta-server

The job is run in the nta-server pod and is triggered once daily at 3:00. The spring schedule string is "0 0 3 ? * * *".

The older events will still be in the system and visible until the job is run.

There is no way to adjust the schedule or trigger the job manually at this time. If events need to be purged immediately, follow the below steps.

Purging Old Events Immediately

Step 1: Access SSPI as root

Step 2: Open the PostgreSQL prompt

k -n nsxi-platform get pods | grep postgres
# look for the "postgresql-ha-postgresql-0" pod

k -n nsxi-platform exec -it <postgres pod> -- bash

# inside the postgres pod
env | grep POSTGRES_PASSWORD   # shows the database password
psql pace                      # enter the password from above when prompted

Step 3: Issue the SQL query

# last_detected_time is stored as an epoch timestamp in milliseconds
delete from nta.event where last_detected_time < <epoch_timestamp_ms>;

The output should be the number of rows deleted.
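The cutoff value in Step 3 is easy to get wrong (seconds versus milliseconds, off-by-one days), so the following POSIX shell helper, added here as an example and not part of the original article, derives the epoch-millisecond cutoff from a retention in days and prints the statements to paste at the psql prompt opened in Step 2. It assumes, as the article's DELETE does, that nta.event.last_detected_time holds epoch milliseconds; the function names and the preview SELECT are additions of this example, not something nta-server ships.

```shell
#!/bin/sh
# Added helper for the manual purge: derive the epoch-millisecond cutoff from a
# retention in days and print the SQL to run against the "pace" database.
# Assumes nta.event.last_detected_time holds epoch milliseconds (as in the
# article's DELETE statement); function names are this example's own.

# retention_cutoff_ms DAYS [NOW_EPOCH_SECONDS]
# Prints the cutoff in epoch milliseconds. NOW defaults to the current time;
# passing it explicitly makes the result reproducible.
retention_cutoff_ms() {
  days=$1
  now=${2:-$(date +%s)}
  case "$days" in
    ''|*[!0-9]*)
      echo "retention_cutoff_ms: DAYS must be a non-negative integer" >&2
      return 1 ;;
  esac
  echo $(( (now - days * 86400) * 1000 ))
}

# purge_sql DAYS [NOW_EPOCH_SECONDS]
# Prints a preview SELECT, then the DELETE inside an open transaction, so the
# operator can compare the "DELETE n" row count with the preview and type
# COMMIT; (or ROLLBACK; if the count is not what was expected).
purge_sql() {
  cutoff=$(retention_cutoff_ms "$1" "$2") || return 1
  printf '%s\n' \
    "-- events last detected more than $1 day(s) ago; cutoff ${cutoff} (epoch ms)" \
    "SELECT count(*) FROM nta.event WHERE last_detected_time < ${cutoff};" \
    "BEGIN;" \
    "DELETE FROM nta.event WHERE last_detected_time < ${cutoff};" \
    "-- check the DELETE row count against the SELECT, then COMMIT; or ROLLBACK;"
}

# Example: statements for a 30-day retention evaluated against the current time.
# purge_sql 30
```

Run `purge_sql 30` on the SSPI shell and paste its output at the psql prompt; the transaction is left open on purpose so that an unexpected row count can be rolled back instead of being committed.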