Symantec Endpoint Detection and Response regularly monitors the amount of data that you have in your internal databases. Symantec EDR performs this task to ensure that the database does not grow uncontrollably and consume too much disk storage space. When your database reaches a certain threshold, Symantec EDR automatically purges it.
Symantec EDR automatically performs the following types of database purges:
Symantec EDR performs a daily purge of any data in your databases that is more than 6 months old, regardless of whether your storage space threshold is exceeded.
Storage space usage
Every 15 minutes, Symantec EDR checks the size of your databases to ensure that your data does not exceed 85% of your storage space. If your data exceeds this threshold, Symantec EDR purges roughly 10% of your data, beginning with the oldest records.
When this type of purge occurs, Symantec EDR logs a system activity event that lists the types of database records that were deleted.
Symantec EDR performs only one type of purge at a time. It also purges only one type of data at a time, moving on to the next type only if usage is still above the storage space threshold. Database records are purged in the following order:
RRS (Reputation Request Score) events
Symantec EDR only retains RRS events for 30 days, regardless of whether your storage space threshold is exceeded.
Endpoint Activity Recorder dumps
Symantec EDR only retains your five most recently completed Endpoint Activity Recorder dumps.
Completed, terminated, and in-progress commands (for example, saved searches and their results, or searches that are currently running)
Symantec EDR only retains your most recent 1000 commands, regardless of their age or whether your storage space threshold is exceeded. These commands include your most recent 900 non-search commands (for example, when you delete a file or quarantine an endpoint). They also include your most recent 100 search commands (for example, when you search for a suspicious file).
Security events, incidents, and system activity events
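As an added illustration (this is not Symantec's code), the following Python model applies the retention rules and the ordered storage purge described above to constructed records, so you can see which record kinds a threshold purge removes first and which would be named in the logged system activity event. The 183-day figure for six months, the record sizes and the exact stopping rule (free roughly 10% of the data) are assumptions.

```python
from dataclasses import dataclass

# Documented purge order: the oldest records of one kind go before the next kind is touched.
PURGE_ORDER = ("rrs_event", "ear_dump", "command", "security_event")
MAX_AGE_DAYS = 183           # daily purge of data older than 6 months (183 days is an assumption)
RRS_MAX_AGE_DAYS = 30        # RRS events are retained for 30 days only
MAX_EAR_DUMPS = 5            # five most recently completed Endpoint Activity Recorder dumps
MAX_NON_SEARCH_COMMANDS = 900
MAX_SEARCH_COMMANDS = 100
STORAGE_THRESHOLD = 0.85     # checked every 15 minutes
PURGE_FRACTION = 0.10        # roughly 10% of data is purged, oldest first (stopping rule assumed)

@dataclass
class Record:
    kind: str                # one of PURGE_ORDER
    age_days: int
    size_mb: float           # constructed sizes, just to model storage usage
    is_search: bool = False  # only meaningful for kind == "command"

def _newest(records, limit):
    return sorted(records, key=lambda r: r.age_days)[:limit]

def apply_retention(records):
    """Threshold-independent rules: 6-month age, 30-day RRS, 5 dumps, 900 + 100 commands."""
    kept = [r for r in records if r.age_days <= MAX_AGE_DAYS]
    rrs = [r for r in kept if r.kind == "rrs_event" and r.age_days <= RRS_MAX_AGE_DAYS]
    dumps = _newest([r for r in kept if r.kind == "ear_dump"], MAX_EAR_DUMPS)
    cmds = [r for r in kept if r.kind == "command"]
    cmds = (_newest([c for c in cmds if not c.is_search], MAX_NON_SEARCH_COMMANDS)
            + _newest([c for c in cmds if c.is_search], MAX_SEARCH_COMMANDS))
    other = [r for r in kept if r.kind not in ("rrs_event", "ear_dump", "command")]
    return rrs + dumps + cmds + other

def storage_purge(records, capacity_mb):
    """The 15-minute check: above 85% usage, free roughly 10% of the data, oldest first,
    one kind at a time in PURGE_ORDER. Returns (kept, kinds_deleted); the second value is
    what the logged system activity event would list."""
    kept, deleted = list(records), []
    used = sum(r.size_mb for r in kept)
    if used <= STORAGE_THRESHOLD * capacity_mb:
        return kept, deleted
    target = used * (1 - PURGE_FRACTION)
    for kind in PURGE_ORDER:
        for r in sorted((x for x in kept if x.kind == kind), key=lambda x: -x.age_days):
            if sum(k.size_mb for k in kept) <= target:
                return kept, deleted
            kept.remove(r)
            if kind not in deleted:
                deleted.append(kind)
    return kept, deleted
```

Running the model with security events as the bulk of the data shows how little a threshold purge touches them while RRS events and dumps still exist to delete first.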