How Symantec EDR purges data from the Symantec EDR database

Symantec Endpoint Detection and Response regularly monitors the amount of data that you have in your internal databases. Symantec EDR performs this task to ensure that the database does not grow uncontrollably and consume too much disk storage space. When your database reaches a certain threshold, Symantec EDR automatically purges it.
Symantec EDR automatically performs the following types of database purges:
  • Retention period
    • Symantec EDR performs a daily purge of your databases on data over 6 months old, regardless of whether your storage space threshold is exceeded.
    • Endpoints are purged 6 months after the last_seen date.
    • In an emergency purge, endpoints with the oldest last_seen date are purged first until disk usage is 75% or less. The emergency purge check runs every 15 minutes.
    • Offline endpoints are purged from Symantec EDR based on the SEPM option Delete clients that have not connected for specified time, on the General tab of the Admin > Domains > Default page.
    • Offline VDI endpoints are purged from Symantec EDR per the SEPM policies for VDI endpoints, based on the SEPM option Delete non-persistent VDI clients that have not connected for specified time, on the General tab of the Admin > Domains > Default page.
    • Unenrolled endpoints are purged after 24 hours.
    • If purging is disabled on SEPM, Symantec EDR retains offline endpoints for a maximum of 45 days.
    • If the purging interval on SEPM is greater than 45 days, Symantec EDR retains offline endpoints for a maximum of 45 days.
  • Storage space usage
    Symantec EDR performs a check every 15 minutes on the size of your databases. It performs this check to ensure that your data does not exceed 85% of your storage space. If your data exceeds this threshold, Symantec EDR purges roughly 10 percent of your data, beginning with the oldest records.
    Symantec EDR logs a system activity event when this type of purge occurs. This event lists the types of database records that were deleted.
Symantec EDR performs only one type of purge at a time. It also purges only one type of data at a time until the storage space threshold is met.
Purge policies

Type                               | Non-emergency retention policy         | Emergency purge policy | Emergency purge setting                                                                                                                  | Priority¹
-----------------------------------|----------------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------
RRS                                | Retains last 30 days                   | Day-by-day             | Retains last 1 day                                                                                                                       | Low
Data activity recorder - full dump | Retains last 180 days or last 10 dumps | By count               | Retains last 5 dumps                                                                                                                     | Low
Commands                           | Retains last 180 days                  | Day-by-day             | Retains last 15 days                                                                                                                     | Medium
Commands                           | Retains last 180 days                  | Count                  | Retains last 100 search commands; retains last 7500 non-search commands (for example, when you delete a file or quarantine an endpoint) | Medium
Non-ECC events                     | Retains last 180 days                  | Day-by-day             | Retains last 1 day                                                                                                                       | High
System activity                    | Retains last 180 days                  | Day-by-day             | Retains last 30 days                                                                                                                     | High
ECC events                         | Retains last 180 days                  | Day-by-day             | Retains last 1 day                                                                                                                       | High
Incidents                          | Retains last 180 days                  | Day-by-day             | Retains last 15 days                                                                                                                     | High
Symantec EDR database              | Retains last 180 days                  | Count                  | 8880 appliance: 200 million documents; virtual machine: 135 million documents; 8840 appliance: 70 million documents                     | High

¹ In emergency purges, low priority types are purged first, then medium priority types, then high priority types.
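As an added illustration (not Symantec's code or part of this documentation), the following Python simulation applies the emergency purge order described above: lowest-priority types first, one type at a time, each purged day by day down to its emergency retention floor, until disk usage is back at or below the storage threshold. The priorities and floors are taken from the table; the day-by-day mechanics, the stop condition, the order within a priority tier and the sample data are assumptions made for the simulation.

```python
# Constructed simulation of the emergency purge order described on this page.
# Priorities and emergency floors come from the purge policy table; the day-by-day
# mechanics, stop condition and order within a tier are assumptions, not Symantec's code.
# type -> (priority rank, emergency retention floor in days); 0 = low, 2 = high.
DAY_BY_DAY_POLICY = {
    "RRS": (0, 1),
    "Commands": (1, 15),
    "Non-ECC events": (2, 1),
    "System activity": (2, 30),
    "ECC events": (2, 1),
    "Incidents": (2, 15),
}

def build_store(spec):
    """spec: type -> (days of data held, size units per day).
    Returns type -> {age_in_days: size}, where age 1 is the newest day."""
    return {name: {age: size for age in range(1, days + 1)}
            for name, (days, size) in spec.items()}

def used(store):
    """Total size units currently stored across all types."""
    return sum(sum(days.values()) for days in store.values())

def emergency_purge(store, capacity, threshold_pct=85):
    """Purge the oldest day of one type at a time, lowest priority first, until
    usage is at or below threshold_pct of capacity. No type is purged below its
    emergency retention floor. Returns the purged (type, age) pairs in order."""
    purged = []
    by_priority = sorted(DAY_BY_DAY_POLICY, key=lambda n: DAY_BY_DAY_POLICY[n][0])
    for name in by_priority:
        floor = DAY_BY_DAY_POLICY[name][1]
        days = store.get(name, {})
        while days and used(store) * 100 > threshold_pct * capacity:
            oldest = max(days)
            if oldest <= floor:  # at the emergency floor: move to the next type
                break
            del days[oldest]
            purged.append((name, oldest))
        if used(store) * 100 <= threshold_pct * capacity:
            break  # threshold met; higher-priority types are left alone
    return purged

# Constructed sample: arbitrary size units, capacity 1000, 87% used before purge.
SAMPLE_SPEC = {"RRS": (5, 2), "Commands": (20, 5), "Non-ECC events": (30, 20),
               "System activity": (5, 2), "ECC events": (10, 10), "Incidents": (10, 5)}

if __name__ == "__main__":
    store = build_store(SAMPLE_SPEC)
    print(emergency_purge(store, capacity=1000))  # RRS days 5..2, then Commands 20..18
    print("%d%% used after purge" % (used(store) * 100 // 1000))  # 84% used
```

When the low and medium tiers cannot free enough space, the same routine cuts high-priority types such as ECC events and incidents back to their emergency floors of 1 and 15 days, which is the retention a practitioner should plan around under sustained storage pressure.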