Set a Retention Period for Alerts and Incidents

Sometimes data privacy officers want to retain data for a certain period of time and then delete it. A shorter retention period frees up disk space sooner. In some cases, the retention period must be short. For example, laws in Europe state that sensitive data cannot be retained for more than 30 days. After 30 days, the data must be obfuscated or deleted.

Setting a retention period for data is an optional procedure. The time that NetWitness Respond receives alerts and creates an incident determine when retention begins. Retention periods range from 30 to 365 days. If you set a retention period, one day after the period ends data is permanently deleted.

Retention is based on the time that NetWitness Respond receives the alerts and the incident creation time.

Caution: Data deleted after the retention period cannot be recovered.

When the retention period expires, the following data is permanently deleted:

  • Alerts
  • Incidents
  • Tasks
  • Journal entries

Logs track retention and manual deletion so you can see what has been deleted. You can view Respond Server logs in the following locations:

  • Respond Server Service log: /var/log/netwitness/respond-server/respond-server.log
  • Respond Server Audit log: /var/log/netwitness/respond-server/respond-server.audit.log

The data retention period that you set here does not apply to Archer or other third-party SOC tools. Alerts and incidents from other systems must be deleted separately.


The Administrator role must be assigned to you.


  1. Go to netwitness_adminicon_25x22.png (Admin) > Services, select the Respond Server service, and then select netwitness_ic-actns.png > View > Explore.
  2. In the Explore view node list, select respond/dataretention.
  3. In the enabled field, select true to delete incidents and alerts older than the retention period.
    The scheduler runs every 24 hours at 23:00.
    You will see a notice that the configuration was successfully updated.
  4. In the retention-period field, type the number of days to retain incidents and alerts. For example, type 30 DAYS, 60 DAYS, 90 DAYS, 120 DAYS, 365 DAYS, or any number of days.
    A message informs you that the configuration was successfully updated.


Within 24 hours after the retention period ends, the scheduler permanently deletes all alerts and incidents older than the specified period from NetWitness Respond. Journal entries and tasks associated with the deleted incidents are also deleted.