How are people handling the storage and retention of raw data? It
essentially doubles the storage requirements. I assume event_data is
processed data and raw_data is unprocessed original data. What need is
there to store the raw data, I assume it is from a forensics
perspective? Does not storing raw_data or reducing the retention of it
dramatically (say to 2-4 weeks from 90 days), will that impact searches
or reporting from within the Sentinel GUI?

Essentially I need to know the benefit of storing it before I make a
decision to remove it or reduce the retention of it.



rochfordp's Profile: https://forums.netiq.com/member.php?userid=6749
View this thread: https://forums.netiq.com/showthread.php?t=52628