Windows Event Log Retention

While Tenable Identity Exposure strives to process as many Windows event logs as possible to support the security analysis within the Indicator of Attack feature, there are technical limitations, such as available memory on the machine running the services.

The default global retention period is 5 minutes. However, specific Windows event logs have extended retention periods to mitigate correlation issues that the security engine might encounter:

• SYSMON 5722 and 5723: Retained for 6 hours.

• Microsoft-Windows-Security-Auditing/4624: The retention period for this log is dynamic, as it is heavily used in Indicators of Attack for both detection and correlation. The system adjusts retention based on memory usage to balance event processing with system resources:

  • First hour: The security analysis service applies the default retention period of 5 minutes.

  • After the first hour, the system evaluates the remaining memory and adjusts retention as follows:

    • If available memory is over 50%: 1 day.

    • If available memory is 35%-50%: 6 hours.

    • If available memory is 20%-35%: 1 hour.

    • If available memory is 10%-20%: 10 minutes.

    • If available memory is below 10%: The default 5 minutes.

This dynamic approach ensures that the system can manage incoming events efficiently while maintaining adequate memory for security analysis.