Windows Event Log Retention

While Tenable Identity Exposure strives to process as many Windows event logs as possible to support the security analysis within the Indicator of Attack feature, there are technical limitations, such as available memory on the machine running the services.

The default global retention period is 5 minutes. However, specific Windows event logs have extended retention periods to mitigate correlation issues that the security engine might encounter:

  • SYSMON 5722 and 5723: Retained for 6 hours.

  • Microsoft-Windows-Security-Auditing/4624: The retention period for this log is dynamic, as it is heavily used in Indicators of Attack for both detection and correlation. The system adjusts retention based on memory usage to balance event processing with system resources:

    • First hour: The security analysis service applies the default retention period of 5 minutes.

    • After the first hour, the system evaluates the remaining memory and adjusts retention as follows:

      • If available memory is over 50%: 1 day.

      • If available memory is 35%-50%: 6 hours.

      • If available memory is 20%-35%: 1 hour.

      • If available memory is 10%-20%: 10 minutes.

      • If available memory is below 10%: The default 5 minutes.

This dynamic approach ensures that the system can manage incoming events efficiently while maintaining adequate memory for security analysis.

On-Premises Environments

For on-premises environments, you can customize the default retention period for event logs, as follows:

Set the environment variable: ALSID_CASSIOPEIA_EVENT_LOGS_STORAGE_Application__DefaultRetentionInMinutes on the machine hosting the EventLogsStorage service.

You can increase this value beyond the default 5 minutes. However, it’s important to note that this change will not affect the specific retention rules for the three event logs mentioned earlier (SYSMON 5722, 5723, and Security-Auditing/4624).

Additionally, the system reserves 4GB of memory by default to maintain global stability. You can modify this threshold using the environment variable ALSID_CASSIOPEIA_EVENT_LOGS_STORAGE_Application__MinimumAvailableMemoryInMiB on the machine hosting the EventLogsStorage service.