I'm looking for a way to set up the retention buckets to remove data from log sources that have been deleted. I believe the data will still be available until the retention timelines have been met.

Any help would be appreciated.

------------------------------
JThur
------------------------------

Can you make the question more precise? What type of data would you like to remove? Do you mean log events?
How did you delete the data?
The retention buckets are used to remove the log events after a period of time. What are you experiencing? Are the data not being removed?

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Original Message:
Sent: Tue December 08, 2020 12:56 PM
From: JThur
Subject: Set retention buckets to remove deleted log sources

I'm looking for a way to set up the retention buckets to remove data from log sources that have been deleted. I believe the data will still be available until the retention timelines have been met.

Any help would be appreciated.

------------------------------
JThur
------------------------------

Hi J.

You believe right, the data are given a note as to when they should be deleted at the moment they arrive at QRadar. If you change the retention timeline in buckets, this only affects data received by QRadar from the moment of the change and after, not before.

It is not intended to delete data from QRadar manually.However, there is a solution, thanks to the GDPR, IBM must give the possibility to delete personal data in QRadar before the retention time has expired. We have already tested this successfully. However, it is quite complicated.

It is possible to delete any data with this procedure, even from log sources that have been removed.
If you would like more details, please contact me directly.

------------------------------
Kind regards
Oliver
------------------------------

Original Message:
Sent: Tue December 08, 2020 12:56 PM
From: JThur
Subject: Set retention buckets to remove deleted log sources

I'm looking for a way to set up the retention buckets to remove data from log sources that have been deleted. I believe the data will still be available until the retention timelines have been met.

Any help would be appreciated.

------------------------------
JThur
------------------------------

I was not aware the retention bucket information was tagged to events upon arrival. I would be interested in more details about removing data from QRadar.

------------------------------
JThur
------------------------------

Original Message:
Sent: Wed December 09, 2020 03:15 AM
From: Oliver Braun
Subject: Set retention buckets to remove deleted log sources

Hi J.

You believe right, the data are given a note as to when they should be deleted at the moment they arrive at QRadar. If you change the retention timeline in buckets, this only affects data received by QRadar from the moment of the change and after, not before.

It is not intended to delete data from QRadar manually.However, there is a solution, thanks to the GDPR, IBM must give the possibility to delete personal data in QRadar before the retention time has expired. We have already tested this successfully. However, it is quite complicated.

It is possible to delete any data with this procedure, even from log sources that have been removed.
If you would like more details, please contact me directly.

------------------------------
Kind regards
Oliver

Original Message:
Sent: Tue December 08, 2020 12:56 PM
From: JThur
Subject: Set retention buckets to remove deleted log sources

I'm looking for a way to set up the retention buckets to remove data from log sources that have been deleted. I believe the data will still be available until the retention timelines have been met.

Any help would be appreciated.

------------------------------
JThur
------------------------------

Hi Oliver:
I would also be interested in knowing how you do it. Can you please share that information here? This is why we have a community. It is to share info!

Thanks

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Original Message:
Sent: Wed December 09, 2020 03:15 AM
From: Oliver Braun
Subject: Set retention buckets to remove deleted log sources

Hi J.

You believe right, the data are given a note as to when they should be deleted at the moment they arrive at QRadar. If you change the retention timeline in buckets, this only affects data received by QRadar from the moment of the change and after, not before.

It is not intended to delete data from QRadar manually.However, there is a solution, thanks to the GDPR, IBM must give the possibility to delete personal data in QRadar before the retention time has expired. We have already tested this successfully. However, it is quite complicated.

It is possible to delete any data with this procedure, even from log sources that have been removed.
If you would like more details, please contact me directly.

------------------------------
Kind regards
Oliver

Original Message:
Sent: Tue December 08, 2020 12:56 PM
From: JThur
Subject: Set retention buckets to remove deleted log sources

I'm looking for a way to set up the retention buckets to remove data from log sources that have been deleted. I believe the data will still be available until the retention timelines have been met.

Any help would be appreciated.

------------------------------
JThur
------------------------------

Voilá

https://www.ibm.com/support/knowledgecenter/no/SS42VS_SHR/com.ibm.dcblog.doc/c_blog_acp_tool.html

------------------------------
BrunoMarX
------------------------------

Original Message:
Sent: Mon December 14, 2020 04:41 AM
From: Joao Goncalves
Subject: Set retention buckets to remove deleted log sources

Hi Oliver:
I would also be interested in knowing how you do it. Can you please share that information here? This is why we have a community. It is to share info!

Thanks

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994

Original Message:
Sent: Wed December 09, 2020 03:15 AM
From: Oliver Braun
Subject: Set retention buckets to remove deleted log sources

Hi J.

You believe right, the data are given a note as to when they should be deleted at the moment they arrive at QRadar. If you change the retention timeline in buckets, this only affects data received by QRadar from the moment of the change and after, not before.

It is not intended to delete data from QRadar manually.However, there is a solution, thanks to the GDPR, IBM must give the possibility to delete personal data in QRadar before the retention time has expired. We have already tested this successfully. However, it is quite complicated.

It is possible to delete any data with this procedure, even from log sources that have been removed.
If you would like more details, please contact me directly.

------------------------------
Kind regards
Oliver

Original Message:
Sent: Tue December 08, 2020 12:56 PM
From: JThur
Subject: Set retention buckets to remove deleted log sources

I'm looking for a way to set up the retention buckets to remove data from log sources that have been deleted. I believe the data will still be available until the retention timelines have been met.

Any help would be appreciated.

------------------------------
JThur
------------------------------