Managing the data retention policy for asset and risk data

Use the REST API to manage the data retention policy for asset and risk data in IBM Security QRadar Suite Software.

About this task

The data retention policy can be defined by either time or disk usage:
Time-based retention policy

With a time-based retention policy, the data is purged after a specified period. For example, you can set the retention policy to purge all historical data older than one year.

When you configure a time-based policy, the policy_name parameter is Time and the policy_value parameter indicates the number of days that the historical data is kept.

Disk-based retention policy

With a disk-based retention policy, you specify how much disk space is used to store asset and risk data. The storage includes both active and historical data.

For example, you can specify that the data cannot exceed one GB of disk storage. If you have 700 MB of active data, the remaining 300 MB is available for historical data. Historical data that exceeds the 300 MB threshold is purged based on the date that it was created, oldest first.

When you configure a disk-based policy, the policy_name parameter is DiskUsage and the policy_value parameter indicates the size of the disk storage that is allotted for both active and historical data.

For example, if you want to configure the retention policy to use 2 GB of disk space, calculate the policy value in bytes as follows:
2 GB = 2 * 1024 * 1024 * 1024 = 2147483648

The retention policy applies to historical data only. Active data is always retained regardless of age or size.

On initial installation, the default retention policy is disk-based with 1.2 GB of storage.

Procedure

  1. Log in to your Red Hat® OpenShift® Container Platform cluster by typing either of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <username> -p <password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Find your QRadar Suite Software API URI value by typing the following command:
    kubectl get route -o jsonpath='{.items[?(@.metadata.name=="isc-route-default")].spec.host}'
  3. To find the settings for the current retention policy, type this command:
    curl -X GET 'https://<API_URI>/api/car/v3/DataRetentionPolicy' \
    --header 'Authorization: Basic <CAR_auth>'

    where <API_URI> is the QRadar Suite Software API URI from step 2 and <CAR_auth> is the Base-64 encoding of <API_key>:<API_secret>.

    The command output looks similar to this example:

    {"policy_name": "DiskUsage", "policy_value": 3000000}

  4. To change the retention policy, type this command:
    curl -X POST 'https://<API_URI>/api/car/v3/DataRetentionPolicy' \
    --header 'Authorization: Basic <CAR_auth>' \
    --header 'Content-Type: application/json' \
    --data-raw '{
         "policy_name": "<policy_name>",
         "policy_value": <policy_value>
      }'
    You must specify the following variables:
    • <API_URI> is the QRadar Suite Software API URI from step 2.
    • <CAR_auth> is the Base-64 encoding of <API_key>:<API_secret>.
    • <policy_name> is either Time or DiskUsage.
    • <policy_value> is a positive integer that represents either the number of days (Time) or the number of bytes (DiskUsage), depending on the type of policy that you use.
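The following script is an added example that wraps steps 3 and 4 above; it is not part of the IBM documentation and not QRadar Suite Software code. The endpoint path, the Basic authentication scheme and the policy_name/policy_value fields are taken from the page; the environment variable names CAR_API_URI, CAR_API_KEY and CAR_API_SECRET and all function names are assumptions of this example. The API key and secret are read from the environment rather than passed as command-line arguments so that they do not show up in process listings or shell history, the policy name and value are validated before anything is sent, and the GB-to-bytes conversion is done in shell arithmetic so the DiskUsage value is not mistyped by hand.

```shell
#!/bin/sh
# Added example (not IBM documentation code). Assumes:
#   CAR_API_URI    - host returned by the "kubectl get route" step (no scheme)
#   CAR_API_KEY    - QRadar Suite Software API key
#   CAR_API_SECRET - QRadar Suite Software API secret

# Convert a whole number of GB (1024-based) to the byte count DiskUsage expects.
gib_to_bytes() {
    echo $(( $1 * 1024 * 1024 * 1024 ))
}

# Build the Basic credential: Base-64 of "<API_key>:<API_secret>" with no line wrap.
car_auth() {
    printf '%s' "$1:$2" | base64 | tr -d '\n'
}

# Accept only the two supported policy names and a positive integer value.
validate_policy() {
    case "$1" in
        Time|DiskUsage) ;;
        *) echo "policy_name must be Time or DiskUsage, got '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*|0) echo "policy_value must be a positive integer, got '$2'" >&2; return 1 ;;
    esac
    return 0
}

# JSON body for the POST, in the shape the page shows.
policy_json() {
    printf '{"policy_name": "%s", "policy_value": %s}' "$1" "$2"
}

# Step 3: read the current retention policy.
get_retention_policy() {
    curl -sS -X GET "https://${CAR_API_URI}/api/car/v3/DataRetentionPolicy" \
        --header "Authorization: Basic $(car_auth "$CAR_API_KEY" "$CAR_API_SECRET")"
}

# Step 4: change the retention policy, refusing malformed input before any request is sent.
set_retention_policy() {
    validate_policy "$1" "$2" || return 1
    curl -sS -X POST "https://${CAR_API_URI}/api/car/v3/DataRetentionPolicy" \
        --header "Authorization: Basic $(car_auth "$CAR_API_KEY" "$CAR_API_SECRET")" \
        --header 'Content-Type: application/json' \
        --data-raw "$(policy_json "$1" "$2")"
}

# Command-line entry point; does nothing when the file is sourced without arguments.
#   ./retention.sh get
#   ./retention.sh set DiskUsage "$(gib_to_bytes 2)"
#   ./retention.sh set Time 365
case "${1:-}" in
    get) get_retention_policy ;;
    set) set_retention_policy "$2" "$3" ;;
esac
```

Run it after exporting the three variables from the session in which you ran step 2; `set DiskUsage "$(gib_to_bytes 2)"` sends 2147483648, the value the page's worked calculation arrives at, and `set Time 365` keeps one year of historical data.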