Exam4Training

What can the administrator do to accommodate this requirement?

The event data collected by IBM Security QRadar SIEM V7.2.8 is being deleted after one month. The legal department required the data be kept for two months.

What can the administrator do to accommodate this requirement?
A. Change the nightly backup Priority to “High”.
B. Change the nightly backup to a monthly backup.
C. Change the Default Event Retention Policy property field “Do not delete data in this bucket” to two months.
D. Change the Default Event Retention Policy property field “Keep data placed in this bucket for” to two months.

Answer: C

Explanation:

When storage space is required – Select this option if you want events or flows that match the “Keep data placed in this bucket for” parameter to remain in storage until the disk monitoring system detects that storage is required. If used disk space reaches 85% for records and 83% for payloads, data will be deleted. Deletion continues until the used disk space reaches 82% for records and 81% for payloads.

When storage is required, only events or flows that match the “Keep data placed in this bucket for” parameter are deleted.

Reference: https://www.ibm.com/developerworks/community/forums/atom/download/Event_Flow_Retention_QRadar_72_AdminGuide.pdf?nodeId=593f2b31-a858-4210-b380-4674894a6ad9
