Data retention

  • This article explains how Kaseya SIEM retains and manages security data from a governance and compliance perspective.

  • Data retention determines:

    • How long different types of data are stored

    • Which data remains searchable in the platform

    • How historical security activity can be reviewed during investigations, audits, or compliance reviews

    Data types and retention model

    Kaseya SIEM distinguishes between raw data and processed data.

    Raw data

    Raw data represents the original, unnormalized data as it is ingested into the platform. It is used for initial ingestion and normalization and retained for a short duration.

    Retention period: Raw data is retained for 3 days.

    Raw data is not intended for long‑term investigation or historical review.

    Processed data

    Processed data represents normalized security data that has been evaluated and structured by the platform.

    Processed data includes:

    • Security events

    • Alerts

    • IOC rule results

    • Respond rule results

    • Other normalized security records

    Retention period: Processed data is retained for 400 days.

    Searchability and historical access

    Processed data is stored for 400 days and is searchable in the user interface for the full 400‑day retention period.

    All retained processed data remains searchable for the duration of the retention period. There is no separate investigation experience for older processed data.

    Retention behavior does not vary based on whether the data originated from an event, alert, IOC rule, or Respond rule, as long as the data is processed.

    Governance considerations

    Data retention settings are part of the platform’s governance model and are designed to support:

    • Security investigations

    • Operational reviews

    • Audit preparation

    • Compliance‑related inquiries

    Retention behavior defines how long data is available, not how alerts are generated or how response actions are performed.

    Relationship to other administrative settings

    Data retention operates independently of:

    • User roles and permissions

    • Alert suppression

    • SOC authorization settings

    • Application behavior tuning

    Those settings affect visibility, access, and behavior, but they do not change retention durations.