This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 46%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Hi Team,
We have a test Microsoft Sentinel environment where we have a data retention period of 30 days. When I check the 'SecurityIncident', 'SecurityAlert' etc. tables, as expected, there is no data present before the 30 day-period. But on the Incidents page, I can see the incidents beyond 30 days listed there. So a bit confused on this. How can the incidents be still visible when the underlying tables are empty for a custom time range? Also will this incur data retention charges? Attaching screenshots related to this. Thank you.
Regards,
Anand R. Menon
The records are in the SecurityAlert and SecurityIncidents tables. A new record is created with the same ID for every update. The incident dashboard shows the most recent record for each incident.
Rather that using the custom range picker try a full 90 day lookback:
SecurityIncident
| where TimeGenerated > ago(90d)
@Anand R Menon
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
@Andrew Blumhardt I tried the below query you mentioned:
SecurityIncident
| where TimeGenerated > ago(90d)
It shows incidents within the past 30 days only which is according to the data retention period set. But on the Incidents page in Sentinel, I can see incidents generated for the past few months. I doubt if its kept temporarily in some alternate tables for a historic purpose. Thank you.
The incident view can review back to when the instance was first created. I was able to look back over a year in my environment. The tables are more of a log it seems.
Sentinel includes 90 days of retention. You can bump that 30 to 90 days.
Thanks a lot for the insights. Increased the retention period to 90 days on my workspace. Thank you. :)