Record Data Retention

Being that ExtraHop never purges inactive records, does anyone have a strategy for managing the device count? Our network has many guest wi-fi users that we want to monitor while they are on our network. However, once they have left the network I would prefer the record to time out after a certain time period as we are hitting a device limit threshold.


How are you experiencing the device limit threshold? Are these inactive devices taking up your advanced analysis slots?

Each of the EDAs has a limit of 100k devices, which we are exceeding because devices never get purged. We do not have 200k devices on our network. Therefore the result is that it is forcing devices into discovery mode. If a device appears once on our guest wifi, great, we want to know about it. If it doesn’t appear again in 3 months, roll it out of the system.

On the Analysis Priorities page, you should be able to prioritize device groups that dynamically only include devices which are actually seeing activity for higher analysis modes. There’s also a setting to stop the priorities from filling automatically in case you want to manage them more closely, though ideally that’s not necessary.

Edit: And ignoring the above, devices that have been inactive for 4 days shouldn’t be taking up advanced or standard analysis slots at all unless they’ve been manually added to the watchlist. If you find that behavior isn’t happening, you might want to file a support ticket as it could be a bug.