Schedule automated incident export to an external cloud storage solution.
You can enable scheduled export of incidents. Incidents are exported based on your retention policy. By default, the retention policy is six months from the date of incident creation, and all incidents older than six months are exported once a day. If you have purchased additional retention, only incidents older than your total retention are exported. For example, if you have purchased an additional three months of retention and have nine months total, incidents older than nine months are exported once a day.
Danger
Before exporting incidents, you must have an external cloud storage solution configured. For more information, see Configure access to external storage.
Go to → → → .
Choose an existing external storage option from the dropdown.
Enter the relative path where the data is stored. For example, if the data is stored in the export_incidents top-level folder in an Amazon S3 bucket, the relative path is export_incidents.
Under Export frequency, toggle the button to Enable scheduled exports.
Select whether to Include incident attachments.
Save.
After you enable scheduled exports, the Export Incidents page displays the date and time of the next scheduled export. After an export is complete, the page displays the date and time of the last successful export. If an export is currently running, the status is displayed.
Note
The first time incidents are exported, the process may take multiple days or weeks, depending on the number of incidents and the amount of data. The previous export must be completed before the system begins another export.
To stop an existing export process, you must make a POST request to the API endpoint: /xsoar/exdelete-incidents/job/abort
If an export fails, the Instance Admin receives an email notification. To enable or disable notification settings, click on your username and select → → → .
Once an incident has been exported, it is not exported again, even if it remains in the system and is modified after the export.