Rate of network and endpoint incidents
The rate of network and endpoint incidents detected varies widely across Forcepoint customers. The sizing guidelines above are based on an average incident rate of 1 per user every 10 days (an incident is a policy violation). As a best practice, periodically review the actual incident rate in the database to gauge how closely your environment matches this average, and then adjust your database storage requirements to reflect the actual data in your environment.
Do this by examining the Incident Trends report found in the Data Security module of Forcepoint Security Manager under .

The Forcepoint DLP database stores data in partitions, one per calendar quarter. You can have 1 active partition for the current quarter.
If you are using Microsoft SQL Server Standard or Enterprise for your reporting database, you can have up to 8 online partitions (approximately 2 years), but if you are using SQL Server Express, you can have only 4 (approximately 1 year). (Online partitions are partitions that can be used to show reports and log data.)
For both databases, you can have up to 12 archived partitions representing 3 years of records, and 4 restored partitions (1 year).
Partition type | Microsoft SQL Server Standard or Enterprise | Microsoft SQL Server Express |
---|---|---|
Active | 1 partition (current quarter) | 1 partition (current quarter) |
Online | up to 8 partitions (2 years) | up to 4 partitions (1 year) |
Restored | up to 4 partitions (1 year) | up to 4 partitions (1 year) |
Archived | up to 12 partitions (3 years) | up to 12 partitions (3 years) |
Total available managed partitions | 25 | 21 |
Refer to “Archiving incident partitions” in the Forcepoint DLP Administrator Help for more information on archiving. For instructions on setting the maximum disk space allowed for the incident archive, refer to “Configuring the incident archive.”