Skip to content



This feature is available only with the Platinum plan of THeHive 5.x.

TheHive has a feature dedicated to manage data retention policy in the database, which is not enabled by default.


Two strategies are available:

Replace values with <redacted>#

For cases, the following fields are redacted:

  • summary and message of the case
  • message of comments
  • message in task logs
  • message of observables, for datatypes selected and filled in the gdpr.dataTypesToDelete configuration property
  • content of pages
  • description of procedures in TTPs

For alerts, the following fields are redacted:

  • message of the alert
  • message of observables (cf. gdpr.dataTypesToDelete configuration property)
  • description of procedures (ttp)

For audits:

  • the field details is redacted

Delete data#

If the strategy delete is selected:

  • The case and its components - tasks, task logs, procedures, comments, pages, custom events in timelines, values of custom field and observables - are deleted
  • The alert and its components - procedures, comments, values of custom field and observables - are deleted.
  • The audit is deleted


The parameter retentionPeriod defines the mininum age of the data that will be deleted or redacted. The GDPR process will be applied on data older than this setting. The age is based on the last update date (or the creation date if it has never been updated). The format is a number and a time unit. The supported units are:

  • day: d, day
  • hour: h, hr, hour
  • minute: m, min, minute
  • second: s, sec, second
  • millisecond: ms, milli, millisecond


To enable it, the configuration file /etc/thehive/application.conf should be updated. Add the following configuration to the file:

gdpr {
    enabled = true

    ## Format
    ## Every Sunday at 02:30

    schedule = "0 30 2 ? * SUN"

    ## Possible GDPR strategies:
    ##   delete: remove the documents
    ##   redact: replace sensitive values by "<redacted>" (cf. dataTypesToDelete)

    strategy = "delete"

    ## if the strategy is "redacted", the observable with dataType in 
    ## "dataTypesToDelete" will be removed
    ## for other observables, message will be "<redacted>", not the data
    ## Uncomment following line to select datatypes

    # dataTypesToDelete = [] ## ["ip", "domain"]

    ## only documents older than the "retentionPeriod" will be processed

    retentionPeriod = 730 days # 2 years

    ## Advanced parameters (should not be modified)

    jobTimeout = 24 days ## maximum time the job is executed
    batchSizeCase = 5     ## how many cases is processed per transaction
    batchSizeAlert = 10   ## how many cases is processed per transaction
    batchSizeAudit = 100  ## how many cases is processed per transaction

Then restart the application.