As I understand the splunk app for Enterprise Security creates a number of TSIDX namespaces that are used to store summary statistical data used by the dashboards and correlation searches throughout the app. And I guess the limit for the length of time that namespaces are retained is specified in the $SPLUNKHOME/etc/apps/
The only available namespace that i see for notable events is the "sa_notables" I am trying to understand if this is the namespace that the incident review dashboard uses to store all its incidents and also would like to know if all the tickets that are managed by the incident review dashboards are also stored in the same name space and how to setup a retention to store all the tickets that my security operations have worked on
The output from the correlation searches (the notable events) are actually stored in a summary index called "notable". This index is managed by whatever retention policy you have defined for indexes.
The incident review dashboard stores the case statuses and notes in a lookup file (incident_review.csv) which won't get truncated (we keep the status changes forever).
BTW: You are correct, tsidx_retention.conf is used to limit the size of the TSIDX namespaces.
Depends what kind of access you are talking about.
The Incident Review Audit page in ES provides a view for looking at the contents.
On the file system, it is stored in $SPLUNKHOME/etc/apps/SA-ThreatIntelligence/lookups/incidentreview.csv.
You can also do a search to get back the contents: