Data Retention Policy
    • 25 Feb 2025


    Red Canary ingests all customer Endpoint Detection and Response (EDR) telemetry data into our Amazon Web Services (AWS) S3 Storage. After 14 days (or 7 days for Linux EDR), any telemetry data not related to a threat is moved to our AWS archival storage where it is currently retained for a total of 90 days.

    Please contact your account team if you need to request data retrieval.

    Note: Once the data is moved into the archive, it takes time to recover and recovery can be costly.


    FAQ

    How is the data in cold storage sent/provided?

    The data files are provided in JSON format (zipped) and can be made available via a secure, private link.

    What do we need to do to load/review the data? Do we have to stand up some kind of special environment for that?

    No. Once you've extracted the zipped files, you should be able to open and review the contents with any text editor or JSON parser.

    Could we leverage Azure Sentinel to import and review the JSON data? What other tools can we use for this?

    You can use any JSON data parser you choose. Canary Exporter would be a great alternative for this, especially if things are time sensitive, because it is the quicker option. Its downsides are bandwidth and storage.

    How are Endpoints, Alerts, and Events handled?

    Red Canary handles Endpoints, Alerts, and Events as follows:

    | Data type | Default Policy |
    |---|---|
    | Endpoints | Endpoints associated with an Alert, Event, or Threat are displayed indefinitely. All other endpoints are displayed until their last check-in and last activity time exceeds one year. For more information, see Endpoints. |
    | Alerts | Alerts associated with a tipoff or an event are retained indefinitely. External alerts not associated with an event are retained for 90 days. For more information, see Alerts Lifecycle. |
    | Events | Events associated with a confirmed threat are retained indefinitely. Other events are retained for one year. For more information, see Event Lifecycle. |

