Data Retention Policy
    • 14 Oct 2025

    Red Canary ingests all customer Endpoint Detection and Response (EDR) telemetry data into our Amazon Web Services (AWS) S3 storage. After 14 days (or 7 days for Linux EDR), any telemetry data not related to a threat is moved to our AWS archival storage, where it is currently retained for a total of 90 days.

    Note

    Contact your account team if you need to request data retrieval. Once data has been moved to the archive, recovering it takes time and can be costly, so plan retrieval requests accordingly.

    FAQ


    How is the data in cold storage sent/provided?

    The data files are provided in JSON format (zipped) and can be made available via a secure private link.

    How are endpoints, alerts, events, and investigations handled?

    Retention policy by data type:

    Endpoints

    Endpoints are retained indefinitely, except when they meet all of the following criteria:

    • The "Last activity at" time is more than one year ago.

    • The "Last check-in" time is more than one year ago.

    • The endpoint has zero associated alerts (all time).

    • The endpoint has zero associated events or threats (all time).

    Endpoints with associated alerts, events, or threats are not affected, so data that may be needed for an investigation remains available. If a removed endpoint is discovered again, it is treated as a new endpoint and is subject to the same policy.

    Alerts

    Native external alert data is stored for 90 days.

    Standardized external alert data is stored for 365 days.

    Events

    Events are retained for one year, except for events that:

    • Have no detections

    • Have no contributing external alerts

    • Were not triggered by external alerts

    • Have no event identities

    Investigations

    Investigations associated with a confirmed threat are retained indefinitely. All other investigations are retained for one year.

    What do we need to do to load/review the data? Do we have to stand up some kind of special environment for that?

    No. Once you have extracted the zipped files, you can open and review the contents with any text editor or JSON parser.

    Could we leverage Azure Sentinel to import and review the JSON data? What other tools can we use for this?

    Yes: any tool that can parse JSON will work, Sentinel included. If the request is time sensitive, Canary Exporter is the quicker option; the trade-offs are the bandwidth and storage it consumes.
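    The two answers above say the archive can be reviewed with "any JSON parser". As an added example (this is not Red Canary code, not Canary Exporter, and not tied to the real export layout), the following Python script walks a zipped JSON drop without any special environment: it detects whether each member is a JSON array, a single object, or newline-delimited JSON, skips non-JSON members, and lets you filter records by a time window before deciding what to ship to a SIEM. The member names and the fields `event_type`, `hostname`, and `timestamp` are assumptions; the sample archive is constructed in memory so the script runs offline.

```python
"""Triage a zipped JSON export: added example, not Red Canary's code.

The archive layout and the record fields (event_type, hostname,
timestamp) are assumptions made for illustration only.
"""
import io
import json
import zipfile
from collections import Counter
from datetime import datetime

JSON_SUFFIXES = (".json", ".jsonl", ".ndjson")


def _parse_member(raw: bytes):
    """Return the list of records held in one archive member.

    Handles the three layouts a JSON dump commonly uses: one JSON array,
    one JSON object, or newline-delimited JSON (one object per line).
    The page does not specify the export layout, so detect rather than assume.
    """
    text = raw.decode("utf-8-sig").strip()  # utf-8-sig tolerates a BOM
    if not text:
        return []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # Not a single document, so treat it as newline-delimited JSON.
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return doc if isinstance(doc, list) else [doc]


def iter_records(zip_bytes: bytes):
    """Yield (member_name, record) for every JSON record in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(JSON_SUFFIXES):
                continue  # README files, manifests, etc. are not telemetry
            for rec in _parse_member(zf.read(info)):
                yield info.filename, rec


def _parse_ts(value: str) -> datetime:
    # ISO 8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def records_in_window(zip_bytes: bytes, start_iso: str, end_iso: str, ts_field="timestamp"):
    """Return records whose ts_field falls in [start_iso, end_iso)."""
    start, end = _parse_ts(start_iso), _parse_ts(end_iso)
    hits = []
    for _name, rec in iter_records(zip_bytes):
        ts = rec.get(ts_field)
        if ts is None:
            continue  # records without a timestamp cannot be placed in the window
        if start <= _parse_ts(ts) < end:
            hits.append(rec)
    return hits


def count_by(zip_bytes: bytes, field: str) -> Counter:
    """Quick inventory of the drop: how many records per value of `field`."""
    return Counter(rec.get(field, "<missing>") for _n, rec in iter_records(zip_bytes))


def build_sample_archive() -> bytes:
    """Constructed sample data: one array-style member, one NDJSON member, one non-JSON file."""
    array_member = [
        {"event_type": "process_start", "hostname": "ws-01", "timestamp": "2025-09-01T10:00:00Z"},
        {"event_type": "netconn", "hostname": "ws-01", "timestamp": "2025-09-02T11:30:00Z"},
    ]
    ndjson_member = "\n".join(json.dumps(r) for r in [
        {"event_type": "process_start", "hostname": "srv-07", "timestamp": "2025-09-20T08:15:00Z"},
        {"event_type": "file_write", "hostname": "srv-07", "timestamp": "2025-10-01T09:00:00Z"},
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("telemetry/part-0001.json", json.dumps(array_member))
        zf.writestr("telemetry/part-0002.jsonl", ndjson_member)
        zf.writestr("README.txt", "delivery notes, not telemetry")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    print(count_by(archive, "event_type"))
    september = records_in_window(archive, "2025-09-01T00:00:00Z", "2025-10-01T00:00:00Z")
    print(len(september), "records in September")
```

    Point the same functions at the real delivery by reading the downloaded zip into `zip_bytes`; because `iter_records` is a generator, a large archive is processed member by member rather than loaded whole, and the window filter lets you forward only the relevant slice to Sentinel or another SIEM instead of the entire drop.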
