Data Retention Policy
    • 29 Aug 2024

    We ingest our customers’ telemetry data into our Amazon Web Services (AWS) S3 storage. After 14 days, all Endpoint Detection and Response (EDR) telemetry that is not related to a threat is moved to our AWS archival storage, where it is currently retained for a total of 90 days.

    Data can be requested by contacting your account team.

    Note: Once the data is moved into the archive, recovery takes time and can be costly.

    How is the data in cold storage sent/provided? 

    The data files are provided as zipped JSON and can be made available via a secure, private link.

    What do we need to do to load/review the data? Do we have to stand up some kind of special environment for that?

    You should be able to open and review the contents of the extracted file(s) with any text editor or JSON parser.

    Could we leverage Azure Sentinel to import and review the JSON data? What other tools can they use for this?

    You can use any JSON parser you choose. Canary Exporter would be a great alternative, especially if things are time sensitive, because it is the quicker option. Its downsides are bandwidth and storage.

    How are Endpoints, Alerts, and Events handled?

    For details on how Red Canary handles Endpoints, Alerts, and Events, see the table below:

    Data type | Default Policy
    Endpoints | Endpoints associated with an Alert, Event, or Threat are displayed indefinitely. All other endpoints are displayed until their last check-in and last activity time exceeds one year. Learn more about Endpoints.
    Alerts | Alerts associated with a tipoff or an event are retained indefinitely. External alerts not associated with an event are retained for 90 days. For more information, review our Alerts Lifecycle.
    Events | Events associated with a confirmed threat are retained indefinitely. Other events are retained for one year. For more information, review our Event Lifecycle.
