Red Canary’s retention policies vary according to the type of data and whether or not that data is associated with a threat.
Retention for EDR Telemetry
We ingest all customer Endpoint Detection and Response (EDR) telemetry data into our Amazon Web Services (AWS) S3 storage. After 14 days (or 7 days for Linux EDR), any telemetry data not related to a threat is moved to our AWS archival storage, where it is retained for an additional 90 days. Note that once data has been moved into the archive, retrieving it can take time. If you need to request data retrieval from archival storage, please contact your Red Canary account team.
Retention for Endpoints, Alerts, Events, Investigations, and Threats
| Data Type | Retention Policy |
|---|---|
| Endpoints | To ensure that data potentially needed for investigations remains available, endpoints are retained indefinitely, except when they meet each of the following criteria: |
| Alerts | Native external alert data is stored for 90 days. Standardized external alert data is stored for 365 days. |
| Events | Events are retained for 365 days, except when they: |
| Investigations | Investigations not associated with a confirmed threat are retained for 365 days. |
| Threats | Confirmed threats and any associated Investigations are retained indefinitely. |
FAQ
How is the data from archival storage sent/provided?
The data files are provided in JSON format (zipped) and made available via a secure private link.
What do we need to do to load/review the data? Do we have to stand up some kind of special environment for that?
No. Once you've extracted the zipped files, you should be able to open and review the contents using any text editor or JSON parser.
Could we leverage Azure Sentinel to import and review the JSON data? What other tools can we use for this?
Yes, you can use any JSON data parser you choose. Canary Exporter would be a good choice, especially if the task is time sensitive.
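The two answers above say the archive is a zip of JSON files that any JSON parser can read. The following Python script is an added example, not Red Canary's own code or part of Canary Exporter; it opens such an archive, parses every `.json` member, and counts records by an assumed `type` field so you can sanity-check an export before loading it into a SIEM. Because the page does not describe the layout inside each file, the parser accepts a single JSON object, a JSON array, or newline-delimited JSON per member; the member names, field names and record values in the sample archive are constructed for the example.

```python
"""Load and summarize a zipped JSON export (added example, not Red Canary code).

Assumptions (not stated on the page): the export is a zip archive whose
members are .json files, and each record carries a "type" field. Members may
hold one JSON object, a JSON array, or newline-delimited JSON; all three are
handled so a layout mismatch does not silently drop records.
"""
import io
import json
import zipfile
from collections import Counter
from typing import Iterator


def iter_records(member_bytes: bytes) -> Iterator[dict]:
    """Yield dict records from one archive member, whatever its layout."""
    text = member_bytes.decode("utf-8")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        # Not a single document: treat as NDJSON, one object per non-empty line.
        for line in text.splitlines():
            line = line.strip()
            if line:
                yield json.loads(line)
        return
    if isinstance(doc, list):
        yield from (r for r in doc if isinstance(r, dict))
    elif isinstance(doc, dict):
        yield doc


def summarize_archive(zip_bytes: bytes, type_key: str = "type") -> dict:
    """Parse every .json member of a zip and count records by `type_key`.

    `type_key` is an assumed field name; a real export may use a different key,
    in which case records are counted under "<missing>" rather than lost.
    Returns {"members": [...], "record_count": n, "by_type": {...}}.
    """
    members = []
    by_type: Counter = Counter()
    count = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Skip directories and non-JSON members (e.g. a README).
            if info.is_dir() or not info.filename.lower().endswith(".json"):
                continue
            members.append(info.filename)
            for rec in iter_records(zf.read(info)):
                count += 1
                by_type[str(rec.get(type_key, "<missing>"))] += 1
    return {"members": members, "record_count": count, "by_type": dict(by_type)}


def build_sample_archive() -> bytes:
    """Constructed sample export (not real telemetry) covering NDJSON and array layouts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("telemetry/part-0001.json", "\n".join([
            json.dumps({"type": "process_start", "hostname": "host-a", "pid": 4242}),
            json.dumps({"type": "network_connection", "hostname": "host-a", "dst": "203.0.113.9"}),
        ]) + "\n")
        zf.writestr("telemetry/part-0002.json", json.dumps([
            {"type": "process_start", "hostname": "host-b", "pid": 1337},
        ]))
        zf.writestr("README.txt", "not json, skipped")
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(summarize_archive(build_sample_archive()), indent=2))
```

Run it as-is to see the summary for the constructed archive, or pass the bytes of a real export to `summarize_archive` (adjusting `type_key` to whatever field the export actually uses). The record count and per-type totals give you a quick check that the archive is complete and parseable before you hand it to Canary Exporter, Azure Sentinel, or another tool.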