Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard (Formerly CBD): All Supported Versions
- EEDR (Formerly CBTH): All Supported Versions
Question
Can Events be retrieved from the backend after the event data retention cut-off date has passed?
Answer
No. Once an Event (Alerted or non-Alerted) passes the data retention limit for the org, it is no longer available and is purged from the backend entirely.
Additional Notes
- Endpoint Standard: Events associated with an alert (those with an AlertID) are stored for 180 days; all other Events are stored for 30 days
- EEDR: Events are stored for 30 days
- In ES + EEDR orgs, the Investigate and Process Analysis pages work from the 30-day store that EEDR uses, so data retention is lowered