Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: Are Events able to be retrieved from the Backend when event data retention cut-off date has been hit?

Carbon Black Cloud: Are Events able to be retrieved from the Backend when event data retention cut-off date has been hit?

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard (Formerly CBD): All supported Versions
  • EEDR (Formerly CBTH): All Supported Versions

Question

Are Events able to be retrieved from the Backend when event data retention cut-off date has been hit?

Answer

No - Once an Event (Alerted or non-Alerted) passes the data retention limit for the org, it is no longer available and gets purged from the backend entirely

Additional Notes

  • Endpoint Standard: Alert Events (those with an AlertID) are stored for 180 days if they are associated with an alert, 30 days otherwise
  • EEDR: Events are stored for 30 days
  • In ES + EEDR orgs, the Investigate and Process Analysis page are working off the 30 day store that EEDR uses, so data retention is lowered

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎07-08-2021
Views:
385
Contributors