Environment
- Carbon Black Cloud Console (aka CBD): August '16 Release (0.18.x) and Higher
- Enterprise EDR Console (aka CBTH): All Versions
Question
How long are Events and Alerts able to be seen and reviewed in the Console?
Answer
- Carbon Black Cloud Console (CBD): Events associated with an alert (those with an AlertID) are stored for 180 days; all other events are stored for 30 days.
- Enterprise EDR Console (CBTH): Events are stored for 30 days.
- In CBD + CBTH organizations, the Investigate and Process Analysis pages work from the 30-day store that CBTH uses, so data retention on those pages is lowered. Alert Triage currently uses the longer 180-day retention.
Additional Notes
- Although legacy Cb Defense (Confer) customers are not affected by this change, their data retention limits are subject to change upon contract renewal.
- If you are looking for normal Events (not tied to Alerts) on the Investigate page, you will see this cut-off quite clearly.