Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How long are Alerts and Events kept?

Carbon Black Cloud: How long are Alerts and Events kept?

Environment

  • Carbon Black Cloud Console (aka CBD): August '16 Release (0.18.x) and Higher
  • Enterprise EDR Console (aka CBTH): All Versions

Question

How long are Events and Alerts able to be seen and reviewed in the Console?

Answer

  • Carbon Black Cloud Console (CBD): Alert Events (those with an AlertID) are stored for 180 days if they are associated with an alert, 30 days otherwise.
  • Enterprise EDR Console (CBTH): Events are stored for 30 days.
  • In CBD + CBTH organizations, the Investigate and Process Analysis page are working off the 30 day store that CBTH uses, so data retention is lowered. Alert Triage is currently using the longer 180 day retention.

Additional Notes

  • Although legacy Cb Defense (Confer) customers are not affected by this change, their data retention limits are subject to change upon contract renewal.
  • If you are looking for normal Events (not tied to Alerts) on the Investigate page, you will see this cut-off fairly evidently.

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
3540
Contributors