The integrated Backup feature of EDR is implemented as a full snapshot of the database taken at a given time. Events collected by the EDR during the backup process are not included in the snapshot.
Depending on the database size, the encryption setting, the network transfer rate and the resources available on the storage destination, a full backup can take days to finish. As a result, any event data collected since the last successfully completed backup is lost if the EDR has to be redeployed and restored from that backup.
The backup process puts a heavy load on the system and affects the overall performance of EDR. In addition, the SEPM gatherer process is halted while the backup runs, so no new machines can be enrolled in EDR until the backup completes.
To keep a historical view of event data readily available, we recommend using the SIEM integration with EDR, so that event data is retained outside the EDR database and does not depend on the backup schedule.