Carbon Black Cloud: Are Events able to be retrieved from the Backend when event data retention cut-off date has been hit?

Article ID: 289898

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Are Events able to be retrieved from the Backend when event data retention cut-off date has been hit?

Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard (Formerly CBD): All supported Versions
  • EEDR (Formerly CBTH): All Supported Versions

Resolution

No. Once an Event (Alerted or non-Alerted) passes the data retention limit for the org, it is purged from the backend entirely and is no longer available.

Additional Information

  • Endpoint Standard: Events associated with an alert (those with an AlertID) are stored for 180 days; all other events are stored for 30 days
  • EEDR: Events are stored for 30 days
  • In ES + EEDR orgs, the Investigate and Process Analysis pages work off the 30-day store that EEDR uses, so data retention is lowered