How long does Red Canary store customer data?
Red Canary stores all threat-related data for the life of the account.
We ingest our customer's telemetry data into our AWS S3 Storage. After 14 days all of the EDR telemetry that is not related to a threat is moved to our AWS Glacier (archival) storage where it is retained for 1 year (365 days). This often exceeds the amount of time data is retained in native EDR platforms.
Data can be requested on demand by contacting your account team.
NOTE: Once the data is moved to Glacier, it takes time to recover the data and it can be expensive to recover.
If Red Canary hosts your EDR solution (like Carbon Black EDR), the EDR telemetry is only stored for 14 days by default unless a different retention time is requested.
Frequently Asked Questions
1) How is the data in cold storage sent/provided?
The data files are provided in JSON format, zipped and can be made available via a secure, private link.
2) What do we need to do to load/review the data? Do we have to stand up some kind of special environment for that?
The contents of the file(s) that are extracted should be able to be opened/reviewed with any text editor or JSON parser.
3) Could we leverage Azure Sentinel to import and review the JSON data? What other tools can they use for this?
You can use any sort of JSON data parser you choose. Using Canary Exporter would be a great alternative option for this, especially if things are time sensitive (quicker option). The downsides are bandwidth and storage.