We ingest our customers' telemetry data into our Amazon Web Services (AWS) S3 storage. After 14 days, all Endpoint Detection and Response (EDR) telemetry that is not related to a threat is moved to our archival storage, where it is currently retained for a total of one year (365 days). Telemetry ingested after September 1, 2023 that is not related to a threat will be moved to archival storage and retained for 90 days.
Data can be requested by contacting your account team.
Note: Once data has been moved to the archive, recovering it takes time and can be costly.
Q: How is the data in cold storage sent/provided?
A: The data files are provided as zipped JSON and can be made available via a secure, private link.
Q: What do we need to do to load/review the data? Do we have to stand up some kind of special environment for that?
A: No special environment is needed. Once extracted, the file(s) can be opened and reviewed with any text editor or JSON parser.
Q: Could we use Azure Sentinel to import and review the JSON data? What other tools can we use for this?
A: You can use any JSON parser you choose. Canary Exporter is a good alternative, especially if things are time sensitive, since it is the quicker option; the downsides are bandwidth and storage.
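As an added example of reviewing an archive export without a special environment (this is illustrative code written for this page, not a tool shipped with the service), the script below opens a zipped JSON export in memory, handles members written either as a JSON array or as newline-delimited JSON, skips non-JSON members, and produces per-field counts and simple filters that are handy before deciding what to forward to a SIEM such as Sentinel. The archive layout and the field names used for filtering (`event_type`, `hostname`) are assumptions; substitute whatever the real export contains. The sample archive is constructed inside the script and is not real telemetry.

```python
"""Added example: load a zipped JSON telemetry export for review.

Not part of the original FAQ. Assumes each archive member is either a
JSON array of event objects or newline-delimited JSON (NDJSON). The
field names "event_type" and "hostname" are hypothetical.
"""
import io
import json
import zipfile
from typing import Dict, Iterator, List


def _parse_member(name: str, raw: bytes) -> List[dict]:
    """Parse one archive member as a JSON array or as NDJSON."""
    text = raw.decode("utf-8-sig")  # tolerate a UTF-8 BOM
    stripped = text.strip()
    if not stripped:
        return []
    if stripped.startswith("["):
        data = json.loads(stripped)
        if not isinstance(data, list):
            raise ValueError(f"{name}: expected a JSON array")
        return data
    # Newline-delimited JSON: one object per line, blank lines ignored.
    records = []
    for lineno, line in enumerate(stripped.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"{name}:{lineno}: {exc}") from exc
    return records


def iter_events(zip_bytes: bytes) -> Iterator[dict]:
    """Yield every event object from every .json member of a zip archive.

    The archive is read from bytes so everything stays in memory; for a
    very large export pass a file path to zipfile.ZipFile instead.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".json"):
                continue
            for record in _parse_member(info.filename, zf.read(info)):
                if isinstance(record, dict):
                    yield record


def summarize(zip_bytes: bytes, field: str = "event_type") -> Dict[str, int]:
    """Count events per value of `field` (missing values bucketed as "<none>")."""
    counts: Dict[str, int] = {}
    for ev in iter_events(zip_bytes):
        key = str(ev.get(field, "<none>"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def select(zip_bytes: bytes, **where: str) -> List[dict]:
    """Return events whose fields equal all of the given key=value filters."""
    return [ev for ev in iter_events(zip_bytes)
            if all(str(ev.get(k)) == v for k, v in where.items())]


def build_sample_archive() -> bytes:
    """Constructed sample export (not real telemetry): one array-style and
    one NDJSON-style member, plus a non-JSON member that must be skipped."""
    array_member = json.dumps([
        {"event_type": "ProcessRollup", "hostname": "ws-01", "cmd": "powershell.exe"},
        {"event_type": "DnsRequest", "hostname": "ws-01", "domain": "example.com"},
    ])
    ndjson_member = "\n".join([
        json.dumps({"event_type": "ProcessRollup", "hostname": "ws-02", "cmd": "cmd.exe"}),
        "",
        json.dumps({"event_type": "NetworkConnect", "hostname": "ws-02", "dst": "10.0.0.5"}),
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("export/day1.json", array_member)
        zf.writestr("export/day2.json", ndjson_member)
        zf.writestr("export/README.txt", "not telemetry")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print(summarize(sample))
    for ev in select(sample, event_type="ProcessRollup"):
        print(ev["hostname"], ev["cmd"])
```

The per-file parse errors carry the member name and line number so a corrupt member in a large export can be located without re-reading the whole archive; the counts give a quick feel for volume per event type before committing bandwidth and storage to a full import.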