How long are detection events kept in Falcon?
Detection events in Falcon are kept for the duration of your subscribed data retention period. This means the retention period can vary depending on the specific terms of the subscription agreement with Falcon. Different customers could have different data retention periods, tailored to their needs and the service level they have subscribed to.
The wording of the question makes this confusing. Detections themselves are kept for 90 days but event data is only kept for the event retention set.
Option A. Note: CrowdStrike keeps detection data in the cloud for 90 days, after which some of the data gets purged from the database. Null icons indicate that some of the data for a process has started to be nullified. It could be a missing tactic, label, metadata or any part of the information pertaining to that process.
A is correct
I think the right answer should be B
Shoot, it could be A. Per the CCFA Checklist Notes: "Data is only available in the Falcon UI for investigations, etc. through the company's data retention time frame; detection information is kept for 90 days regardless; UI audits are available for 1 year."
90 days only
Activity feed (alerts) are kept 90 days. Events (EAM data) depend on your contract.
I think this is C. It says Detection Events. Events are stored for 7 days.
Going to go with B; it's either B or C. Bad question, really.
https://www.crowdstrike.com/products/endpoint-security/falcon-insight-edr/faq/