How long are detection events kept in Falcon?
Detection events in Falcon are kept for the duration of your subscribed data retention period. This means the retention period can vary depending on the specific terms of the subscription agreement with Falcon. Different customers could have different data retention periods, tailored to their needs and the service level they have subscribed to.
90 days only
Shoot, it could be A. Per the CCFA Checklist Notes: "Data is only available in the Falcon UI for investigations, etc. through the company’s data retention time frame; detection information is kept for 90 days regardless; UI audits are available for 1 year"
I think the right answer should be B
A is correct
Option A. Note: CrowdStrike keeps detection data in the cloud for 90 days, after which some of the data gets purged from the database. Null icons indicate that some of the data for a process has started to be nullified. It could be a missing tactic, label, metadata or any part of the information pertaining to that process.
The wording of the question makes this confusing. Detections themselves are kept for 90 days but event data is only kept for the event retention set.
https://www.crowdstrike.com/products/endpoint-security/falcon-insight-edr/faq/
Going to go with B; it's either B or C. Bad question really.
I think this is C. It says Detection Events. Events are stored for 7 days.
Activity feed (alerts) are kept 90 days. Events (EAM data) depend on your contract.