Edit

Data retention across Microsoft Defender for IoT

  • Article

Microsoft Defender for IoT sensors learn a baseline of your network traffic during the initial learning period after deployment. This learned baseline is stored indefinitely on your sensors.

Defender for IoT also stores other data in the Azure portal, on OT network sensors, and on-premises management consoles.

Each storage location affords a certain storage capacity and retention times. This article describes how much and how long each type of data is stored in each location before it's either deleted or overridden.

Device data retention periods

The following table lists how long device data is stored in each Defender for IoT location.

Storage type Details
Azure portal 90 days from the date of the Last activity value.

For more information, see Manage your device inventory from the Azure portal.
OT network sensor 90 days from the date of the Last activity value.

For more information, see Manage your OT device inventory from a sensor console.
On-premises management console 90 days from the date of the Last activity value.

For more information, see Manage your OT device inventory from an on-premises management console.

Alert data retention

The following table lists how long alert data is stored in each Defender for IoT location. Alert data is stored as listed, regardless of the alert's status, or whether it's been learned or muted.

Storage type Details
Azure portal 90 days from the date in the First detection value.

For more information, see View and manage alerts from the Azure portal.
OT network sensor 90 days from the date in the First detection value.

For more information, see View alerts on your sensor.
On-premises management console 90 days from the date in the First detection value.

For more information, see Work with alerts on the on-premises management console.

OT alert PCAP data retention

The following table lists how long PCAP data is stored in each Defender for IoT location.

Storage type Details
Azure portal PCAP files are available for download from the Azure portal for as long as the OT network sensor stores them.

Once downloaded, the files are cached on the Azure portal for 48 hours.

For more information, see Access alert PCAP data.
OT network sensor Dependent on the sensor's storage capacity allocated for PCAP files, which is determined by its hardware profile:

- C5600: 130 GB
- E1800: 130 GB
- E1000 : 78 GB
- E500: 78 GB
- L500: 7 GB
- L100: 2.5 GB
- L60 *: 2.5 GB

If a sensor exceeds its maximum storage capacity, the oldest PCAP file is deleted to accommodate the new one.

For more information, see Access alert PCAP data and Pre-configured physical appliances for OT monitoring.
On-premises management console PCAP files aren't stored on the on-premises management console and are only accessed from the on-premises management console via a direct link to the OT sensor.

The usage of available PCAP storage space depends on factors such as the number of alerts, the type of the alert, and the network bandwidth, all of which affect the size of the PCAP file.

Tip

To avoid being dependent on the sensor's storage capacity, use external storage to back up your PCAP data.

Security recommendation retention

Defender for IoT security recommendations are stored only on the Azure portal, for 90 days from when the recommendation is first detected.

For more information, see Enhance security posture with security recommendations.

OT event timeline retention

OT event timeline data is stored on OT network sensors only, and the storage capacity differs depending on the sensor's hardware profile.

The retention of event timeline data isn't limited by time. However, assuming a frequency of 500 events per day, all hardware profiles will be able to retain the events for at least 90 days.

If a sensor exceeds its maximum storage size, the oldest event timeline data file is deleted to accommodate the new one.

The following table lists the maximum number of events that can be stored for each hardware profile:

Hardware profile Number of events
C5600 10M events
E1800 10M events
E1000 6M events
E500 6M events
L500 3M events
L100 500-K events
L60 * 500-K events

For more information, see Track sensor activity and Pre-configured physical appliances for OT monitoring.

OT log file retention

Service and processing log files are stored on the Azure portal for 30 days from their creation date.

Other OT monitoring log files are stored only on the OT network sensor and the on-premises management console.

For more information, see:

On-premises backup file capacity

Both the OT network sensor and the on-premises management console have automated backups running daily.

On both the OT sensor and the on-premises management console, older backup files are overridden when the configured storage capacity has reached its maximum.

For more information, see:

Backups on the OT network sensor

The retention of backup files depends on the sensor's architecture, as each hardware profile has a set amount of hard disk space allocated for backup history:

Hardware profile Allocated hard disk space
L60 * Backups are not supported
L100 Backups are not supported
L500 20 GB
E1000 60 GB
E1800 100 GB
C5600 100 GB

If the device doesn't have allocated hard disk space, then only the last backup will be saved on the on-premises management console.

Backups on the on-premises management console

Allocated hard disk space for on-premises management console backup files is limited to 10 GB and to only 20 backups.

If you're using an on-premises management console, each connected OT sensor also has its own, extra backup directory on the on-premises management console:

  • A single sensor backup file is limited to a maximum of 40 GB. A file exceeding that size won't be sent to the on-premises management console.
  • Total hard disk space allocated to sensor backup from all sensors on the on-premises management console is 100 GB.

Next steps

For more information, see: