Data security and retention in Microsoft Defender XDR
Article
Applies to:
Microsoft Defender XDR
Microsoft Defender XDR integrates with several different Microsoft security services, which collect data using various technologies. Integrated services allow Microsoft Defender XDR to access their data for the purpose of identifying cross-product correlations.
Collected data
Customer data collected from integrated services includes processed data, such as incidents and alerts, and configuration data, such as connector settings, rules and so on.
Data storage location
Microsoft Defender XDR operations in Microsoft Azure data centers in the following geographical regions:
European Union: North Europe and West Europe
United Kingdom: UK South and UK West
United States: East US 2 and Central US
Australia: Australia East and Australia Southeast
Switzerland: Switzerland North and Switzerland West
India: Central India and South India
Once created, the Microsoft Defender XDR tenant isn't movable to a different region. Your geographical region is shown in the Microsoft Defender portal, under Settings > Microsoft Defender XDR > Account.
Customer data stored by integrated services might also be stored in the following locations:
The original location for the relevant service.
A region defined by data storage rules of an integrated service, if Microsoft Defender XDR shares data with that service.
Data retention
Microsoft Defender XDR data is retained for 180 days, and is visible across the Microsoft Defender portal during that time, except for in Advanced hunting queries.
Data continues to be retained and visible, even when a license is under a grace period or in suspended mode. At the end of any grace period or suspension, and no later than 180 days from a contract termination or expiration, data is deleted from Microsoft's systems and is unrecoverable.
Most Defender services also have a default data retention period of 180 days. More information on data retention period per product is found in relevant service docs.
Data sharing
Microsoft Defender XDR shares data among the following Microsoft products, also licensed by the customer:
Understand what Microsoft Defender XDR is and how it can help to improve your security posture by empowering your Security Operations Center (SOC) or security teams with the tools they need to identify, control, and remediate security threats.