Data retention information for Microsoft Defender for Office 365
By default, data across different features is retained for a maximum of 30 days. However, for some of the features, you can specify the retention period based on policy. See the following table for the different retention periods for each feature.
Microsoft Defender for Office 365 comes in two different subscriptions: Plan 1 and Plan 2. If you have Threat Explorer at https://security.microsoft.com/threatexplorer, you have Plan 2. Otherwise, you have Real-time Detections at https://security.microsoft.com/realtimereports as part of Plan 1.
Your Defender for Office 365 subscription affects the tools that are available to you, so make sure you know which subscription you have as you learn.
Defender for Office 365 Plan 1
|Alert metadata details (Defender for Office 365 alerts)||90 days.|
|Entity metadata details (Email)||30 days.|
|Activity alert details (audit logs)||7 days.|
|Email entity page||30 days.|
|Quarantine||30 days (configurable; 30 days is the maximum).|
|Reports||90 days for aggregated data.
30 days for detailed information.
|Real-Time detections||30 days.|
Defender for Office 365 Plan 2
Defender for Office 365 Plan 1 capabilities, plus:
|Action Center||180 days.
Office Action Center 30 days.
|Advanced Hunting||30 days.|
|AIR (Automated investigation and response)||60 days for investigations metadata.
30 days for email metadata.
|Attack simulation training data||18 months.|
|Threat Analytics||30 days.|
|Threat Explorer||30 days.|
|Threat Trackers||30 days.|