Data retention, privacy, and sharing across Microsoft Defender for IoT

Microsoft Defender for IoT stores data in the Microsoft Azure portal, in OT network sensors, and in on-premises management consoles.

Each storage type has varying storage capacity options and retention times. This article describes the data retention policy for the amount of data and length of time the data is stored in each storage type before being deleted or overwritten.

What are we collecting?

Defender for IoT collects information from your configured devices and stores it in a service specific, customer-dedicated and segregated tenant. The stored data is for administration, tracking, and reporting purposes.

Information collected includes network connection data (IPs and ports), and device details (device identifiers, names, operating system versions, firmware versions). Defender for IoT stores this data securely in accordance with Microsoft privacy practices and Microsoft Trust Center policies.

This data enables Defender for IoT to:

  • Proactively identify indicators of attack (IOAs) in your organization.
  • Generate alerts if a possible attack is detected.
  • Provide your security team a view into devices and addresses related to threat signals from your network, enabling you to investigate and explore possible network security threats.

Microsoft doesn't use your data for advertising.

Data location

Defender for IoT uses the Microsoft Azure data centers in the European Union and the United States. Customer data collected by the service might be stored in one of two geo-locations:

  • The geolocation of the tenant as identified during provisioning.
  • The geolocation as defined by the data storage rules of an online service, that's used by Defender for IoT to process its data.

Data retention

Data from Defender for IoT is retained for as long as a customer is active or for 90 days after the end of your contract. During this period the data is visible across your other services on the portal.

Your data is kept and is available while your license is under a grace period or in suspended mode. 90 days after the end of this period, your data is erased from Microsoft's systems making it unrecoverable.

Device data retention periods

The following table lists how long device data is stored in each Defender for IoT storage type.

Storage type Details
Azure portal 90 days from the date of the Last activity value.

For more information, see Manage your device inventory from the Azure portal.
OT network sensor 90 days from the date of the Last activity value.

For more information, see Manage your OT device inventory from a sensor console.
On-premises management console 90 days from the date of the Last activity value.

For more information, see Manage your OT device inventory from an on-premises management console.

Alert data retention

The following table lists how long alert data is stored in each Defender for IoT storage type. Alert data is stored as listed, regardless of the alert's status, or whether it's been learned or muted.

Storage type Details
Azure portal 90 days from the date in the First detection value.

For more information, see View and manage alerts from the Azure portal.
OT network sensor 90 days from the date in the First detection value.

For more information, see View alerts on your sensor.
On-premises management console 90 days from the date in the First detection value.

For more information, see Work with alerts on the on-premises management console.

OT alert PCAP data retention

The following table lists how long PCAP data is stored in each Defender for IoT storage type.

Storage type Details
Azure portal PCAP files are available for download from the Azure portal for as long as the OT network sensor stores them.

Once downloaded, the files are cached on the Azure portal for 48 hours.

For more information, see Access alert PCAP data.
OT network sensor Dependent on the sensor's storage capacity allocated for PCAP files, which determines its hardware profile:

- C5600: 130 GB
- E1800: 130 GB
- E1000 : 78 GB
- E500: 78 GB
- L500: 7 GB
- L100: 2.5 GB

If a sensor exceeds its maximum storage capacity, the oldest PCAP file is deleted to accommodate the new one.

For more information, see Access alert PCAP data and Pre-configured physical appliances for OT monitoring.
On-premises management console PCAP files aren't stored on the on-premises management console and are only accessed from the on-premises management console via a direct link to the OT sensor.

The usage of available PCAP storage space depends on factors such as the number of alerts, the type of the alert, and the network bandwidth, all of which affect the size of the PCAP file.

Tip

To avoid being dependent on the sensor's storage capacity, use external storage to back up your PCAP data.

Security recommendation retention

Defender for IoT security recommendations are stored only on the Azure portal, for 90 days from when the recommendation is first detected.

For more information, see Enhance security posture with security recommendations.

OT event timeline retention

OT event timeline data is stored on OT network sensors only, and the storage capacity differs depending on the sensor's hardware profile.

The retention of event timeline data isn't limited by time. However, assuming a frequency of 500 events per day, all hardware profiles are able to retain the events for at least 90 days.

If a sensor exceeds its maximum storage size, the oldest event timeline data file is deleted to accommodate the new one.

The following table lists the maximum number of events that can be stored for each hardware profile:

Hardware profile Number of events
C5600 10M events
E1800 10M events
E1000 6M events
E500 6M events
L500 3M events
L100 500-K events

For more information, see Track sensor activity and Pre-configured physical appliances for OT monitoring.

OT log file retention

Service and processing log files are stored on the Azure portal for 30 days from their creation date.

Other OT monitoring log files are stored only on the OT network sensor and the on-premises management console.

For more information, see:

Backup file capacity

Both the OT network sensor and the on-premises management console have automated backups running daily, and older backup files are overwritten when the configured storage capacity reaches its limit.

For more information, see:

Backups on the OT network sensor

The retention of backup files depends on the sensor's architecture, as each hardware profile has a set amount of hard disk space allocated for backup history:

Hardware profile Allocated hard disk space
L100 Backups aren't supported
L500 20 GB
E1000 60 GB
E1800 100 GB
C5600 100 GB

If the device can't allocate enough hard disk space, then only the last backup is saved on the on-premises management console.

Backups on the on-premises management console

Allocated hard disk space for on-premises management console backup files is limited to 10 GB and to only 20 backups.

If you're using an on-premises management console, each connected OT sensor also has its own, extra backup directory on the on-premises management console:

  • A single sensor backup file is limited to a maximum of 40 GB. A file exceeding that size isn't sent to the on-premises management console.
  • Total hard disk space allocated to sensor backup from all sensors on the on-premises management console is 100 GB.

Data sharing for Microsoft Defender for IoT

Microsoft Defender for IoT shares data, including customer data, among the following Microsoft products, also licensed by the customer.

  • Microsoft Defender XDR
  • Microsoft Sentinel
  • Microsoft Threat Intelligence Center
  • Microsoft Defender for Cloud
  • Microsoft Defender for Endpoint
  • Microsoft Security Exposure Management

Next steps

For more information, see: