Learn about data retention for Agentic SIEM & XDR data sources, including the types of data retained, retention types, and how you can change or extend your retention period.

Connected Agentic SIEM & XDR data sources supply data used for analysis, threat hunting, and event correlation. Data is retained using analytic retention by default, which allows for more frequent data queries. Archival retention, used to retain data for compliance purposes or infrequent queries, is only available if you collect the data using a log repository.
Retained Agentic SIEM & XDR data for both Trend native and third-party products includes:
  • Activity logs
  • Detection logs
  • Events in Observed Attack Techniques
Retained Agentic SIEM & XDR data does not include:
  • Audit logs
  • Application data
Trend Vision One retains Agentic SIEM & XDR-related data for a set predefined or custom retention period. The Agentic SIEM & XDR-related data retention period refers to the following:
  • The length of time the retained data can be viewed in XDR Data Explorer
  • The length of time events can be viewed in Observed Attack Techniques
To extend data retention, you can allocate credits to Agentic SIEM and select retention periods for individual data sources in Data Source and Log Management > Data sources and retention > Agentic SIEM & XDR. Data for most data sources can be retained for up to two years. You can only change the retention period for a data source once per day.
The following Agentic SIEM & XDR-related data sources, solutions, and capabilities have fixed data retention periods that cannot be extended:
| Data source, solution, or capability | Data scope | Retention period |
|---|---|---|
| | Detection logs; Activity logs | 180 days |
| | Detection logs; Activity logs | 180 days |
| | Detection logs; Activity logs | 180 days |
| | Detection logs; Activity logs | 30 days |
| | Point product detection logs | 30 days |
| | Point product detection logs | 30 days |
| | Point product detection logs; Activity logs | 180 days |
| | Point product detection logs | 30 days |
| Forensics | Workspaces: 180 days; Evidence reports: 30 days; Timelines: 180 days; Scan and query results: 180 days | Varies by data scope |
| Workbench | Alerts | 180 days |
Tip
To extend the data retention period for Workbench alerts, contact your support provider.