Data security and retention in Microsoft Defender XDR
Microsoft Defender XDR operates in Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, and Switzerland. Customer data collected by the service is stored at rest in (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Microsoft Defender XDR to process such data.
Customer data in pseudonymized form might also be stored in central storage and processing systems in the United States.
The table below shows the general information on the data retention of specific service sources in Defender XDR:
| Product | Default data retention period | More information |
|---|---|---|
| Microsoft Defender for Endpoint | 180 days | Defender for Endpoint data storage and privacy |
| Microsoft Defender for Office 365 | Varies according to feature and license | Defender for Office 365 data retention information |
| Microsoft Defender for Identity | 180 days | Defender for Identity data storage and privacy |
| Microsoft Defender for Cloud Apps | 180 days | Defender for Cloud Apps data storage and privacy |
| Microsoft Entra | Varies according to feature and license | Microsoft Entra data storage and privacy |
| Microsoft Sentinel | 90 days for Basic logs, varies depending on pricing | Microsoft Sentinel pricing |
Note
Advanced hunting lets you query up to 30 days of raw data.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.