Introduction
As part of the Field Effect MDR service, ninety (90) days' worth of endpoint and network telemetry is stored locally on your primary appliance. Security-relevant cloud monitoring telemetry from supported cloud integrations is queried, stored, and enriched before being analyzed by Field Effect MDR. Thirty (30) days' worth of general logs are retained, and security-related events derived from log analysis are stored for up to 90 days.
Clients may also choose to back up this data in the Field Effect datacenter for longer periods at an additional cost:
- Extended Log Retention: All Field Effect alerts and their associated logs can be backed up in the Field Effect controlled cloud storage within the country of your choice (Canada, USA or UK) for a minimum of 12 months. Additional years can be purchased in yearly increments if additional log retention is needed.
- Full Log Retention: The Field Effect Primary Appliance also supports the ingestion of syslog data forwarded from devices that can access that appliance. In addition to retaining all Field Effect MDR alerts and associated log files, this offering will also retain any syslogs that are pushed to the primary appliance. Additional years can be purchased in yearly increments if additional log retention is needed. To set up the primary appliance to be able to ingest syslog data, please contact support@fieldeffect.com.
Logs that are Collected
The following sections describe the various log types that Field Effect MDR is able to store.
Alerts and Logs
Field Effect MDR is able to collect the following:
- Alerts:
- Generated by Field Effect endpoint agents and our network monitoring, cloud monitoring, and content analysis.
- Logs:
- Used by Field Effect MDR to generate AROs, when applicable, as part of a standard deployment. Windows event logs would be an example of this log type.
Non-Field Effect logs
"Non-Field Effect Logs" are the syslogs generated by other systems that are not part of the Field Effect service and are not used by Field Effect MDR for alert generation. If you have log retention requirements that must comply with specific regulations, these non-Field Effect logs are the ones those requirements apply to.
Examples include system logs forwarded to the appliance from firewalls, switches, VPN appliances, other network equipment, and Security Service Edge (SSE) solutions.
Integration Logs
When a generated ARO is related to Microsoft 365 or Google Workspace logs, the associated alert data is sent to the primary sensor and retained alongside the other alerts retained with this service. Otherwise, Field Effect MDR stores 30 days of raw logs and 90 days of alerts. Field Effect MDR does not currently support integration log retention beyond these timeframes.
- We store raw logs from cloud integrations for 30 days
- We store alerts generated from cloud integrations for 90 days, along with the logs from the cloud application that are relevant to the generated alert
How Log Retention Impacts CIS Controls
The following table shows Center for Internet Security (CIS) compliance controls and how our log retention meets each of these specific controls.
| CIS # | CIS Title | CIS Description | Asset At Corporate Office | Remote Asset |
|---|---|---|---|---|
| 8.5 | Collect Detailed Audit Logs | Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. | Yes, detailed audit logs are captured and saved on our network appliance. These logs are retained for 90 days. | Yes, detailed audit logs are captured and saved on our network appliance. These logs are retained for 90 days. |
| 8.6 | Collect DNS Query Audit Logs | Collect DNS query audit logs on enterprise assets, where appropriate and supported. | Yes, DNS query audit logs are captured at both the network and host layer and saved on our network appliance. These logs are retained for 90 days. | Yes, DNS query audit logs are captured at the host layer and saved on our network appliance. These logs are retained for 90 days. |
| 8.7 | Collect URL Request Audit Logs | Collect URL request audit logs on enterprise assets, where appropriate and supported. | Yes, URL Request audit logs are captured and saved on our network appliance. These logs are retained for 90 days. | No URL logging is performed. |
| 8.8 | Collect Command-Line Audit Logs | Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals. | Audit logs from command line parameters to new processes are captured and saved on our network appliance. These logs are retained for 90 days. Interactive commands through remote administrative terminals and full PowerShell and BASH logs are not currently collected from endpoints. | Audit logs from command line parameters to new processes are captured and saved on our network appliance. These logs are retained for 90 days. Interactive commands through remote administrative terminals and full PowerShell and BASH logs are not currently collected from endpoints. |