SentinelOne Data Retention and Storage Management
HOWTO | Advanced


Dylan H.

Security Operations

February 11, 2026
6 min read

SCENARIO

Organizations using SentinelOne Singularity Complete receive Deep Visibility EDR data retention ranging from the 14-day default up to 365+ days with a retention upgrade. This historical telemetry enables threat hunting, forensic investigations, and compliance reporting. However, longer retention periods increase storage costs and require deliberate data lifecycle management to balance investigative capability against budget constraints.

Use this guide when you need to:

  • Configure Deep Visibility data retention periods (14 days default, up to 365+ days)
  • Optimize storage costs while maintaining required retention for compliance (HIPAA, PCI-DSS, SOC 2)
  • Archive historical threat data for long-term forensic analysis
  • Manage data lifecycle policies (hot vs. cold storage tiers)
  • Calculate storage requirements for large deployments (10,000+ endpoints)
  • Export Deep Visibility data for external SIEM or data lake integration
  • Understand SentinelOne Data Lake architecture and performance optimization

Business Impact:

  • Compliance requirements: Meet regulatory retention mandates (HIPAA: 6 years, PCI-DSS: 1 year, SOC 2: 90 days minimum)
  • Cost optimization: Balance retention duration with storage costs ($X per endpoint per year)
  • Threat hunting: Longer retention enables historical threat hunting (identify APTs with months-long dwell time)
  • Forensic analysis: Investigate incidents that occurred weeks/months ago
  • Legal holds: Preserve data for litigation or regulatory investigations

SentinelOne Singularity Data Lake provides scalable, high-performance EDR data retention with configurable retention periods, query optimization, and export capabilities.


REQUIREMENTS & ASSUMPTIONS

Prerequisites:

  • SentinelOne Singularity Complete license: 14-day retention included, 365+ day retention available as upgrade
  • Console access: Admin role with Data Retention Management permissions
  • Storage planning: Estimated endpoint count and retention duration

License Verification:

Console > Settings > License > Data Retention: Shows current retention period (e.g., "365 days")

Default Retention Periods by License:

  • Singularity Core: 14 days
  • Singularity Control: 14 days
  • Singularity Complete: 14 days (default), upgradeable to 365+ days

Estimated Storage Requirements:

Average data per endpoint per day: 50-150 MB (varies by activity level)
1,000 endpoints × 100 MB/day × 365 days = ~36.5 TB per year
10,000 endpoints × 100 MB/day × 365 days = ~365 TB per year

PROCESS

Step 1: Verify current data retention configuration

  1. Navigate to Console → Settings → Data Retention

  2. Review current settings:

    • Deep Visibility Retention: X days (e.g., 14, 90, 365)
    • Threat Data Retention: X days (typically same as Deep Visibility)
    • Agent Logs Retention: X days
    • Audit Logs Retention: X days (typically 90-365 days for compliance)
  3. Check storage usage:

    • Total Data Stored: X TB
    • Average Daily Ingestion: X GB/day
    • Projected Storage (30/90/365 days): Calculated automatically

Result: You understand current retention configuration and storage consumption.


Step 2: Determine required retention period

Compliance Requirements:

Regulation             Minimum Retention        Typical Implementation
HIPAA                  6 years                  365 days hot storage + 5 years cold archive
PCI-DSS                1 year                   365 days
SOC 2                  90 days minimum          180-365 days
GDPR                   As needed for purpose    90-180 days (minimize data retention)
General Best Practice  90 days                  365 days for security operations

Operational Requirements:

Use Case                   Recommended Retention
Basic threat detection     14-30 days
Incident response          90 days
Threat hunting (APTs)      365 days
Forensic analysis          365+ days
Legal holds                Indefinite (archive)

Cost Considerations:

  • 14 days: Included with Complete license
  • 90 days: Moderate cost increase
  • 365 days: Significant cost increase (contact SentinelOne for pricing)

Recommendation: Start with 90 days for most organizations, upgrade to 365 days if budget allows or compliance requires.


Step 3: Configure data retention period

  1. Navigate to Console → Settings → Data Retention

  2. Click Edit Retention Policy

  3. Configure retention periods:

    Deep Visibility Data:

    • Retention Period: 365 days (or desired value)
    • Apply to: All sites (or specific sites)
    • Effective Date: Immediately (or scheduled date)

    Threat Data:

    • Retention Period: 365 days (match Deep Visibility)
    • Include Quarantined Files: Yes (for forensic analysis)

    Agent Logs:

    • Retention Period: 90 days (typically shorter than Deep Visibility)

    Audit Logs:

    • Retention Period: 365 days (for compliance tracking)
  4. Review storage impact:

    • Console displays estimated storage increase
    • Example: "Changing retention from 14 to 365 days will increase storage by ~25x"
  5. Confirm changes:

    • Click Save Changes
    • Retention policy updates within 24 hours
    • Historical data is NOT deleted when reducing retention (existing data ages out naturally)

Result: Data retention period is configured according to compliance and operational requirements.


Step 4: Optimize query performance for long retention

Longer retention periods can slow Deep Visibility queries if not optimized.

Query Optimization Best Practices:

  1. Always specify time ranges:

    ❌ Bad: EventType = "Process Creation"  # Queries ALL data
    ✅ Good: EventType = "Process Creation" AND CreatedAt >= "2025-11-01T00:00:00Z"
    
  2. Use indexed fields:

    • Fast: EventType, SrcProcName, FilePath, SrcProcCmdLine, DstIP
    • Slow: Free-text fields, regex patterns
  3. Limit result sets:

    CreatedAt >= "2025-11-20T00:00:00Z" LIMIT 10000  # Cap results at 10K
    
  4. Use aggregations for large datasets:

    EventType = "Network Connection" | GROUP BY DstIP | COUNT
    
  5. Schedule long-running queries during off-hours:

    • Queries spanning 365 days may take minutes
    • Use scheduled reports for routine hunts

Result: Queries execute efficiently even with long retention periods.


Step 5: Export data for archival or external analysis

Method 1: Export via Console (Manual)

  1. Navigate to Visibility → Deep Visibility
  2. Run query for data to export
  3. Click Export → CSV (up to 100K events per export)
  4. Download and archive to external storage

Method 2: Export via API (Automated)

<#
.SYNOPSIS
    Export Deep Visibility data via API for archival
.NOTES
    Deep Visibility queries are asynchronous: create the query, poll until it
    finishes, then page through the events. Confirm the endpoint paths against
    your console's API reference before running this in production.
#>
 
param(
    [Parameter(Mandatory)][string]$ApiToken,
    [Parameter(Mandatory)][string]$ConsoleUrl,             # e.g. https://<tenant>.sentinelone.net
    [string]$StartDate = "2025-01-01T00:00:00Z",
    [string]$EndDate   = "2025-12-31T23:59:59Z",
    [string]$Query     = 'EventType = "Process Creation"', # Deep Visibility query to export
    [int]$PageSize     = 1000
)
 
$headers = @{
    "Authorization" = "ApiToken $ApiToken"
    "Content-Type"  = "application/json"
}
$base = "$ConsoleUrl/web/api/v2.1/dv"
 
# 1. Create the query. The time range goes in fromDate/toDate, not in the query text.
$body = @{ query = $Query; fromDate = $StartDate; toDate = $EndDate; limit = 100000 } | ConvertTo-Json
$queryId = (Invoke-RestMethod -Uri "$base/init-query" -Headers $headers -Method Post -Body $body -ErrorAction Stop).data.queryId
 
# 2. Poll until the query has finished running.
do {
    Start-Sleep -Seconds 5
    $state = (Invoke-RestMethod -Uri "$base/query-status?queryId=$queryId" -Headers $headers -Method Get -ErrorAction Stop).data.responseState
} until ($state -eq "FINISHED" -or $state -eq "FAILED")
if ($state -ne "FINISHED") { throw "Deep Visibility query $queryId ended in state $state" }
 
# 3. Page through the results using the cursor returned with each page.
$events = New-Object System.Collections.Generic.List[object]
$cursor = $null
do {
    $uri = "$base/events?queryId=$queryId&limit=$PageSize"
    if ($cursor) { $uri += "&cursor=$([uri]::EscapeDataString($cursor))" }
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get -ErrorAction Stop
    if ($page.data) { $events.AddRange([object[]]$page.data) }
    $cursor = $page.pagination.nextCursor
} while ($cursor)
 
$outFile = "DeepVisibility-Export-$(Get-Date -Format 'yyyyMMdd').csv"
$events | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Exported $($events.Count) events to $outFile"

Method 3: SIEM Forwarding (Real-Time)

  • Configure syslog forwarding to Splunk, QRadar, or Azure Sentinel
  • Console → Settings → Integrations → SIEM
  • Forward Deep Visibility events in real-time (no manual export needed)

Result: Historical data is archived for long-term retention beyond SentinelOne's retention period.


Step 6: Manage storage costs

Cost Reduction Strategies:

  1. Tiered retention by site:

    • Critical sites (production servers): 365 days
    • Standard sites (workstations): 90 days
    • Low-risk sites (guest networks): 14 days
  2. Selective data collection:

    • Disable verbose logging for non-critical events
    • Filter out benign high-volume events (DNS queries to corporate DNS)
  3. Archive to cold storage:

    • Export data older than 90 days to S3/Azure Blob (lower cost)
    • Delete from SentinelOne after archival
  4. Right-size retention:

    • Review incident response times: If average MTTD is 14 days, 90-day retention may be sufficient

Cost Calculation Example:

Scenario: 5,000 endpoints
- 14-day retention: $X/year (included)
- 90-day retention: $X + $Y/year (~20% increase)
- 365-day retention: $X + $Z/year (~100-150% increase)

Recommendation: Use 90 days for most endpoints and 365 days for critical infrastructure.
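The following PowerShell function is an added example, not code from the original page or from SentinelOne. It applies the per-endpoint sizing formula from the Requirements section (endpoints × MB/day × days) to the tiered-by-site plan described above, so the hot storage the retention upgrade must cover can be compared with the cold archive the export strategy must hold. Get-DvStorageEstimate is a hypothetical helper; the site names, endpoint counts and retention tiers are constructed inputs.

```powershell
# Added example: estimate hot (SentinelOne) and cold (archive) storage for a tiered retention plan.
# Inputs are constructed; replace the MB/day figure with the console's "Average Daily Ingestion"
# metric (Step 1) before relying on the numbers.
function Get-DvStorageEstimate {
    param(
        [Parameter(Mandatory)][object[]]$Sites,   # objects with Name, Endpoints, HotDays, ArchiveDays
        [double]$MbPerEndpointPerDay = 100        # mid-range of the page's 50-150 MB/day estimate
    )
    foreach ($s in $Sites) {
        $dailyGb = $s.Endpoints * $MbPerEndpointPerDay / 1000
        [pscustomobject]@{
            Site        = $s.Name
            Endpoints   = $s.Endpoints
            DailyGB     = [math]::Round($dailyGb, 1)
            HotDays     = $s.HotDays
            HotTB       = [math]::Round($dailyGb * $s.HotDays / 1000, 2)      # steady-state data held in SentinelOne
            ArchiveDays = $s.ArchiveDays
            ArchiveTB   = [math]::Round($dailyGb * $s.ArchiveDays / 1000, 2)  # exported to S3/Blob after HotDays
        }
    }
}

# Constructed scenario: 5,000 endpoints split by site criticality (Step 6, strategy 1)
$sites = @(
    [pscustomobject]@{ Name = "Production servers"; Endpoints = 500;  HotDays = 365; ArchiveDays = 365 * 5 }  # 1 year hot + 5 years cold
    [pscustomobject]@{ Name = "Workstations";       Endpoints = 4000; HotDays = 90;  ArchiveDays = 275 }      # 365 days total, 90 hot
    [pscustomobject]@{ Name = "Guest network";      Endpoints = 500;  HotDays = 14;  ArchiveDays = 0 }
)

$estimate = Get-DvStorageEstimate -Sites $sites
$estimate | Format-Table -AutoSize

# Totals drive the budget discussion: hot TB is what the retention upgrade must cover,
# archive TB is what the cold tier must hold. Compare against a flat 365-day hot tier.
$hot     = ($estimate | Measure-Object -Property HotTB -Sum).Sum
$archive = ($estimate | Measure-Object -Property ArchiveTB -Sum).Sum
$flat365 = [math]::Round(5000 * 100 / 1000 * 365 / 1000, 2)
"Tiered plan: {0} TB hot, {1} TB cold archive; flat 365-day hot retention for the same fleet would need {2} TB" -f $hot, $archive, $flat365
```

The comparison line is the point of the exercise: most of the fleet's volume comes from workstations, so moving them to 90-day hot retention with cheaper archival cuts the hot tier substantially while the critical sites keep a full year online.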

Step 7: Implement legal hold (preserve data indefinitely)

For litigation or regulatory investigations:

  1. Identify endpoints requiring legal hold

  2. Export all Deep Visibility data for affected endpoints

  3. Archive to immutable storage (WORM storage, AWS Glacier, Azure Archive)

  4. Document chain of custody:

    • Who exported data
    • When exported
    • Hash of exported files (integrity verification)
  5. Disable deletion policies for legal hold data

  6. Notify legal team when data is preserved

Result: Data is preserved indefinitely for legal or regulatory purposes.
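The following PowerShell is an added example (not from the original page or from SentinelOne) of the chain-of-custody record called for in step 4 above: it hashes each exported file, writes a manifest recording who exported the data and when, hashes the manifest itself, and can later re-verify the files after they come back from archive storage. New-CustodyManifest and Test-CustodyManifest are hypothetical helpers; the LegalHold folder and matter identifier are placeholders.

```powershell
# Added example: record and verify chain of custody for exported legal-hold files.
# The helpers below are hypothetical, not part of the SentinelOne console or API.
function New-CustodyManifest {
    param(
        [Parameter(Mandatory)][string[]]$Path,        # exported Deep Visibility files (CSV/JSON)
        [Parameter(Mandatory)][string]$MatterId,      # case or ticket reference (placeholder value in usage)
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $entries = foreach ($f in Get-Item -Path $Path) {
        [pscustomobject]@{
            File   = $f.FullName
            Bytes  = $f.Length
            SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash   # integrity verification
        }
    }
    $manifest = [pscustomobject]@{
        MatterId   = $MatterId
        ExportedBy = "$env:USERDOMAIN\$env:USERNAME"                    # who exported the data
        ExportedAt = (Get-Date).ToUniversalTime().ToString("o")         # when, in UTC
        Host       = $env:COMPUTERNAME
        Files      = @($entries)
    }
    $manifest | ConvertTo-Json -Depth 4 | Set-Content -Path $ManifestPath -Encoding UTF8
    # Hash the manifest as well so its own integrity can be checked after archival.
    (Get-FileHash -Path $ManifestPath -Algorithm SHA256).Hash | Set-Content -Path "$ManifestPath.sha256"
    $manifest
}

function Test-CustodyManifest {
    param([Parameter(Mandatory)][string]$ManifestPath)
    # Re-hash every listed file and flag any that no longer match the recorded digest.
    $m = Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json
    foreach ($e in $m.Files) {
        $current = (Get-FileHash -Path $e.File -Algorithm SHA256).Hash
        [pscustomobject]@{ File = $e.File; Intact = ($current -eq $e.SHA256) }
    }
}

# Constructed usage: exports from Step 5 placed in .\LegalHold, held under a placeholder matter id
$exports = Get-ChildItem -Path ".\LegalHold\*.csv" | Select-Object -ExpandProperty FullName
New-CustodyManifest -Path $exports -MatterId "MATTER-PLACEHOLDER-001" -ManifestPath ".\LegalHold\custody.json" | Out-Null
Test-CustodyManifest -ManifestPath ".\LegalHold\custody.json" | Format-Table -AutoSize
```

Store the manifest and its .sha256 file alongside the exports in the immutable (WORM) location from step 3; running Test-CustodyManifest against the restored copy is the check that nothing changed between export and production of the evidence.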


VERIFICATION

Verify retention configuration:

  1. Check retention policy:

    Console → Settings → Data Retention → Current Policy: 365 days
    
  2. Verify historical data is queryable:

    • Run Deep Visibility query for old date range:
      CreatedAt >= "2025-01-01T00:00:00Z" AND CreatedAt <= "2025-01-31T23:59:59Z"
      
    • Verify results return (if data exists for that period)
  3. Check storage usage trends:

    Console → Settings → Data Retention → Storage Metrics
    - Daily Ingestion: X GB/day
    - Total Stored: X TB
    - Projected (365 days): X TB
    

TROUBLESHOOTING

Issue: Query timeouts on long retention

Solutions:

  1. Add time range filters: CreatedAt >= "2025-11-01T00:00:00Z"
  2. Use indexed fields (EventType, SrcProcName)
  3. Limit results: LIMIT 10000
  4. Break query into smaller time windows (weekly instead of yearly)
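As an added example (not from the original page or from SentinelOne), the PowerShell below implements solution 4 together with the time-range and result-limit rules from Step 4: it splits a long hunt into weekly windows and builds one bounded query body per window, keeping the indexed-field filter short and putting the time bounds in fromDate/toDate. Split-DvTimeRange and New-DvQueryBody are hypothetical helpers; the quarter-long date range is a constructed input.

```powershell
# Added example: break a year-scale hunt into bounded weekly queries.
# Split-DvTimeRange and New-DvQueryBody are hypothetical helpers, not SentinelOne cmdlets.
function Split-DvTimeRange {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [int]$WindowDays = 7
    )
    # Treat the supplied dates as UTC so the emitted timestamps match the console's "Z" format.
    $cursor = [datetime]::SpecifyKind($Start, 'Utc')
    $endUtc = [datetime]::SpecifyKind($End, 'Utc')
    while ($cursor -lt $endUtc) {
        $next = $cursor.AddDays($WindowDays)
        if ($next -gt $endUtc) { $next = $endUtc }   # last window may be shorter
        [pscustomobject]@{
            From = $cursor.ToString("yyyy-MM-ddTHH:mm:ssZ")
            To   = $next.ToString("yyyy-MM-ddTHH:mm:ssZ")
        }
        $cursor = $next
    }
}

function New-DvQueryBody {
    param(
        [Parameter(Mandatory)][string]$Filter,   # lead with an indexed field (EventType, SrcProcName, ...)
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [int]$Limit = 10000                      # cap results per window (Step 4, item 3)
    )
    # Time bounds go in fromDate/toDate so the filter itself stays short and indexable.
    @{ query = $Filter; fromDate = $From; toDate = $To; limit = $Limit } | ConvertTo-Json -Compress
}

# Constructed hunt: process creations over one quarter, one bounded request per week
$windows = Split-DvTimeRange -Start "2025-10-01" -End "2025-12-31" -WindowDays 7
$bodies  = foreach ($w in $windows) {
    New-DvQueryBody -Filter 'EventType = "Process Creation"' -From $w.From -To $w.To
}
"{0} weekly query bodies generated; first: {1}" -f @($bodies).Count, $bodies[0]
```

Each body can be submitted to the init-query endpoint in turn (the Step 5 export script shows the submit, poll and page sequence), and because every request covers at most seven days, a timeout on one window costs a single retry rather than the whole hunt.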

Issue: Storage costs exceeding budget

Solutions:

  1. Reduce retention to 90 days (from 365)
  2. Implement tiered retention by site criticality
  3. Export and archive old data to S3/Azure Blob
  4. Reduce verbose logging (filter benign events)


Document Version: 1.0 Last Updated: 2025-11-26 Author: CosmicBytez IT Operations