Data Storage and Retention FAQs

When you are storing your data in the cloud, it’s natural–and important–to have questions. Read on to learn about our thorough and secure approach to data collection, storage, and retention.

Data Privacy at Rapid7

For information about our data privacy policy, visit Rapid7 Trust.

What kind of data does InsightIDR collect?

InsightIDR integrates with your existing stack, ranging from network sources such as Active Directory, LDAP, and DHCP, to endpoint, cloud service data, and other existing security solutions.

The data is normalized, enriched, and correlated to users and assets to provide your team with answers during incident detection and investigation. InsightIDR does not collect any of your customer data if you use the standard event source configurations.

Do I need to purchase additional hardware to store logs with InsightIDR?

No. The logs from your existing network and security stack are collected through an on-premise collector and sent to Rapid7’s secured Amazon S3 buckets within Amazon Web Services (AWS).

AWS hosts a secure, scalable, cloud computing platform with high availability. It offers flexibility for Rapid7 to build a wide range of additional layers of security to handle data that’s in transit or at rest, and while it is being used in InsightIDR for searches or to generate detections.

How is my data used within InsightIDR?

InsightIDR uses the data collected across your network to reliably detect threats early in the Attack Chain.

The data collected by InsightIDR helps in the detection of malicious behavior, and when possible, attributes that behavior to the assets and user accounts involved. This allows your team to detect stealthy attacker behavior, such as the use of stolen passwords and lateral movement.

In addition to the pre-built analytics in InsightIDR, you can create basic detection rules (formerly known as custom alerts) using LEQL–the same query language that is used to search the log data.

With the SIEM capabilities in InsightIDR, any syslog can be ingested for use in Log Search and data visualizations, such as dashboards, to measure and report on compliance.

How long is the log data retained for?

With both the standard InsightIDR subscription and with Rapid7 Managed Detection and Response, it is retained for 13 months in Log Search. Logs that are ingested during that time period are retained and available for audit and compliance, as well as for search, visualization, and investigations. As a customer, you have the option to purchase additional storage retention for Log Search data.

Separately to log data, data that is generated in InsightIDR—such as detections, alerts, or investigations—is retained for 13 months.

To allow daily archiving of your log data, you must set up an Amazon S3 bucket to store your logs. After InsightIDR is connected to an Amazon S3 bucket, all logs that are generated from that point onward will be archived there.

How is the data at rest protected?

Data is encrypted before it is pushed from the collector to the cloud. InsightIDR employs public key cryptography and challenge-response handshakes to ensure the security of your data and the integrity of the credentials entrusted to the platform.

Data is protected by strict access controls. Your log data is tokenized using a unique UUID that walls your data off from other customers' data.

How does Rapid7 ensure stability and redundancy with my data in InsightIDR?

InsightIDR is hosted in Amazon Web Services (AWS) for all data storage and processing for analytics.

Rapid increases in CPU, memory, storage, and networking capacity are performed on demand to meet the scaling and performance needs of enterprise customers. We leverage AWS to guarantee backup, redundancy, and high availability.

AWS has SOC 1, 2 and 3 reports to attest to their backup methodology. Read the AWS Cloud Security documentation at: If needed, we can work with AWS to provide you with these reports.

On the Rapid7 side, we have carefully designed our infrastructure to build in redundancy, backup, and recovery capabilities. Our data centers have disaster recovery plans and their own risk assessments.

If I use Rapid7 Managed Detection and Response (MDR), can I still search and report on my data?

Yes. With an MDR subscription, your team is provisioned credentials to log in and use InsightIDR.

While our experts are monitoring and hunting across your network, you may use InsightIDR for log search, data visualization, and reporting. This combination means you’re getting managed detection, SIEM capabilities, and a bundled response plan in a single subscription.

For more information, see our Managed Detection and Response documentation.

What happens in the event of contract cancellation? Can my organization get our logs back?

If you choose to leave a Rapid7 service, you will have access to the platform until your end date. All data, including backups, will be deleted after 90 days. Should you request deletion of your data prior to that, we’ll process that request within 14 days.

If you choose to retain Managed Services reports, you should download them from the Services Portal prior to the last day of service. Your final report will be delivered in a secure email.

If you want to retain your log data, you can set up the Data Archiving feature. This will carry out a daily backup of the log data ingested on that day. These backups are stored in an Amazon S3 bucket that you manage. If you did not set up daily archiving, then you can use historical archiving to archive all log data at once.

Archiving limitations apply

The process of archiving large amounts of data can take several days to complete. For this reason, historical archiving is limited to only twice a year.