Palo Alto Networks Knowledgebase: Aperture and WildFire data retention period
Aperture and WildFire data retention period
Created On 02/07/19 23:35 PM - Last Updated 02/07/19 23:36 PM
When Aperture analyzes a file, it will first query WildFire to check if the file has been seen before. If not, it will check its WildFire policy to determine whether or not to forward the file to WildFire for malware analysis. When this happens, the WildFire cloud retention policies are still applicable. Note that it is a policy decision in Aperture to forward files to WildFire, not an “always on” function.
For data analysis, access, and exposure controls, Aperture examines files in memory only. What this means is that no customer files are copied to Aperture's storage. When the analysis queue is complete, the compute nodes that analyzed the files are destroyed and the memory is wiped in accordance with AWS data destruction terms and policies. Aperture will retain metadata — information about the files (file size, creator, modification data, etc.), but not the files themselves. Aperture doesn’t currently offer any SLA on how long this this metadata is retained, but currently it is not capped and is held for up to 90 days following termination of service in case service is resumed.