File: docs/cse/administration/cse-data-retention.md
Lines changed: 9 additions & 22 deletions
@@ -6,30 +6,17 @@ description: See retention periods for different types of Cloud SIEM data.
6
6
---
7
7
8
8
9
-
This topic lists the Cloud SIEM data that is retained on the Sumo Logic platform and in Cloud SIEM, and the retention period for each type of data.
9
+
This topic describes how long different kinds of Cloud SIEM data are retained.
10
10
11
-
## Sumo Logic platform
11
+
| Data | Partition location | Retention in the partition | Viewable in Cloud SIEM|
12
+
| :-- | :-- | :-- | :-- |
13
+
| Insights | The [`sumologic_system_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from system actions. <br/><br/> The [`sumologic_audit_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from user actions. <br/><br/>There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | 30 days<br/><br/>This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Indefinitely <br/><br/>Playbook and action executions on insights are viewable in Cloud SIEM for 2 years. For customers who need to ensure HIPAA compliance, we remove that data after 7 years. |
14
+
| Signals | Stored in the [`sec_signal` partition](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo/#partition-for-cloud-siem-signals).<br/>There is no additional charge for storage of signals. | 2 years | Signals that are attached to insights are viewable in Cloud SIEM indefinitely. <br/><br/>Signals that are not attached to insights are viewable in Cloud SIEM for 30 days if suppressed, and for 1 year if unsuppressed. |
15
+
| Records | Records (normalized logs) are stored in the partitions whose names begin with the string [`sec_records`](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). There is one partition for each record type. <br/>There is no additional charge for storage of records.| 90 days | Records attached to signals are viewable in Cloud SIEM as long as the signals are viewable (see above). Records not attached to signals are viewable for only 90 days. |
16
+
| Raw logs | Raw logs reside in your [default partition](/docs/manage/partitions/run-search-against-partition/#search-the-default-partition) in Sumo Logic. | The retention period defined for your default partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Raw logs are not viewable in Cloud SIEM. (Data from raw logs is normalized before appearing as records in Cloud SIEM.) |
12
17
13
-
This table lists where, and for how long, different types of Cloud SIEM data are retained on the Sumo Logic platform.
18
+
## Custom retention periods
14
19
15
-
| Data | Location | Retention |
16
-
| :-- | :-- | :-- |
17
-
| Raw logs | Raw logs reside in your Default Partition in Sumo Logic | The retention period defined for your Default Partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). |
18
-
| Records | Records (normalized logs) are stored in the partitions whose names begin with the string `sec_records`. There is one partition for each record type. <br/>There is no additional charge for storage of records.| 90 days |
19
-
| Signals | Stored in the `sec_signal` partition.<br/>There is no additional charge for storage of signals. | 2 years |
20
-
| Insights | The `sumologic_system_events` partition contains insights and insight-related events that result from system actions. <br/> The `sumologic_audit_events` partition contains insights and insight-related events that result from user actions. <br/>There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | By default, these partitions have a retention period of 30 days. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). |
21
-
22
-
23
-
### Cloud SIEM
24
-
25
-
* Insights and signals that are attached to insights are retained in Cloud SIEM indefinitely.
26
-
* Signals that are not attached to insights are retained in Cloud SIEM:
27
-
* For 30 days if suppressed.
28
-
* For 365 days if unsuppressed.
29
-
* Playbook and action executions are retained in Cloud SIEM for 2 years. For those that need to ensure HIPAA compliance, we delete the data after 7 years.
30
-
31
-
### Custom retention periods
32
-
33
-
You can request retention periods different from those declared in the tables above, as long as the retention period requested is greater than 1 day and less than 5000 days.
20
+
You can request retention periods different from those declared in the table above, as long as the retention period requested is greater than 1 day and less than 5000 days.
34
21
35
22
In order to do that, open a [Support ticket](/docs/get-started/help#support) with your request.
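Review bot: the Insights row of the new table carries over an ambiguous sentence that this rewrite was a good chance to fix: "Playbook and action executions on insights are viewable in Cloud SIEM for 2 years. For customers who need to ensure HIPAA compliance, we remove that data after 7 years." Read literally, the same data is both gone after 2 years and still present at year 7; please state explicitly whether HIPAA customers get a 7-year viewing period in place of the 2-year default, for example "are viewable for 2 years (7 years for customers who have requested HIPAA-compliant retention)". Two smaller points in the same hunk: the table header line `| Data | Partition location | Retention in the partition | Viewable in Cloud SIEM|` is missing the space before the final pipe, and the old Insights wording "By default, these partitions have a retention period of 30 days" was the clearer phrasing, since the new cell reads as if 30 days were fixed until the reader reaches the next sentence.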