Commit 9a6400e

Rearrange table
1 parent ed09b20 commit 9a6400e

1 file changed

+5
-9
lines changed

docs/cse/administration/cse-data-retention.md

Lines changed: 5 additions & 9 deletions
@@ -8,16 +8,12 @@ description: See retention periods for different types of Cloud SIEM data.
88

99
This topic describes how long different kinds of Cloud SIEM data are retained.
1010

11-
| Data | Partition location | Retention in the partition | Retention in Cloud SIEM|
11+
| Data | Partition location | Retention in the partition | Viewable in Cloud SIEM|
1212
| :-- | :-- | :-- | :-- |
13-
| Raw logs | Raw logs reside in your [default partition](/docs/manage/partitions/run-search-against-partition/#search-the-default-partition) in Sumo Logic. | The retention period defined for your default partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Raw logs are not retained in Cloud SIEM. (Data from raw logs is normalized before appearing as records in Cloud SIEM.) |
14-
| Records | Records (normalized logs) are stored in the partitions whose names begin with the string [`sec_records`](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). There is one partition for each record type. <br/>There is no additional charge for storage of records.| 90 days | |
15-
| Signals | Stored in the [`sec_signal` partition](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo/#partition-for-cloud-siem-signals).<br/>There is no additional charge for storage of signals. | 2 years | Signals that are attached to insights are retained in Cloud SIEM indefinitely. <br/><br/>Signals that are not attached to insights are retained in Cloud SIEM for 30 days if suppressed, and for 365 days if unsuppressed. |
16-
| Insights | The [`sumologic_system_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from system actions. <br/><br/> The [`sumologic_audit_events` partition]((/docs/cse/administration/cse-audit-logging/)) contains insights and insight-related events that result from user actions. <br/><br/>There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | 30 days<br/><br/>This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Indefinitely |
17-
18-
:::note
19-
Playbook and action executions are retained in Cloud SIEM for 2 years. For those that need to ensure HIPAA compliance, we delete the data after 7 years.
20-
:::
13+
| Insights | The [`sumologic_system_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from system actions. <br/><br/> The [`sumologic_audit_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from user actions. <br/><br/>There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | 30 days<br/><br/>This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Indefinitely <br/><br/>Playbook and action executions on insights are viewable in Cloud SIEM for 2 years. For customers who need to ensure HIPAA compliance, we remove that data after 7 years. |
14+
| Signals | Stored in the [`sec_signal` partition](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo/#partition-for-cloud-siem-signals).<br/>There is no additional charge for storage of signals. | 2 years | Signals that are attached to insights are viewable in Cloud SIEM indefinitely. <br/><br/>Signals that are not attached to insights are viewable in Cloud SIEM for 30 days if suppressed, and for 1 year if unsuppressed. |
15+
| Records | Records (normalized logs) are stored in the partitions whose names begin with the string [`sec_records`](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). There is one partition for each record type. <br/>There is no additional charge for storage of records.| 90 days | Records attached to signals are viewable in Cloud SIEM as long as the signals are viewable (see above). Records not attached to signals are viewable for only 90 days. |
16+
| Raw logs | Raw logs reside in your [default partition](/docs/manage/partitions/run-search-against-partition/#search-the-default-partition) in Sumo Logic. | The retention period defined for your default partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Raw logs are not viewable in Cloud SIEM. (Data from raw logs is normalized before appearing as records in Cloud SIEM.) |
2117

2218
## Custom retention periods
2319
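
Review bot: In the added Insights row, the last cell says playbook and action executions are "viewable in Cloud SIEM for 2 years" and then that for HIPAA customers "we remove that data after 7 years", which leaves the state of that data between year 2 and year 7 unclear now that the column is headed "Viewable in Cloud SIEM" instead of "Retention in Cloud SIEM". Please state whether the data is still stored but no longer viewable after 2 years, and whether the 7-year removal applies only to HIPAA customers. The removed `:::note` covered playbook and action executions in general, while the new text narrows it to executions "on insights"; confirm that narrowing is intended. The added Records cell says records attached to signals stay viewable as long as the signals do, which can exceed the 90 days in the partition-retention column of the same row, so it would help to say where those records are kept once the partition retention has passed. The unchanged intro line still says data is "retained", which no longer matches the renamed column. Since the commit message is only "Rearrange table", consider mentioning the retained-to-viewable rewording, the newly filled Records cell and the `]((...))` link fix there.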
