From ed09b2099f47e2183f6675e68c8f2aaa823c480c Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 14 Aug 2025 14:36:11 -0500 Subject: [PATCH 1/2] Rough draft --- docs/cse/administration/cse-data-retention.md | 33 +++++++------------ 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/docs/cse/administration/cse-data-retention.md b/docs/cse/administration/cse-data-retention.md index fe052ad225..5570816311 100644 --- a/docs/cse/administration/cse-data-retention.md +++ b/docs/cse/administration/cse-data-retention.md @@ -6,30 +6,21 @@ description: See retention periods for different types of Cloud SIEM data. --- -This topic lists the Cloud SIEM data that is retained on the Sumo Logic platform and in Cloud SIEM, and the retention period for each type of data. +This topic describes how long different kinds of Cloud SIEM data are retained. -## Sumo Logic platform +| Data | Partition location | Retention in the partition | Retention in Cloud SIEM| +| :-- | :-- | :-- | :-- | +| Raw logs | Raw logs reside in your [default partition](/docs/manage/partitions/run-search-against-partition/#search-the-default-partition) in Sumo Logic. | The retention period defined for your default partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Raw logs are not retained in Cloud SIEM. (Data from raw logs is normalized before appearing as records in Cloud SIEM.) | +| Records | Records (normalized logs) are stored in the partitions whose names begin with the string [`sec_records`](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). There is one partition for each record type.
There is no additional charge for storage of records.| 90 days | | +| Signals | Stored in the [`sec_signal` partition](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo/#partition-for-cloud-siem-signals).
There is no additional charge for storage of signals. | 2 years | Signals that are attached to insights are retained in Cloud SIEM indefinitely.

Signals that are not attached to insights are retained in Cloud SIEM for 30 days if suppressed, and for 365 days if unsuppressed. | +| Insights | The [`sumologic_system_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from system actions.

The [`sumologic_audit_events` partition]((/docs/cse/administration/cse-audit-logging/)) contains insights and insight-related events that result from user actions.

There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | 30 days

This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Indefinitely | -This table lists where, and for how long, different types of Cloud SIEM data are retained on the Sumo Logic platform. +:::note +Playbook and action executions are retained in Cloud SIEM for 2 years. For those that need to ensure HIPAA compliance, we delete the data after 7 years. +::: -| Data | Location | Retention | -| :-- | :-- | :-- | -| Raw logs | Raw logs reside in your Default Partition in Sumo Logic | The retention period defined for your Default Partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | -| Records | Records (normalized logs) are stored in the partitions whose names begin with the string `sec_records`. There is one partition for each record type.
There is no additional charge for storage of records.| 90 days | -| Signals | Stored in the `sec_signal` partition.
There is no additional charge for storage of signals. | 2 years | -| Insights | The `sumologic_system_events` partition contains insights and insight-related events that result from system actions.
The `sumologic_audit_events` partition contains insights and insight-related events that result from user actions.
There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | By default, these partitions have a retention period of 30 days. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | +## Custom retention periods - -### Cloud SIEM - -* Insights and signals that are attached to insights are retained in Cloud SIEM indefinitely. -* Signals that are not attached to insights are retained in Cloud SIEM: - * For 30 days if suppressed. - * For 365 days if unsuppressed. -* Playbook and action executions are retained in Cloud SIEM for 2 years. For those that need to ensure HIPAA compliance, we delete the data after 7 years. - -### Custom retention periods - -You can request retention periods different from those declared in the tables above, as long as the retention period requested is greater than 1 day and less than 5000 days. +You can request retention periods different from those declared in the table above, as long as the retention period requested is greater than 1 day and less than 5000 days. In order to do that, open a [Support ticket](/docs/get-started/help#support) with your request. \ No newline at end of file From 9a6400e8592241f75befb84cf449b944fc32c633 Mon Sep 17 00:00:00 2001 From: John Pipkin Date: Thu, 14 Aug 2025 16:03:43 -0500 Subject: [PATCH 2/2] Rearrange table --- docs/cse/administration/cse-data-retention.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/docs/cse/administration/cse-data-retention.md b/docs/cse/administration/cse-data-retention.md index 5570816311..a360807258 100644 --- a/docs/cse/administration/cse-data-retention.md +++ b/docs/cse/administration/cse-data-retention.md 
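Review bot: The Insights row of the new table wraps the `sumologic_audit_events` link in doubled parentheses, `[`sumologic_audit_events` partition]((/docs/cse/administration/cse-audit-logging/))`, which renders a stray `(` and breaks the link; drop one pair (PATCH 2/2 corrects this, but the intermediate commit should not carry a broken link). Three further points on the same hunk: the Records row leaves the new "Retention in Cloud SIEM" cell empty, so a reader cannot tell whether records are kept in Cloud SIEM at all; the Signals and Insights cells contain blank lines between sentences, which terminate a Markdown/MDX table row unless each row is kept on one line with `<br/>` breaks, and the header cell `Retention in Cloud SIEM|` is missing the space before the closing pipe; and the `:::note` on playbook executions is ambiguous, since "retained in Cloud SIEM for 2 years" followed by "we delete the data after 7 years" for HIPAA reads as two different retention periods without saying which one applies to a HIPAA-scoped customer. Suggest stating explicitly that such customers have the data retained for 7 years (if that is the intent) rather than 2.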
@@ -8,16 +8,12 @@ description: See retention periods for different types of Cloud SIEM data. This topic describes how long different kinds of Cloud SIEM data are retained. -| Data | Partition location | Retention in the partition | Retention in Cloud SIEM| +| Data | Partition location | Retention in the partition | Viewable in Cloud SIEM| | :-- | :-- | :-- | :-- | -| Raw logs | Raw logs reside in your [default partition](/docs/manage/partitions/run-search-against-partition/#search-the-default-partition) in Sumo Logic. | The retention period defined for your default partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Raw logs are not retained in Cloud SIEM. (Data from raw logs is normalized before appearing as records in Cloud SIEM.) | -| Records | Records (normalized logs) are stored in the partitions whose names begin with the string [`sec_records`](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). There is one partition for each record type.
There is no additional charge for storage of records.| 90 days | | -| Signals | Stored in the [`sec_signal` partition](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo/#partition-for-cloud-siem-signals).
There is no additional charge for storage of signals. | 2 years | Signals that are attached to insights are retained in Cloud SIEM indefinitely.

Signals that are not attached to insights are retained in Cloud SIEM for 30 days if suppressed, and for 365 days if unsuppressed. | -| Insights | The [`sumologic_system_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from system actions.

The [`sumologic_audit_events` partition]((/docs/cse/administration/cse-audit-logging/)) contains insights and insight-related events that result from user actions.

There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | 30 days

This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Indefinitely | - -:::note -Playbook and action executions are retained in Cloud SIEM for 2 years. For those that need to ensure HIPAA compliance, we delete the data after 7 years. -::: +| Insights | The [`sumologic_system_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from system actions.

The [`sumologic_audit_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from user actions.

There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | 30 days

This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Indefinitely

Playbook and action executions on insights are viewable in Cloud SIEM for 2 years. For customers who need to ensure HIPAA compliance, we remove that data after 7 years. | +| Signals | Stored in the [`sec_signal` partition](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo/#partition-for-cloud-siem-signals).
There is no additional charge for storage of signals. | 2 years | Signals that are attached to insights are viewable in Cloud SIEM indefinitely.

Signals that are not attached to insights are viewable in Cloud SIEM for 30 days if suppressed, and for 1 year if unsuppressed. | +| Records | Records (normalized logs) are stored in the partitions whose names begin with the string [`sec_records`](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). There is one partition for each record type.
There is no additional charge for storage of records.| 90 days | Records attached to signals are viewable in Cloud SIEM as long as the signals are viewable (see above). Records not attached to signals are viewable for only 90 days. | +| Raw logs | Raw logs reside in your [default partition](/docs/manage/partitions/run-search-against-partition/#search-the-default-partition) in Sumo Logic. | The retention period defined for your default partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Raw logs are not viewable in Cloud SIEM. (Data from raw logs is normalized before appearing as records in Cloud SIEM.) | ## Custom retention periods
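Review bot: The HIPAA sentence in the rearranged Insights row is still ambiguous: "viewable in Cloud SIEM for 2 years" followed by "for customers who need to ensure HIPAA compliance, we remove that data after 7 years" does not say whether those customers can view executions for 7 years, or whether the 2-year viewability still applies and only the final deletion is delayed; spell out both the viewable period and the deletion point for the HIPAA case. The doubled-parenthesis link is fixed here, but the header `| Viewable in Cloud SIEM|` still lacks a space before the closing pipe, and the Insights and Signals cells still contain blank lines between sentences, which break a Markdown/MDX table row unless each row stays on one line with `<br/>` breaks. Minor: the Signals row now says "1 year" where the previous revision and the rest of the table use day counts (30 days, 90 days); "365 days" keeps the units consistent.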