31 changes: 9 additions & 22 deletions docs/cse/administration/cse-data-retention.md
Expand Up @@ -6,30 +6,17 @@ description: See retention periods for different types of Cloud SIEM data.
---


This topic lists the Cloud SIEM data that is retained on the Sumo Logic platform and in Cloud SIEM, and the retention period for each type of data.
This topic describes how long different kinds of Cloud SIEM data are retained.

## Sumo Logic platform
| Data | Partition location | Retention in the partition | Viewable in Cloud SIEM|
| :-- | :-- | :-- | :-- |
| Insights | The [`sumologic_system_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from system actions. <br/><br/> The [`sumologic_audit_events` partition](/docs/cse/administration/cse-audit-logging/) contains insights and insight-related events that result from user actions. <br/><br/>There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | 30 days<br/><br/>This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Indefinitely <br/><br/>Playbook and action executions on insights are viewable in Cloud SIEM for 2 years. For customers who need to ensure HIPAA compliance, we remove that data after 7 years. |
| Signals | Stored in the [`sec_signal` partition](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo/#partition-for-cloud-siem-signals).<br/>There is no additional charge for storage of signals. | 2 years | Signals that are attached to insights are viewable in Cloud SIEM indefinitely. <br/><br/>Signals that are not attached to insights are viewable in Cloud SIEM for 30 days if suppressed, and for 1 year if unsuppressed. |
| Records | Records (normalized logs) are stored in the partitions whose names begin with the string [`sec_records`](/docs/cse/records-signals-entities-insights/search-cse-records-in-sumo). There is one partition for each record type. <br/>There is no additional charge for storage of records.| 90 days | Records attached to signals are viewable in Cloud SIEM as long as the signals are viewable (see above). Records not attached to signals are viewable for only 90 days. |
| Raw logs | Raw logs reside in your [default partition](/docs/manage/partitions/run-search-against-partition/#search-the-default-partition) in Sumo Logic. | The retention period defined for your default partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). | Raw logs are not viewable in Cloud SIEM. (Data from raw logs is normalized before appearing as records in Cloud SIEM.) |

This table lists where, and for how long, different types of Cloud SIEM data are retained on the Sumo Logic platform.
## Custom retention periods

| Data | Location | Retention |
| :-- | :-- | :-- |
| Raw logs | Raw logs reside in your Default Partition in Sumo Logic | The retention period defined for your Default Partition. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). |
| Records | Records (normalized logs) are stored in the partitions whose names begin with the string `sec_records`. There is one partition for each record type. <br/>There is no additional charge for storage of records.| 90 days |
| Signals | Stored in the `sec_signal` partition.<br/>There is no additional charge for storage of signals. | 2 years |
| Insights | The `sumologic_system_events` partition contains insights and insight-related events that result from system actions. <br/> The `sumologic_audit_events` partition contains insights and insight-related events that result from user actions. <br/>There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels. | By default, these partitions have a retention period of 30 days. This period is [customer-configurable](/docs/manage/partitions/manage-indexes-variable-retention). |


### Cloud SIEM

* Insights and signals that are attached to insights are retained in Cloud SIEM indefinitely.
* Signals that are not attached to insights are retained in Cloud SIEM:
* For 30 days if suppressed.
* For 365 days if unsuppressed.
* Playbook and action executions are retained in Cloud SIEM for 2 years. For those that need to ensure HIPAA compliance, we delete the data after 7 years.

### Custom retention periods

You can request retention periods different from those declared in the tables above, as long as the retention period requested is greater than 1 day and less than 5000 days.
You can request retention periods different from those declared in the table above, as long as the retention period requested is greater than 1 day and less than 5000 days.

In order to do that, open a [Support ticket](/docs/get-started/help#support) with your request.
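
Review bot: In the Insights row of the four-column table, the "Viewable in Cloud SIEM" cell says playbook and action executions are viewable for 2 years and then that, for HIPAA customers, the data is removed after 7 years. The two periods are not reconciled. Please state whether HIPAA customers can view that data for the full 7 years or whether it is retained but not viewable after year 2, since this decides how far back an investigation can reconstruct response actions. Separately, the closing paragraph now points to "the table above", and that table has two period columns ("Retention in the partition" and "Viewable in Cloud SIEM"). Say which of the two a custom retention request can change. The Signals row gives "1 year" for unsuppressed signals where the bulleted list gave "365 days"; pick one unit and use it throughout the table.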