Cloud SIEM Data Retention

This topic describes how long different kinds of Cloud SIEM data are retained.

Data	Partition location	Retention in the partition	Viewable in Cloud SIEM
Insights	The sumologic_system_events partition contains insights and insight-related events that result from system actions. The sumologic_audit_events partition contains insights and insight-related events that result from user actions. There is a charge for storage of insight-related data in the audit indexes. Note however the volume of data is typically very low compared to log ingestion levels.	30 days This period is customer-configurable.	Indefinitely Playbook and action executions on insights are viewable in Cloud SIEM for 2 years. For customers who need to ensure HIPAA compliance, we remove that data after 7 years.
Signals	Stored in the sec_signal partition. There is no additional charge for storage of signals.	2 years	Signals that are attached to insights are viewable in Cloud SIEM indefinitely. Signals that are not attached to insights are viewable in Cloud SIEM for 30 days if suppressed, and for 1 year if unsuppressed.
Records	Records (normalized logs) are stored in the partitions whose names begin with the string sec_records. There is one partition for each record type. There is no additional charge for storage of records.	90 days	Records attached to signals are viewable in Cloud SIEM as long as the signals are viewable (see above). Records not attached to signals are viewable for only 90 days.
Raw logs	Raw logs reside in your default partition in Sumo Logic.	The retention period defined for your default partition. This period is customer-configurable.	Raw logs are not viewable in Cloud SIEM. (Data from raw logs is normalized before appearing as records in Cloud SIEM.)

Custom retention periods

You can request retention periods different from those declared in the table above, as long as the retention period requested is greater than 1 day and less than 5000 days.

In order to do that, open a Support ticket with your request.