Legacy Signal Forwarding Deprecation
Since July 2022, Signals generated by Cloud SIEM have been automatically saved in a standardized sec_signal index. This special partition is similar to the existing sec_record indices in that, unlike data retained using the legacy Signal Forwarding feature, it is stored in a format that supports keyword search, nested attributes, and other standard log search features.
The new index is automatically generated and retained for a period of 2 years at no additional cost for all Cloud SIEM customers.
As a result, the optional legacy Signal Forwarding feature in Cloud SIEM will be deprecated on November 15, 2023. Existing data will not be deleted, but new Signals generated after that date will no longer be forwarded using that feature and the option will no longer be available. (Signals will continue to be forwarded automatically to sec_signal.) Customers leveraging data forwarded using the legacy feature to generate dashboards (or for other use cases) will need to modify those applications to use the new sec_signal index before then. Note that the content of the sec_signal index is not identical to the content in data forwarded using the legacy option.
For more information about this change, and the differences between the two data sets, refer to our 2023 Cloud SIEM Signal Index Migration FAQ.