Merge pull request #2972 from SEKOIA-IO/Exalog_GA

Exalog doc : Revise data storage and retention documentation

Author: alexane-bougeardbebin-sekoia

docs/xdr/FAQ/data_storage_retention.md

@@ -1,43 +1,86 @@
 # Data storage and retention
 
-Sekoia.io uses a hybrid storage architecture to balance real-time detection performance with long-term compliance requirements. This system categorizes security events into two distinct tiers: Hot and Cold storage.
+Sekoia.io stores and indexes security events to support detection, investigation, and compliance. Two storage engines are available across Sekoia.io regions: **Hot/Cold storage** and **ExaLog**.
 
-## Hot storage
+## Region availability
 
-Hot storage contains your most recent events. This tier is mandatory for all Sekoia.io Defend plans and is optimized for immediate operational use.
+The storage engine available to your workspace depends on your region and provisioning date.
 
-* **Availability**: Events are immediately searchable for threat hunting and detection.
-* **Retention**: The default period is 30 days, extendable up to 365 days.
-* **Performance**: High-performance indexing for rapid querying.
+| Region | Storage engine | Notes |
+|--------|---------------|-------|
+| FRA1 | ExaLog | Workspaces created from May 2026 onward. Workspaces created before May 2026 are being migrated progressively. |
+| SGP1 | ExaLog | All workspaces. |
+| FRA2 | Hot/Cold storage | — |
+| EUR1 | Hot/Cold storage | — |
+| MCO1 | Hot/Cold storage | — |
+| UAE1 | Hot/Cold storage | — |
+| USA1 | Hot/Cold storage | — |
 
-## Cold storage
+!!! tip "FRA1 workspaces created before May 2026"
+    If your workspace is on FRA1 and was provisioned before May 2026, you can request migration to ExaLog. Migration gives you a unified retention window, direct search across all retained events, and no rehydration step for older data. Contact your Customer Success Manager or see [Migrate your workspace to ExaLog](/xdr/FAQ/migrate_workspace_to_exalog.md).
 
-Cold storage (or "Archives") is an optional tier for older events. It provides a cost-effective way to store data for compliance without maintaining it in the active search index.
+!!! note "Rollout to additional regions"
+    ExaLog is being rolled out to additional regions. When ExaLog becomes available in a new region, only events ingested after the activation date are indexed in ExaLog. Existing data is not migrated retroactively. Full capabilities become available progressively as your original retention window expires.
 
-* **Availability**: Events are not immediately searchable. You must trigger a rehydration process to access this data.
-* **Retention**: Combined retention (Hot + Cold) typically ranges from 30 to 365 days.
-* **Resiliency**: Sekoia.io maintains the same level of data resiliency for both storage tiers.
+---
 
-## View your storage capacity
+## Hot/Cold storage
 
-You can verify the specific storage durations included in your subscription directly within the platform.
+Workspaces running Hot/Cold storage use a two-tier model that separates active, searchable events from archived data.
 
-To view your current plan:
+### Hot storage
 
-1.  Navigate to **Settings > Subscription**.
-2.  Locate the **Storage** section to see your allocated days for each tier.
+Hot storage contains your most recent events and is optimized for immediate operational use.
+
+- **Availability**: Events are immediately searchable for threat hunting and detection.
+- **Retention**: The default period is 30 days, extendable up to 365 days.
+- **Performance**: High-performance indexing for rapid querying.
+
+### Cold storage
+
+Cold storage (also called "Archives") is an optional tier for older events. It provides a cost-effective way to retain data for compliance without keeping it in the active search index.
+
+- **Availability**: Events are not immediately searchable. You must trigger a rehydration process to access archived data.
+- **Retention**: Combined retention (Hot + Cold) typically ranges from 30 to 365 days.
+- **Resiliency**: Sekoia.io maintains the same level of data resiliency for both storage tiers.
+
+### View your storage capacity
+
+You can verify the storage durations included in your subscription directly in the platform.
+
+1. Navigate to **Settings > Subscription**.
+2. Locate the **Storage** section to see your allocated days for each tier.
 
 ![Navigation to Settings > Subscription to view hot and cold storage days](/assets/xdr/storage_subscription.png)
 
+### Storage limitations
+
+!!! warning "Permanent data deletion"
+    Sekoia.io cannot retrieve data that exceeds your defined storage thresholds. If your total retention is 120 days, any data older than this limit is permanently deleted and cannot be recovered.
+
+Retention periods are strictly governed by your contractual agreement.
+
+---
+
+## ExaLog
 
+ExaLog is Sekoia.io's log storage and search engine for high-volume workloads. It provides a unified retention window with no distinction between hot and cold tiers. All events within your configured retention period are directly queryable from the **Events** page without any rehydration step.
 
-## Storage limitations
+| Characteristic | Details |
+|---|---|
+| Retention | Configurable retention window; events linked to alerts or cases are preserved beyond the standard window |
+| Search | All events are searchable within the retention period without delay |
+| Encryption | Data is encrypted at rest; Sekoia.io manages the encryption keys |
+| Export | Large-volume exports to S3-compatible storage are supported (available June 2026) |
 
-Retention periods are strictly governed by your contractual agreement. 
+To learn more about ExaLog capabilities, see [ExaLog storage engine](/xdr/FAQ/exalog_storage_engine.md).
 
-!!! warning "Data Permanence"
+---
 
-    Sekoia.io cannot retrieve data that exceeds your defined storage thresholds. For example, if your total retention is 120 days, any data older than this limit is permanently deleted and cannot be recovered by Support.
+## Related articles
 
-## Next steps
-To learn how to access your archived events for a specific investigation, follow our guide to [restore data from cold storage](/xdr/FAQ/restore_data_cold_storage.md).
+- [ExaLog storage engine](/xdr/FAQ/exalog_storage_engine.md) — Learn about ExaLog's capabilities and how it differs from Hot/Cold storage.
+- [Migrate your workspace to ExaLog](/xdr/FAQ/migrate_workspace_to_exalog.md) — Step-by-step guide to checking your current storage model and requesting a migration to ExaLog.
+- [Restore data from cold storage](/xdr/FAQ/restore_data_cold_storage.md) — How to rehydrate archived events from cold storage.
+- [Events page](/xdr/features/investigate/events.md) — How to search and filter events in the Sekoia.io investigation interface.
+- [Understand massive event export](/xdr/features/investigate/event_export.md) — How to export large volumes of events to an external S3-compatible storage.

docs/xdr/FAQ/exalog_storage_engine.md

@@ -0,0 +1,55 @@
+# ExaLog storage engine
+
+ExaLog is Sekoia.io's log storage and search engine, designed to give security analysts and MSSPs fast, scalable, and cost-efficient event querying across extended retention windows. All events within your configured retention window are directly queryable at any time from the **Events** page, SOL queries, and notebooks — without any intermediate step.
+
+For information on which regions and workspaces use ExaLog, see [Data storage and retention](/xdr/FAQ/data_storage_retention.md).
+
+## How ExaLog works
+
+ExaLog provides a unified retention window: there is no distinction between recent and older events within the retention period. All data is indexed in a single layer and available for immediate search.
+
+Events linked to alerts or cases are preserved in dedicated indexes beyond the standard retention window, ensuring that forensic data remains available for investigation even after the original retention period expires.
+
+## Capabilities
+
+### Event search
+
+ExaLog handles all search queries initiated from the **Events** page, including searches scoped to events involved in alerts.
+
+!!! tip "Get the most out of extended retention"
+    Always specify a time range in your queries. Without one, a query targets your entire retention window, which can significantly slow down results.
+
+### Retrohunt and anomaly detection
+
+You can run retrohunt queries and anomaly detection jobs across the full configured retention window, enabling you to hunt for threats over extended historical datasets without being limited by shorter query horizons.
+
+### Detection rules and correlation
+
+Detection rules and correlation logic operate over the full ExaLog retention window, enabling rule-based detections to cover longer time ranges.
+
+## Benefits
+
+| Benefit | Description |
+|---|---|
+| Unified retention | All events within the retention window are immediately searchable with no rehydration required |
+| Extended retention for alert-related events | Events linked to alerts or cases are preserved beyond the standard retention window |
+| Search performance | Search performance is equivalent to or better than the Hot/Cold storage model |
+| Cost efficiency | The storage model reduces indexing and storage costs, enabling Sekoia.io to offer competitive retention pricing |
+| Encryption | Data is encrypted at rest; Sekoia.io manages the encryption keys |
+| Multi-region support | ExaLog is being rolled out to all deployment regions |
+
+## Availability and migration
+
+ExaLog reached general availability on FRA1 and SGP1 regions in May 2026. All new workspaces on these regions are provisioned on ExaLog. Existing FRA1 workspaces are migrated progressively.
+
+For a full breakdown of availability by region, see [Data storage and retention](/xdr/FAQ/data_storage_retention.md).
+
+To initiate or check the status of your workspace migration, contact your Customer Success Manager or follow the steps in [Migrate your workspace to ExaLog](/xdr/FAQ/migrate_workspace_to_exalog.md).
+
+## Related articles
+
+- [Data storage and retention](/xdr/FAQ/data_storage_retention.md) — Overview of both storage models and region availability.
+- [Migrate your workspace to ExaLog](/xdr/FAQ/migrate_workspace_to_exalog.md) — Step-by-step guide to checking your current storage model and requesting a migration.
+- [Events page](/xdr/features/investigate/events.md) — How to search and filter events in the Sekoia.io investigation interface.
+- [Understand massive event export](/xdr/features/investigate/event_export.md) — How to export large volumes of events to an external S3-compatible storage.
+- [Retrohunt](/xdr/features/detect/rules_catalog.md) — How to run retrohunt queries across historical event data to identify past threats.

docs/xdr/FAQ/migrate_workspace_to_exalog.md

@@ -0,0 +1,51 @@
+# Migrate your workspace to ExaLog
+
+This article explains how to check whether your workspace uses ExaLog and how to request a migration from the legacy Hot/Cold storage model.
+
+ExaLog is Sekoia.io's next-generation storage engine. Migrating gives you access to a unified retention window, improved search performance, and extended retention for alert-related events without any rehydration step.
+
+## Prerequisites
+
+- Your workspace is on FRA1 region.
+- Your workspace was created before May 2026 (workspaces created from May 2026 onward on FRA 1 and SGP1 are already on ExaLog).
+- You have a Customer Success Manager assigned to your account.
+
+## Check your current storage model
+
+To verify which storage model your workspace uses:
+
+1. Navigate to **Settings > Subscription**.
+2. Locate the **Storage** section.
+3. If you see separate **Hot storage** and **Cold storage** entries, your workspace uses the legacy model and is eligible for migration.
+   
+![Navigation to Settings > Subscription to view hot and cold storage days](/assets/xdr/storage_subscription.png)
+
+## Request migration to ExaLog
+
+!!! note "Migration timeline"
+    Migration is performed by our teams. The timeline depends on your workspace size and region availability. Your Customer Success Manager will confirm the schedule before any action is taken.
+
+1. Contact your Customer Success Manager directly or through the Sekoia.io support portal.
+2. Request migration of your workspace to ExaLog.
+3. Confirm the migration schedule with your Customer Success Manager.
+
+Your Customer Success Manager will coordinate the migration and notify you when your workspace is ready.
+
+## What to expect after migration
+
+Once your workspace is migrated to ExaLog:
+
+- All events within your configured retention window are immediately searchable from the **Events** page.
+- The rehydration process for archived events is no longer required.
+- Retrohunt queries and anomaly detection jobs operate across the full retention window.
+- Events linked to alerts or cases are preserved beyond the standard retention window.
+
+!!! note "Historical data availability"
+    Events ingested before the migration date become available in ExaLog progressively, as your original retention window transitions. Full ExaLog capabilities are available once the transition is complete.
+
+## Related articles
+
+- [ExaLog storage engine](/xdr/FAQ/exalog_storage_engine.md): Learn about ExaLog's capabilities, benefits, and how it differs from the legacy Hot/Cold model.
+- [Data storage and retention](/xdr/FAQ/data_storage_retention.md): Overview of both the legacy Hot/Cold model and ExaLog, with guidance on which applies to your workspace.
+- [Restore data from cold storage](/xdr/FAQ/restore_data_cold_storage.md): How to rehydrate archived events from cold storage on legacy workspaces.
+- [Events page](/xdr/features/investigate/events.md): How to search and filter events in the Sekoia.io investigation interface.

mkdocs.yml

@@ -220,15 +220,20 @@ nav:
   - Use your own CTI in Sekoia.io: xdr/usecases/use_your_own_cti.md
   - Investigate overusage: xdr/usecases/playbook/investigate_overusage.md
   - Log volume reduction strategies: xdr/usecases/playbook/log_volume_reduction_strategies.md
+
+
 - FAQ and troubleshooting:
   - General: xdr/FAQ.md
   - Alerts: xdr/FAQ/Alerts_qa.md
   - Events:
     - Events FAQ: xdr/FAQ/get_events.md
     - Events QA: xdr/FAQ/Events_qa.md
     - Facing issues with logs collection: xdr/FAQ/Log_collection_Troubleshoot.md
+  - Storage:
     - Data storage and retention: xdr/FAQ/data_storage_retention.md
     - Restore Data from cold storage: xdr/FAQ/restore_data_cold_storage.md
+    - Understand Exalog storage engine: xdr/FAQ/exalog_storage_engine.md
+    - Migrate to Exalog: xdr/FAQ/migrate_workspace_to_exalog.md
   - Intelligence:
     - Detection: xdr/FAQ/intelligence/Detection_qa.md
     - Questions about IoC revokation: xdr/FAQ/intelligence/revoke_ioc.md