All data sent to Sumo Logic is indexed together within a defined partition or within a general partition. To help maintain compliance the indexes created for these partitions are then stored in a Write Once Read Many (WORM) storage, which cannot be modified after creation.
It is highly recommended that before any action is requested from Sumo Logic, the ingest of the sensitive data has been stopped so that this data deletion or backend filter request does not have to be repeated. If the data ingestion cannot be addressed at the source, you can implement masking rules to mask the sensitive data before ingestion into Sumo Logic. Please note that the masking rules take effect only for data ingested going forward.
There are 3 options to control the access of sensitive data:
1. Create role filter:
An alternative to requesting Sumo Logic to delete your message data is to create Role filters that will hide the unwanted data so it is not searchable within the account.
The following article can give you more information on the role filter:
2. Hiding the data using backend filter:
Hiding the data org-wide and creating a backend filter to always hide results.
The mechanism Sumo Logic uses to hide specific data is based on a keyword search. The Customer provides a keyword search that returns, with as much specificity as possible, the messages the customer wants to ensure will NEVER be returned in ANY search, along with a time range that includes a FROM and a TO time. With that information, Sumo Logic Engineering will deploy a filter on the backend that affects EVERY search query run within the customer account. No messages meeting the filter criteria will ever appear in any search, no matter how the search is initiated or who initiates the search. This includes alerts, scheduled searches, API calls, dashboards, UI queries, etc.
The existence of the backend filter will not be visible to anyone at the customer. There is also no way for any user to remove or alter the filter. This can only be done by a request to Sumo Logic Support, and the Support team will double-verify any such request with the listed customer account owner.
NOTE: You can apply multiple backend filters, but the time range will be the same for all filters. Sumo Logic is not supporting multiple time ranges for multiple backend filters.
To proceed with this method we will need the following data:
1. Timeframe with start and end time in UTC and in epoch 13 digit epoch timestamp format (milliseconds). NOTE that if this request is NOT the first request for the account, the time range will consolidate the time ranges of prior backend filter implementations UNLESS the retention of the previous filter has expired. For example, if the first filter was applied for a time range from January 15 to January 25 and the second filter was required for a time range from February 10 to February 20, it will be a superset of both the back-end filters time range and the time range to be applied will be January 15 to February 20 UNLESS the data for January 15 to 25 has been deleted per the retention settings of the partition. Unfortunately, the current functionality does not support multiple time ranges.
2. The query that includes the source category or collector and keywords (without any pipe or parse statements). NOTE that if this request is NOT the first request for the account, the queries for each filter request will have to be consolidated. For example, if the first filter used "(query 1)" and the second filter used "(Query 2)", then the consolidated query would have the structure
!((Query 1) OR (Query 2))
We recommend using Share option in the UI to provide the targeted messages that are to be hidden.
3. Verify that the query showing sensitive data results was visible when the "Use Receipt time" checkbox was enabled.
4. Please Cc an additional administrator on your support request to provide secondary approval.
3. Delete the data for a specific time range:
You may request data be deleted from your account. If you have Views and Partitions set up, Sumo Logic can delete data from that specific View or Partition. Otherwise, the deletion will cover ALL data delivered into the account within a specified time range.
As of now, it is not possible to delete only specific messages sent into Sumo Logic.
Any request for data deletion will need to be sent to Sumo Logic Support via your account administrator. Please include the following information when making a request for data deletion. It will take around 1-2 business days to process this request, once we receive the below information and approval.
- The name of the partition containing the data to be removed.
- The time range for which the data has to be deleted in UTC and in 13 digit epoch timestamp format in milliseconds
- Verify that data to be deleted is based on ingestion or receipt time by running the query with "Use receipt time" checkbox enabled.
- Please CC an additional administrator on your support request to provide secondary approval from him/her.