Data Durability and Availability in Stellar Cyber

Your data is important to you, and it's also important to us. This topic helps you understand how Stellar Cyber stores your data in the managed version of the product, describing how your licenses determine data availability and restoration speed, as well as how to request a data restore.

License Types and Data Availability

The managed version of Stellar Cyber uses a platform license based on either ingestion volume or monitored assets:

  • Volume – The license allows you to ingest a specified amount of data per day.
  • Assets – The license allows you a specified number of daily active assets.

The platform license also determines the following:

  • How long raw data is kept in hot storage.

  • How long alerts and cases are kept in hot storage.

Convenient Starter Pack Licenses

Stellar Cyber provides convenient Starter Packs that provide a solid foundation on which to grow your deployment:

  • The volume-based starter pack provides 30 days of hot storage for raw data, one year of hot storage for alerts and cases, and 100 GB of daily ingestion.

  • The asset-based starter pack provides 30 days of hot storage for raw data, one year of hot storage for alerts and cases, and support for 3,000 monitored assets on a daily basis.

Extending the Starter Pack

Because the managed version of Stellar Cyber is cloud-based and provided as a service from Stellar Cyber, it's easy to add additional capacity as you grow:

  • Add support for additional daily ingestion or assets.

  • Add support for additional hot data in 30-day units.

Contact your Stellar Cyber account representative for help adding these features to your account.

About Cold Storage

Cold storage is not included in the Starter Pack but is available as an additional purchase with a default duration of one year. You can enhance your cold storage with the following features:

  • Add support for additional cold storage in 30-day units.

  • Increase the speed of data restore from cold storage.

    By default, data can be restored from cold to hot storage at the same speed at which it was ingested. So, if your account has support for 100 GB of daily ingestion, that means that Stellar Cyber can restore data from cold storage to hot at the rate of 100 GB per day. If that's not fast enough for your needs, contact your account representative to purchase accelerated restoration.

Choosing a Location for Cold Storage Export

By default, the managed version of Stellar Cyber stores cold data in OCI Object Storage managed by Stellar Cyber. If you prefer to store cold data in an external destination, submit a support request to Stellar Cyber Customer Success. You do not need to purchase the Cold Storage SKU, but Stellar Cyber charges a fee for managing the export. Contact your account representative for pricing details.

Data Backup and Restore

Data is purged from hot storage so that only the number of days corresponding to your license is kept in hot. As described above, the Starter Packs keep 30 days of raw data in hot storage, but you can always purchase space for more.

If you have purchased a Cold Storage license, Stellar Cyber stores incoming raw data in both hot and cold storage simultaneously. The default Cold Storage license keeps raw data in cold storage for a year. As with hot data, you can enhance your Cold Storage license to keep data in cold storage longer.

Alerts, cases, and assets remain in hot storage for a year, by default. You can search for any of these items without importing data from cold storage. However, searches that require aggregation on multiple fields require import from cold storage to extend beyond the raw data that's in hot storage. So, for example, if you want to perform a search showing the IP address that triggered the most alerts in the last 12 months, you must import the raw data from cold storage for those 12 months. Without doing so, the search could only show you that data for the IP address exists over the last 12 months.

Requesting a Restore from Cold Storage

You request a restore from cold storage by opening a Zendesk ticket with Customer Success. In response, the Stellar Cyber DevOps team will work to help you determine what data you need and start the restoration process.

Note the following:

  • You work with Customer Success to specify how much data to restore and how quickly you need it.

  • Requests to restore more than 5% of the total hot storage provided by your platform license incur additional charges.

  • Once you submit your data restoration request, data will begin processing within a few hours.

How Quickly is Data Restored from Cold Storage?

By default, data can be restored from cold to hot storage at the same speed at which it was ingested. So, if your account has support for 100 GB of daily ingestion, that means that Stellar Cyber can restore data from cold storage to hot at the rate of 100 GB per day.

If that's not fast enough for your needs, you can work with Customer Success to purchase accelerated restoration.

External Storage Destinations in On-Premises vs. Managed Deployments

The comparison below summarizes the differences between the external storage destinations available in both the on-premises and managed (SaaS) versions of Stellar Cyber: Cold Storage, Data Sinks, and Snowflake Integration (Bring Your Own Data Lake). Note that the available destinations may vary depending on your deployment.

On-Premises

  • Cold Storage – User-configurable in the System | DATA MANAGEMENT | Data Management tabs.

  • Data Sinks – Available by default. User-configurable in the System | DATA MANAGEMENT | Data Sinks page.

  • Snowflake Integration – N/A

Managed (SaaS)

  • Cold Storage – Available for purchase from Stellar Cyber. Default storage location is OCI Object Storage. You can choose your own location by submitting a request to Customer Support. You do not need to purchase the Cold Storage SKU in this case, but Stellar Cyber charges a fee for managing the export.

  • Data Sinks – Available upon request by submitting a ticket to Customer Success.

  • Snowflake Integration – Available upon request by submitting a ticket to Customer Success (feature is in Early Access Program status).

Primary Purpose

  • Cold Storage – Medium- to long-term data retention and restoration. Cold data must be restored to Stellar Cyber before it can be analyzed.

  • Data Sinks – Real-time export of logs/events to external systems.

  • Snowflake Integration – Real-time streaming to Business Intelligence/analytics platforms.

Export Timing

  • Cold Storage:

    • On-Premises – Data moves to cold storage after the user-configured hot retention time expires.

    • Managed (SaaS) – Data is saved to Hot and Cold storage at the time of ingestion.

  • Data Sinks – Near real-time.

  • Snowflake Integration – Near real-time.

Storage Destination

  • Cold Storage:

    • On-Premises – S3, OCI, and Azure, among others.

    • Managed (SaaS) – OCI Object Storage, by default. Choose your own location by submitting a request to Customer Support.

  • Data Sinks – Refer to the Data Sinks page for a list. Available destinations include:

    • Cloud Storage (AWS S3, Azure Blob, GCP, General S3, OCI)

    • SIEM (Splunk, ElasticSearch)

    • Other (Kafka)

  • Snowflake Integration – Snowflake Snowpipe

Data Types

  • Cold Storage – Raw data (snapshot-based data).

  • Data Sinks – Raw Data, Alerts, Assets, Users.

  • Snowflake Integration – Data collected from network traffic, logs, endpoints, cloud services, and threat intelligence feeds.

Per-Tenant Handling

  • Cold Storage – Configurable per-tenant.

  • Data Sinks – Tenant-level handling available with a limit on the number of supported destinations.

  • Snowflake Integration – N/A

Using Data Sinks

Data Sinks are available in managed deployments but require manual activation through a support request to Stellar Cyber Customer Success. Use Data Sinks to export data to external storage systems or SIEMs. Stellar Cyber supports tenant-level handling, but limits the number of export destinations at the site level. Contact Customer Success to determine the destination limit for your deployment.