search close

Data Storage and Sampling

access_time Updated Jun 20, 2021

When our agent sends requests to our collectors, we store two types of data: timeseries data and individual request data.

Timeseries data

Timeseries data counts the number of tags (e.g. XSS, SQLi, 404s) observed per minute, while individual request data includes individual records of anonymized requests. Timeseries data powers graphs visible throughout the product:

Individual request data

While all timeseries data is stored and available in the product, a representative sample of individual request data is stored. Individual request data powers the search page:

And dashboard detail pages:

What data does Signal Sciences store?

All timeseries data sent to our collectors (powering graphs throughout the product) is stored.

Our product has three storage categories, depending on the types of signals the requests have been tagged with. The categories are all, sampled, and timeseries only.

All - All requests matching this storage category will be stored and available for reference throughout the console.

Sampled - A random sample of requests matching this storage category will be stored and available for reference throughout the console.

Timeseries only - Requests matching this storage category will not be stored. Timeseries data for all signals tagged to the request will be stored and visible in the dashboards, charts, etc.

Note: Timeseries-only data storage category is only available on agents 3.12 and above. Matching requests processed on earlier agents will be processed according to the Sampled data storage category.


Request signal type Description Storage category
Individual requests containing attack signals Any requests containing 1 or more attack signals (e.g. SQLi, XSS, etc.) All
Individual requests containing CVE signals Any requests containing 1 or more CVE signals applied by virtual patching templated rules All
Individual requests containing only anomaly signals Requests that contain only anomaly signals (e.g. 404, Tor traffic) but no attack or CVE signals Sampled
Individual requests containing custom signals Requests containing custom signals but no attack or CVE signals. See Custom Signals for more information about creating and using signals. Sampled
Individual requests containing only API and/or ATO templated rules signals, known as informational signals Requests which are tagged with only a specific set of API and/or ATO templated rules signals, and no custom, anomaly, attack, or CVE signals Timeseries only

Note: Any requests containing at least one attack or CVE signal will be stored, including requests that also have anomaly, informational, or custom signals.