Hindsight

Hindsight is a feature that lets you retain your data beyond the standard retention period of 7, 15, or 30 days, at an additional cost. Hindsight customers are charged for the storage of that data and for queries that cover the data. Any data kept beyond the standard retention period is considered to be Hindsight data.

To start using Hindsight, contact your Sales Executive or scalyr-sales@sentinelone.com.

Hindsight is configured for a particular team account to which data is being sent, for a set number of days. That number includes the standard retention period; it is not added on top of it. For example, a customer with a standard retention period of 30 days and a Hindsight period of 365 days will have their data stored and available to queries for 365 days. They will be charged Hindsight costs for storing the data beyond 30 days, and for any queries that access that data.

Storage

Data storage is billed at the approximate cost of keeping it in Amazon S3.

Queries

User actions that trigger queries of Hindsight data will incur a cost based on the amount of data that is searched by the queries. Such actions include:

  • Search: Searching from any search page (events, graph, or distribution)
  • Power Query: Power Queries that are combined using `join` or `union` are billed separately.
  • Dashboard: Queries that are used to generate dashboard plots will only be billed the first time they are run; after that, the Summary Service is used to update their data. Dashboard elements that do not use the Summary Service and that search Hindsight data will result in billable queries each time the dashboard is displayed. Those elements include: Breakdown graphs, graphs backed by Power Queries, tables, big numbers, and pie and donut charts.

Users will not be charged for:

  • Pagination of search results (scrolling up/down to see more log lines)
  • Queries used to generate alerts
  • Queries made against an existing time series
  • Billing-related queries
  • Queries made by SentinelOne (for troubleshooting, reporting, etc.)

Billing

In order to view your Hindsight costs, go to the Billing page. If you have Hindsight enabled, you will see a box that shows a summary of Hindsight storage and search costs for the current billing period.

Itemized costs for storage can be viewed by clicking the "View Details" link below Storage. The table is initially shown in reverse order by date, with the most recent date first. The order in which the entries are shown can be changed by clicking on a column header.

Itemized costs for searches can be viewed by clicking the "View Details" link below Search on demand. This table shows each search that covered Hindsight data (thus incurring a Hindsight cost) in reverse order of when it was run. The most recent search appears first. The table has quite a few columns, and can be sorted by any of them.

The columns are:

  1. Date: The date the search was run
  2. User: The logged-in user who ran the search. The domain name of the email is only shown on hover.
  3. Data: The amount of data that was searched
  4. Cost: The cost of the search (in USD)
  5. Query: The filter for the search
  6. Time Range: The start and end times of the search
  7. Type: The general type of the search. It can be one of:
       • Search - a search from the logs search page
       • Graph - a search from the graph or distribution search page
       • PowerQuery - a Power Query
       • Dashboard - a search from a dashboard element
       • Summary Service - the initial search used to generate a dashboard plot for the first time