What is a difference between cold storage and hot storage in Cortex?

In the Cortex Data Lake (utilized by XDR and XSIAM), storage is tiered to balance performance and cost-efficiency.

Hot Storage: This is the high-performance tier where data is immediately available for searching and analysis. Queries run against hot storage are near-instantaneous. Typically, organizations keep the most recent 30 to 90 days of data in hot storage for active investigation.

Cold Storage: This is a cost-effective tier for long-term retention (compliance). Data in cold storage is compressed and archived. To query this data, it must first be "re-hydrated" or restored to a searchable state, which inherently takes more time than querying active logs in hot storage.

Correction: I have clarified that while both storage types contain the same log data, the access latency is the primary differentiator.