Hot data is necessary for live security monitoring. Archive data is not available fastly. It takes days to make archive data live if the archive data time frame is more than 30 days in most of the SIEM solutions. As an example: SolarWinds said the attackers first compromised its development environment on Sept. 4, 2019. So, to investigate the SolarWinds case, we have to back to Sept. 4, 2019, from now on (July 13, 2021). In this case, we need at least 18 months of live data.
The second example of why hot data is critical is from the IBM data breach report. The average time to identify and contain a breach is 280 days, according to this report.
Hot data gives defenders the quick access they need for real-time threat hunting, but hot data is more expensive than the archive option in current SIEM solutions. Keeping data hot for SIEM use is inevitably one of the more expensive data storage options.
Surelog SIEM  solves this expensive problem. SureLog SIEM needs only 3 TB disk size for 12 months for a maximum of 2500 EPS . This is the best disk usage size in the SIEM market and the cheapest solution for hot data storage.