Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Use data retention strategies to schedule and manage your database cleanup

Use the configure_db_maintenance.py data retention tool to set up scheduled, automatic deletion of unused or outdated data from the PostgreSQL database. The tool is the single place to configure retention for all supported models: containers, indicators, audit logs, device profiles for mobile registration, notifications, and playbook run records.

Model
Any item that is a record in the PostgreSQL database. A model is defined by the set of characteristics that determine what kind of information the record represents. For example, container is one of the models that a data retention strategy can target.
Strategy
The configurable parameters for a model that define how old a record must be before it is deleted, either when the tool is run manually or on the schedule that runs the strategy automatically.

To use the configure_db_maintenance.py tool, follow these steps:

  1. SSH to your instance.
    ssh <username>@<phantom_hostname>
  2. Run the tool with the command that matches your installation type.
    1. For an unprivileged installation, use this command:
      phenv python /opt/phantom/www/manage.py configure_db_maintenance
    2. For a privileged installation, use this command:
      sudo phenv python /opt/phantom/www/manage.py configure_db_maintenance
  3. Append your desired argument to the data retention tool command line to schedule, list, enable, or disable data retention actions.

On clustered systems, the configure_db_maintenance.py tool can be run from any node, but only the leader node runs the data retention strategy.

Data retention tool arguments

Append the --help argument to the tool command to get information on the data retention tool arguments:

phenv python /opt/phantom/www/manage.py configure_db_maintenance --help

Optional arguments

Use these optional arguments to manage your data retention strategy.

Argument Description
-h, --help Show this help message and exit.
--schedule Schedule the data retention run. Use with --cron-schedule to set when the strategy runs.
--cron-schedule CRON_SCHEDULE How often the data retention strategy runs. Must be a cron schedule expression (five fields: minute, hour, day of month, month, day of week).
--list List strategies in data retention strategy.
--target-model TARGET_MODEL, -m TARGET_MODEL Name of model to run action on.
-v {0,1,2,3}, --verbosity {0,1,2,3} Verbosity level; 0=minimal output, 1=normal output, 2=verbose output, 3=very verbose output.

You must specify the target model to add, delete, enable, or disable a model.

Add a model to your data retention strategy

The following arguments are required to successfully add a model to the data retention strategy.

Argument Description
--add Add a model strategy to the data retention strategy. You must supply the following sub-arguments:
  • -m the name of the model to add {container, indicator, audit, or device_profile}
  • -u unit of time {hours,days,months,years}
  • -a number of time units to use
--age-to-keep-time-unit {hours,days,months,years}, -u {hours,days,months,years} Unit of time.
--max-age-to-keep MAX_AGE_TO_KEEP, -a MAX_AGE_TO_KEEP How many units of time to keep model.
--disabled Disable the strategy on creation.

If you add a data retention strategy for a model that already has one, the new strategy replaces the existing strategy. Records removed by a strategy are deleted from the database and cannot be recovered by the tool, so choose the age for the audit model carefully: it is the record of who did what in Phantom, and shortening it shortens the window available to later investigations.

Edit a model's entry in your data retention strategy

The following arguments are required to edit a model in the data retention strategy.

Argument Description
--delete Delete a model strategy from the data retention strategy. You must supply the -m argument with the name of the model to delete.
--enable Enable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to enable.
--disable Disable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to disable.

Examples

Delete indicator records older than three months:

phenv python /opt/phantom/www/manage.py configure_db_maintenance --add -m indicator -u months -a 3

Change the schedule on which the data retention strategy runs (here, at the top of every hour):

phenv python /opt/phantom/www/manage.py configure_db_maintenance --schedule --cron-schedule "0 * * * *"
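The following script is an added example and is not part of the Splunk Phantom documentation or product. It wraps the procedure above (choose the privileged or unprivileged command form, add one strategy per model, set the cron schedule, then list the result) in a POSIX sh script that validates the -u, -a and --cron-schedule values before anything is passed to configure_db_maintenance. The PHANTOM_SUDO and DRY_RUN variables, the helper function names and the retention ages in apply_policy are assumptions made for this example; by default it only prints the commands it would run, so it can be reviewed on any host before being executed on a Phantom instance.

```shell
#!/bin/sh
# Added example, not Splunk's code. Builds and (optionally) runs
# configure_db_maintenance commands for several models at once.
# Assumed variables (not part of the product):
#   PHANTOM_SUDO=1  prefix commands with sudo (privileged installation)
#   DRY_RUN=0       actually execute; the default (1) only prints commands

MANAGE="/opt/phantom/www/manage.py"   # path from the documentation
: "${PHANTOM_SUDO:=0}"
: "${DRY_RUN:=1}"

# validate_unit UNIT -> 0 if UNIT is one of the units accepted by -u
validate_unit() {
  case "$1" in
    hours|days|months|years) return 0 ;;
    *) return 1 ;;
  esac
}

# validate_age N -> 0 if N is a positive integer (the value for -a)
validate_age() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    0) return 1 ;;
    *) return 0 ;;
  esac
}

# validate_cron EXPR -> 0 if EXPR has exactly five whitespace-separated fields.
# awk is used instead of unquoted word splitting so that "*" is never
# expanded against the files in the current directory.
validate_cron() {
  [ "$(printf '%s\n' "$1" | awk '{ print NF }')" -eq 5 ]
}

# base_cmd -> prints the command prefix for this installation type
base_cmd() {
  if [ "$PHANTOM_SUDO" = "1" ]; then
    printf 'sudo phenv python %s configure_db_maintenance' "$MANAGE"
  else
    printf 'phenv python %s configure_db_maintenance' "$MANAGE"
  fi
}

# build_add MODEL UNIT AGE -> prints the --add command line, fails on bad input.
# The model name is passed through unchanged; see the --add description
# for the names the tool accepts.
build_add() {
  validate_unit "$2" || { echo "invalid unit: $2" >&2; return 1; }
  validate_age "$3"  || { echo "invalid age: $3" >&2; return 1; }
  printf '%s --add -m %s -u %s -a %s\n' "$(base_cmd)" "$1" "$2" "$3"
}

# build_schedule EXPR -> prints the --schedule command line, fails on bad cron
build_schedule() {
  validate_cron "$1" || { echo "invalid cron expression: $1" >&2; return 1; }
  printf '%s --schedule --cron-schedule "%s"\n' "$(base_cmd)" "$1"
}

# run CMD -> prints CMD in dry-run mode, otherwise executes it
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$1"
  else
    sh -c "$1"
  fi
}

# Constructed policy for this example. Audit records are kept longest on
# purpose: they are the forensic trail, and the tool cannot restore them.
apply_policy() {
  cmd=$(build_add container days 90)   && run "$cmd" || return 1
  cmd=$(build_add indicator months 3)  && run "$cmd" || return 1
  cmd=$(build_add audit years 2)       && run "$cmd" || return 1
  cmd=$(build_schedule "0 * * * *")    && run "$cmd" || return 1
  run "$(base_cmd) --list"
}

apply_policy
```

Run it once with the default DRY_RUN=1 to review the exact command lines, then with DRY_RUN=0 (and PHANTOM_SUDO=1 on a privileged installation) from an SSH session on a cluster node; the leader node is the one that will execute the resulting schedule.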
Last modified on 07 September, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
