Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Use data retention strategies to schedule and manage your database cleanup

Manage the records in your PostgreSQL database with the configure_db_maintenance subcommand of manage.py.

Use configure_db_maintenance to set options for the db_maintenance tool. A set of options is called a strategy. Strategies are applied to models.

Strategy
The set of configurable parameters that define when a record should be deleted, either automatically or when the db_maintenance tool runs.
Model
Any PostgreSQL database record or Django object is called a model. Models have characteristics that define what sort of information the model represents.
Model name Description
container Containers. See About .
indicator Indicators or Indicators of Compromise. See About .
container_audit_trail, audit Audit logs. See Enable and download audit trail logs in .
device_profile Mobile device profiles. See Enable or disable registered mobile devices.
notification Notifications.
playbook_run_log Records of playbook runs.

To use the configure_db_maintenance.py tool, follow these steps:

  1. SSH to your instance.
    SSH <username>@<phantom_hostname>
  2. Use the following tool to manage data deletion based on your installation.
    1. For an unprivileged installation, use this command:
      phenv python /opt/phantom/www/manage.py configure_db_maintenance
    2. For a privileged installation, use this command:
      sudo phenv python /opt/phantom/www/manage.py configure_db_maintenance
  3. Append your desired argument to the data retention tool command line to schedule, list, enable, or disable data retention actions.

On clustered systems, the configure_db_maintenance.py tool can be run from any node, but only the leader node runs the data retention strategy.

Data retention tool arguments

Append the --help argument to your tool to get information on the data retention tool arguments;

phenv python /opt/phantom/www/manage.py configure_db_maintenance --help

Optional arguments

Use these optional arguments to manage your data retention strategy.

Argument Description
-h, --help Show this help message and exit.
--schedule Schedule data retention to execution schedule.
--cron-schedule <CRON_SCHEDULE> How often to query Data Retention Schedule. Must be a cron schedule expression.
--list List strategies in data retention strategy.
--target-model <TARGET_MODEL>, -m <TARGET_MODEL> Name of model to run action on.
-v {0,1,2,3}, --verbosity {0,1,2,3} Verbosity level; 0=minimal output, 1=normal output, 2=verbose output, 3=very verbose output.

You must specify the target model to add, delete, enable, or disable a model.

Add a model to your data retention strategy

The following arguments are required to successfully add a model to the data retention strategy.

Argument Description
--add Add a model strategy to the data retention strategy. You must supply the following sub-arguments:
  • -m the name of the model to add; container, indicator, audit, device_profile, notifications, or playbook_run_log.
  • -u unit of time; hours,days,months, or years.
  • -a number of time units to use
--age-to-keep-time-unit {hours,days,months,years}, -u {hours,days,months,years} Set the unit of time to use, hours, days, months, or years.
--max-age-to-keep <MAX_AGE_TO_KEEP>, -a <MAX_AGE_TO_KEEP> How many units of time to keep model.
--disabled Set the strategy to disabled when it is created.

If you add a data retention strategy for a model that already has one, the new strategy replaces the existing strategy.

Edit a model's entry in your data retention strategy

The following arguments are required to edit a model in the data retention strategy.

Argument Description
--delete Delete a model strategy from the data retention strategy. You must supply the -m argument with the name of the model to delete.
--enable Enable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to enable.
--disable Disable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to disable.

Examples

Delete indicator records after three months:

phenv python /opt/phantom/www/manage.py configure_db_maintenance --add -m indicator -u months -a 3

Change the schedule on which configure_db_maintenance runs:

phenv python /opt/phantom/www/manage.py configure_db_maintenance --schedule --cron-schedule "0 * * * *"
Last modified on 08 March, 2023
Tune performance by managing features   Create custom status labels in

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters