After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Use data retention strategies to schedule and manage your database cleanup
Manage the records in your PostgreSQL database with the configure_db_maintenance
command..
Use configure_db_maintenance
to set options for the db_maintenance
tool. A set of options is called a strategy. Strategies are applied to models.
- Strategy
- The set of configurable parameters that define when a record should be deleted, either automatically or when the
db_maintenance
tool runs. - Model
- Any PostgreSQL database record or Django object is called a model. Models have characteristics that define what sort of information the model represents.
Model name | Description |
---|---|
container
|
Containers. See About . |
indicator
|
Indicators or Indicators of Compromise. See About . |
container_audit_trail , audit
|
Audit logs. See Enable and download audit trail logs in . |
device_profile
|
Mobile device profiles. See Enable or disable registered mobile devices. |
notification
|
Notifications. |
playbook_run_log
|
Records of playbook runs. |
To use the configure_db_maintenance.py
tool, follow these steps:
- SSH to your instance.
SSH <username>@<phantom_hostname> - Use the following tool to manage data deletion.
phenv configure_db_maintenance - Append your desired argument to the data retention tool command line to schedule, list, enable, or disable data retention actions.
On clustered systems, the configure_db_maintenance.py
tool can be run from any node, but only the leader node runs the data retention strategy.
Data retention tool arguments
Append the --help
argument to your tool to get information on the data retention tool arguments;
Optional arguments
Use these optional arguments to manage your data retention strategy.
Argument | Description |
---|---|
-h, --help | Show this help message and exit. |
--schedule | Schedule data retention to execution schedule. |
--cron-schedule <CRON_SCHEDULE> | How often to query Data Retention Schedule. Must be a cron schedule expression. |
--list | List strategies in data retention strategy. |
--target-model <TARGET_MODEL>, -m <TARGET_MODEL> | Name of model to run action on. |
-v {0,1,2,3}, --verbosity {0,1,2,3} | Verbosity level; 0=minimal output, 1=normal output, 2=verbose output, 3=very verbose output. |
You must specify the target model to add, delete, enable, or disable a model.
Add a model to your data retention strategy
The following arguments are required to successfully add a model to the data retention strategy.
Argument | Description |
---|---|
--add | Add a model strategy to the data retention strategy. You must supply the following sub-arguments:
|
--age-to-keep-time-unit {hours,days,months,years}, -u {hours,days,months,years} | Set the unit of time to use, hours, days, months, or years. |
--max-age-to-keep <MAX_AGE_TO_KEEP>, -a <MAX_AGE_TO_KEEP> | How many units of time to keep model. |
--disabled | Set the strategy to disabled when it is created. |
If you add a data retention strategy for a model that already has one, the new strategy replaces the existing strategy.
Edit a model's entry in your data retention strategy
The following arguments are required to edit a model in the data retention strategy.
Argument | Description |
---|---|
--delete | Delete a model strategy from the data retention strategy. You must supply the -m argument with the name of the model to delete.
|
--enable | Enable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to enable.
|
--disable | Disable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to disable.
|
Examples
Delete indicator records after three months:
Change the schedule on which configure_db_maintenance
runs:
Tune performance by managing features | Create custom status labels in |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2
Feedback submitted, thanks!