Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Use data retention strategies to schedule and manage your database cleanup

Manage the records in your PostgreSQL database with the configure_db_maintenance command..

Use configure_db_maintenance to set options for the db_maintenance tool. A set of options is called a strategy. Strategies are applied to models.

Strategy
The set of configurable parameters that define when a record should be deleted, either automatically or when the db_maintenance tool runs.
Model
Any PostgreSQL database record or Django object is called a model. Models have characteristics that define what sort of information the model represents.
Model name Description
container Containers. See About .
indicator Indicators or Indicators of Compromise. See About .
container_audit_trail, audit Audit logs. See Enable and download audit trail logs in .
device_profile Mobile device profiles. See Enable or disable registered mobile devices.
notification Notifications.
playbook_run_log Records of playbook runs.

To use the configure_db_maintenance.py tool, follow these steps:

  1. SSH to your instance.
    SSH <username>@<phantom_hostname>
  2. Use the following tool to manage data deletion.
    phenv configure_db_maintenance
  3. Append your desired argument to the data retention tool command line to schedule, list, enable, or disable data retention actions.

On clustered systems, the configure_db_maintenance.py tool can be run from any node, but only the leader node runs the data retention strategy.

Data retention tool arguments

Append the --help argument to your tool to get information on the data retention tool arguments;

phenv configure_db_maintenance --help

Optional arguments

Use these optional arguments to manage your data retention strategy.

Argument Description
-h, --help Show this help message and exit.
--schedule Schedule data retention to execution schedule.
--cron-schedule <CRON_SCHEDULE> How often to query Data Retention Schedule. Must be a cron schedule expression.
--list List strategies in data retention strategy.
--target-model <TARGET_MODEL>, -m <TARGET_MODEL> Name of model to run action on.
-v {0,1,2,3}, --verbosity {0,1,2,3} Verbosity level; 0=minimal output, 1=normal output, 2=verbose output, 3=very verbose output.

You must specify the target model to add, delete, enable, or disable a model.

Add a model to your data retention strategy

The following arguments are required to successfully add a model to the data retention strategy.

Argument Description
--add Add a model strategy to the data retention strategy. You must supply the following sub-arguments:
  • -m the name of the model to add; container, indicator, audit, device_profile, notifications, or playbook_run_log.
  • -u unit of time; hours,days,months, or years.
  • -a number of time units to use
--age-to-keep-time-unit {hours,days,months,years}, -u {hours,days,months,years} Set the unit of time to use, hours, days, months, or years.
--max-age-to-keep <MAX_AGE_TO_KEEP>, -a <MAX_AGE_TO_KEEP> How many units of time to keep model.
--disabled Set the strategy to disabled when it is created.

If you add a data retention strategy for a model that already has one, the new strategy replaces the existing strategy.

Edit a model's entry in your data retention strategy

The following arguments are required to edit a model in the data retention strategy.

Argument Description
--delete Delete a model strategy from the data retention strategy. You must supply the -m argument with the name of the model to delete.
--enable Enable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to enable.
--disable Disable a model strategy in the data retention strategy. You must supply the -m argument with the name of the model to disable.

Examples

Delete indicator records after three months:

phenv configure_db_maintenance --add -m indicator -u months -a 3

Change the schedule on which configure_db_maintenance runs:

phenv configure_db_maintenance --schedule --cron-schedule "0 * * * *"
Last modified on 18 October, 2024
Use Python scripts and the REST API to manage your deployment   An overview of the Splunk SOAR (On-premises) clustering feature

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters