09-14-2023 03:42 AM
Hello,
We're feeding XSOAR with a lot of incidents. To avoid this, we created a job which deletes incidents each week. However, due to the amount of them, the command "SearchIncidentsV2" fails; it's not capable of searching them. How can we free space by deleting incidents in a massive way?
09-20-2023 07:48 AM
In this case you'll want to archive the older database partitions using this method:
It's an all or nothing approach however, as the partitions contain all Incidents for the given month.
09-20-2023 11:16 PM
Thanks for your answer,
The main problem if we try to archive is that we can't apply retention policies for each type of incident. Some incidents are kept inside XSOAR for 2 years and others are not needed anymore after 1 week. How can we apply this selective archiving?
10-09-2023 10:33 PM
It's not possible to selectively archive like this. Archived data can be restored later if needed so that's probably the approach I'd take for data that needs a longer retention. Exporting (only) the incidents with longer retention requirements is also an option.
Please also note that, at least for XSOAR 6 with Bolt, deleting an incident will not free space in the database associated with that incident. Additionally, files attached to incidents can be deleted separately with standard file system commands: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.8/Cortex-XSOAR-Administrator-Guide/Archive...