06-04-2024 10:09 AM - edited 06-04-2024 10:14 AM
Starting with incidents, yes it's not documented to that extent, but here are some known facts.
- Technically UI vs API is not that different, but UI load and refresh takes time. And if you try to delete lots (hundreds) of incidents by selecting all, you may experience timeouts.
- For /incident/batchDelete on the latest version (6.12) the default limit is 100 incidents afaik. However, you can raise this in the post request using the page/size keys. (For example: {"page":0,"size":batch_size,"query":"some_query", "lastSeen": {"fromDate":"2022-07-16T22:00:00Z"}}) So, it requires a programmatic approach to use with paging in loops.
- There is this community pack: https://cortex.marketplace.pan.dev/marketplace/details/CommunityCommonScripts/
and there is an automation called DeleteIncidentsByQuery in it, which uses Core-API >'core-delete-incidents'. Again it can be used in a loop, command has a size parameter.
- Finally: We always advise archiving when a customer wants to get rid of lots of incidents & data. When possible use: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.12/Cortex-XSOAR-Administrator-Guide/Free-u...
For Indicators, I don't know an automation called BulkApi. But /indicators/batchDelete is almost the same as incidents. The default limit should be again 100 (never tested) and you need to programmatically process higher batches using the page/size keys in a loop, creating new pages with the limit of 100 iocs/iteration. (For example: {"page": 0, "size": batch_size, "query": "some_query", "sort": [{"field": "calculatedTime","asc": False}]})
But remember that the retention setting is also a way to manage indicator lifecycle (when possible).
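The page/size batching loop described above for both /incident/batchDelete and /indicators/batchDelete, as an added example (not code from the post or from the CommunityCommonScripts pack). The request bodies are the ones shown in the post; the Authorization-header API key style, the re-request of page 0 after each batch, and the `max_batches` guard are assumptions, and `delete_in_batches` expects a `post` callable that returns how many objects one call removed.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

# Paths and body keys are those the post describes; 100 is the default
# server-side limit it mentions for 6.12.
INCIDENT_BATCH_DELETE = "/incident/batchDelete"
INDICATOR_BATCH_DELETE = "/indicators/batchDelete"
DEFAULT_BATCH = 100


def incident_delete_body(query: str, size: int = DEFAULT_BATCH,
                         from_date: Optional[str] = None) -> Dict[str, Any]:
    """Body for /incident/batchDelete; lastSeen.fromDate narrows the query."""
    body: Dict[str, Any] = {"page": 0, "size": size, "query": query}
    if from_date:
        body["lastSeen"] = {"fromDate": from_date}
    return body


def indicator_delete_body(query: str, size: int = DEFAULT_BATCH) -> Dict[str, Any]:
    """Body for /indicators/batchDelete, sorted by calculatedTime as in the post."""
    return {"page": 0, "size": size, "query": query,
            "sort": [{"field": "calculatedTime", "asc": False}]}


def delete_in_batches(post: Callable[[Dict[str, Any]], int],
                      body: Dict[str, Any], max_batches: int = 50) -> int:
    """Re-issue the same page-0 request until a batch comes back short.

    post(body) sends one request and returns the number of objects that call
    deleted. Page 0 is requested again each time because deleted objects drop
    out of the query (assumption); max_batches caps the loop so a query that
    keeps matching (objects that refuse to delete) cannot run forever.
    """
    total = 0
    for _ in range(max_batches):
        deleted = post(body)
        total += deleted
        if deleted < body["size"]:  # partial or empty batch: nothing left
            break
    return total


def xsoar_post(base_url: str, api_key: str, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """One JSON POST to XSOAR 6.x (stdlib only). Assumption: API key goes in
    the Authorization header; wrap this to turn the reply into a count."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": api_key, "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode() or "{}")
```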