Editing DLP Incident Table After Wrong Rule

After the DLP rule was created by our customer, approximately 1.5 million incidents occurred. Therefore, there has been a huge increase in the database. The rule is now disabled. Is there a way to delete logs related to this rule in the database? How can we organize the huge database? We don't want any damage to other tables. We are waiting for your help. Regards,
Accepted Solutions
McAfee Employee
Message 2 of 7

Re: Editing DLP Incident Table After Wrong Rule

Hello and thank you for posting here!

The supported method for deleting these incidents would be to create a Purge Task in the DLP Incident Manager. This can be found under DLP Incident Manager > Incident Tasks > Purge Incidents. Here, you can create a new purge task and configure it to purge incidents based on specified criteria. In this case, if you wish to delete all of these incidents generated by the rule you referenced, you can select the rule name as seen in the attached screenshot. Additional criteria can be added if needed. 

Once created, run the DLP Purge Operational Events and Incidents server task. This will purge DLP incidents based on the criteria you've created. It should be noted that 1.5 million incidents will take a long time to purge, so I would recommend leaving the server task running until it has completed.

Additionally, a copy of these incidents will also be stored in the Incidents History section of the DLP Incident Manager. If you wish to purge these incidents as well, separate purge task criteria must be configured under the "Data in use/motion - History" section in Incident Tasks. Incident History also has its own server task named "DLP Purge History of Operation Events and Incidents".

6 Replies

Re: Editing DLP Incident Table After Wrong Rule

First of all, thank you very much for your descriptive explanation. As you said, I created a rule-based incident task in my test environment. I ran DLP Purge Operational Events and Incidents server task. Then I ran "DLP Purge History of Operation Events and Incidents" server task. When I looked at the database and incident history, I still saw that the events were not deleted. Is there anything else I should do? Where could I be making mistakes?

Regards,

McAfee Employee
Message 4 of 7

Re: Editing DLP Incident Table After Wrong Rule

Would you mind providing some screenshots of the Rule Criteria you've created for your purge task? Also, do you see any errors when you view the details of the DLP Purge Operational Events and Incidents server task in your ePO Server Task Log?

Re: Editing DLP Incident Table After Wrong Rule

I checked and there is no error in the server task log. I attached a screenshot.

McAfee Employee
Message 6 of 7

Re: Editing DLP Incident Table After Wrong Rule

It looks like you have the purge criteria configured correctly. Your second screenshot shows that the server task completed. However, if you click on the server task name in Server Task Log you should see more details. If you do this, do you see any information about incidents being purged?

Re: Editing DLP Incident Table After Wrong Rule

Thank you for your help. When I checked again, I saw that the related DLP rule had been purged.
