
Delete case from case management

Pretty sure I know the answer, but I am curious if there is a way to remove cases that were created in the built-in case management functionality. It appears that, as part of some kind of testing, a case was triggered for every alarm that was fired. I am unsure how the case management feature fits into our overall plans, but I would at least like to start with a clean slate if we decide to use it.

If they cannot be removed, is there a way to easily close 400+ cases without touching each individually?

Thanks in advance.

Chris

9 Replies

Re: Delete case from case management

bump

danev
Level 7
Message 3 of 10

Re: Delete case from case management

bump again

Re: Delete case from case management

Bump. Why is this still unanswered?

From what I've seen there is no way to close more than 1 case at a time. Closing each case requires SIEM to refresh as well, taking even more time. If you have to close a lot of cases created by a junk alarm it will take hours/days of time to do so and renders the case management feature useless until the junk alarm is fixed or stopped and all the cases are flushed out 1 at a time. It takes about 10 seconds to close a case in the case management window (need to wait for SIEM to refresh after each one, and then load the case when you open it). 400 cases could take over 60+ hours to close out. 

Is there really no way to close or delete these in bulk? If so, WHY?

aszotek
Level 10
Message 5 of 10

Re: Delete case from case management

Yes, this is by design.

Case management functionality was requested to be fully auditable, for regulatory requirements.

Yes it's a major pain when badly set alarms flood your case management view, please use them carefully.

Re: Delete case from case management

They should at least have the ability to bulk change Case Status. That's a god awful design feature. Thankfully it wasn't me that created these. Someone is going to have fun spending the next 9 shifts closing each case one at a time... Basically this will cost us over 80 hours of labor. And SIEM was supposed to be this nicely automated tool. I guess you get what you pay for. In this case $500k+. Honestly, we should have our McAfee support rep sit here and close all of these one at a time.

Re: Delete case from case management

FYI if you have Platinum support, contact your support rep and have them send someone out to come close each junk case - They'll have to do it. This is the best solution to flushing out cases in bulk. 

Reliable Contributor David1111
Message 8 of 10

Re: Delete case from case management

Hi dear community,

I'm not sure why no one has answered this until now...

but the solution is simple.

ssh to the ESM

root

NGCP password

 

Note: it's recommended to check this in a test environment first, before writing to the Prod environment.

 

## To get into the database on the ESM.

nsql /usr/local/ess/data/connect_esm.sql

 

## After "opentime" you can choose either < or > to determine whether you want to close cases opened before x or after x.

update casemgt set status=2, closetime='09/04/2019 00:00:00' where opentime < '09/01/2019 00:00:00'

 

Best Regards👍👍👍

David.
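A preview-then-update sequence for the bulk close described in the post above, as an added example that is not part of the original post. It reuses only the table and columns shown there (`casemgt`, `status`, `opentime`, `closetime`) and assumes that `status=2` means closed, as the posted statement implies, and that `nsql` accepts standard `SELECT COUNT(*)`, `<>`, `--` comments and `;` terminators. Recording the counts from steps 1 and 4 gives a record of how many cases were changed outside the UI.

```sql
-- Added example; syntax is standard SQL and is an assumption for nsql.

-- 1. Preview: how many still-open cases fall inside the window.
SELECT COUNT(*)
FROM casemgt
WHERE opentime < '09/01/2019 00:00:00'
  AND status <> 2;

-- 2. Cases in the same window that are already closed. Without a status
--    filter, the UPDATE would overwrite their real closetime as well.
SELECT COUNT(*)
FROM casemgt
WHERE opentime < '09/01/2019 00:00:00'
  AND status = 2;

-- 3. Close only the cases that are not already closed.
UPDATE casemgt
SET status = 2,
    closetime = '09/04/2019 00:00:00'
WHERE opentime < '09/01/2019 00:00:00'
  AND status <> 2;

-- 4. Verify: this should now return 0.
SELECT COUNT(*)
FROM casemgt
WHERE opentime < '09/01/2019 00:00:00'
  AND status <> 2;
```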

Re: Delete case from case management

In order to showcase the situation when tasks and also delete the case work products, complete the next steps: In IBM Administration Console for Content Platform Engine, navigate to the proper url, broaden Object Stores, and just click the title of the IBM Case Manager goal object shop which has the situation that you would like to delete.
After growing the folders within the target object shop, navigate to Browse > Root folder > IBM Case Manager > Solution Deployments > My Solution > Case Types > Cases.
Get around on the job sequence folder: Year > Month > Day > quantity > task_sequence.
For performance reasons, situations produced on exactly the same day are filed under a folder with an arbitrary number between one and 0300. For instance, 2013 > seven > nineteen > 0166 > 000000100003. If a lot of cases are filed on exactly the same morning, you may have to utilize the Search feature of the Administration Console for Content Platform Engine and browse the target object shop to check out the situation.

Left-click the task_sequence. In the pane on the correct, click on the Tasks tab.
In the State column, finish the following measures for things that're in Failed or even Working express: Click the job.
Click on the Properties tab.
If the task is within the Failed status, and the worth of the Disabled State home is three, ignore this phase & continue with step six.
For Failed or Working chores which are not disabled, go down with the ID field and capture its value. You are going to need the job ID in a later action when you eliminate the corresponding workflow.
Go to the task_sequence tab and shut the process tab.
Click Promote State. Confirm that the job state is Complete.
On the Tasks tab, choose each process which is in Waiting or maybe State that is ready, after which simply click Delete.
Shut the window.
Start the procedure Analyzer by visiting Case Manager_target object shop > Administrative > Workflow System > Connection Points > connection_point. Right-click the hookup thing and select Administer Work Items. The administration connection_point window is shown.
In the Look for area, select Workflows.
In the In area, select Workflow Roster, and that is the exact same title as the answer.
In the Search mode area, select Edit (all fields).
Click Find Now.
Click View > Show/Hide Columns.
In the Column Selection windowpane, bring F_CaseTask to the Selected Columns field, after which click OK. Verify F_CaseTask is shown in the effects window.
Make use of the job ID from action 5.d to determine the workflow that's linked with every one of the activities which you promoted earlier. Right-click the workflow and after that simply click Tasks > Delete Work.
Click OK to confirm you would like to delete the energy item or items.
In order to reuse files from deleted cases, you have to eliminate the guide to the Associated Case item within the document home before you delete the situation. Or else, you are going to be unable to upgrade qualities on the supporting documents from deleted instances.
In Administration Console for Content Platform Engine, navigate on the job sequence folder: Year > Month > Day > quantity > task_sequence. For instance, 2013 > seven > nineteen > 0166 > 000000100003.
Left-click the task_sequence. In the pane on the correct, click on the Contents tab and go over on the supporting document folder, like Correspondence.
Left-click the document. In the new mid tab, choose the Properties tab.
Go down, left click the arrow next to the Associated Case home value, and also select Unset Value. Click Save.
In Administration Console for Content Platform Engine, right click the task_sequence (such as 000000100003), after which simply click Delete.
Simply click OK.
In order to eliminate the situation when folder, complete the next steps: In Administration Console for Content Platform Engine, navigate on the job sequence folder: Year > Month > Day > quantity > task_sequence. For instance, 2013 > seven > nineteen > 0166 > 000000100003.
Right-click task_sequence and then simply click Delete.
Simply click OK.

Get More Info

Reliable Contributor David1111
Message 10 of 10

Re: Delete case from case management

Hi Robert.

Is this for Qradar IBM?

It's definitely not for McAfee ESM.

Anyway, thanks.

Best regards👍👍👍

David.
