IBM Security QRadar SOAR

  • 1.  Retention period for incidents

    Posted Wed May 15, 2019 10:52 AM

    Hi, team!
    Please explain how to configure the retention period for incident storage, or confirm that there is no option to configure retention and the period depends on the free space left on the dedicated file system.

    How can we monitor the availability of free space so the system does not crash at some point? Is there any auto-notification that can be configured for free-space monitoring, or should it be implemented manually?



    ------------------------------
    Serhii Kokhan
    ------------------------------


  • 2.  RE: Retention period for incidents

    Posted Thu May 16, 2019 05:32 AM
    Hi Serhii,

    Incidents are stored in the database and even when they are deleted they are still stored in the database but in different tables. Deleted incidents will not be shown in the UI.

    We do not provide tools to monitor resources on the server because customers have many different methods of monitoring; we cannot cater for them all. Later versions of Resilient run on Red Hat Enterprise Linux. If your preferred monitoring solution has agents that can be installed on RHEL then you can use them, but it is the customer's responsibility to configure and support them.

    In the optional packages that can be installed on OVA deployments we have included net-snmp, which customers can leverage. As above, we do not support configuration of SNMP.

    We also have a stand-alone installer of Resilient that can be installed on your own licensed RHEL server. This provides some customers with greater flexibility with regard to monitoring solutions and installation of third-party packages.

    ------------------------------
    BEN WILLIAMS
    ------------------------------
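    The thread leaves free-space monitoring to the customer. The following is an added example, not code from the thread or from IBM, of the kind of cron-friendly check a RHEL administrator might run against the filesystem holding attachments. The mount point `/var/lib/resilient`, the 90% threshold and the sample `df -P` output are assumptions and constructed data, not values taken from the product documentation.

```shell
#!/bin/sh
# Added example (not part of the thread or the product): warn when a filesystem
# crosses a usage threshold, so the operator can extend storage before the
# application runs out of space. Mount point and threshold are assumptions.

# Constructed sample of `df -P` output so the parsing logic can be checked offline.
SAMPLE_DF='Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/sda2         51474912  40123456  11351456      78% /
/dev/sdb1        205717176 190200000  15517176      93% /var/lib/resilient'

# usage_percent <df -P output> <mountpoint>
# Prints the Capacity column for the given mount point without the '%' sign.
usage_percent() {
    printf '%s\n' "$1" | awk -v mp="$2" '$6 == mp { sub("%", "", $5); print $5 }'
}

# below_threshold <percent> <threshold>
# Exit status 0 when usage is below the threshold, 1 when at or above it.
below_threshold() {
    [ "$1" -lt "$2" ]
}

# live_usage_percent <path>
# Queries df for the filesystem that actually holds <path> (not a parsed sample).
live_usage_percent() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# check_filesystem <path> <threshold>
# Logs a warning via syslog (when logger is available) and returns 1 when the
# filesystem holding <path> is at or above <threshold> percent usage.
check_filesystem() {
    path=$1
    threshold=$2
    pct=$(live_usage_percent "$path")
    if below_threshold "$pct" "$threshold"; then
        echo "OK: $path at ${pct}% (threshold ${threshold}%)"
        return 0
    fi
    msg="WARNING: $path at ${pct}% usage, threshold ${threshold}%; extend storage"
    echo "$msg" >&2
    command -v logger >/dev/null 2>&1 && logger -t diskcheck -p daemon.warning "$msg"
    return 1
}

# When invoked directly with arguments, run the live check; e.g. from cron:
#   */15 * * * * /usr/local/bin/diskcheck.sh /var/lib/resilient 90
if [ $# -gt 0 ]; then
    check_filesystem "$1" "${2:-90}"
fi
```

    The non-zero exit status is the integration point: a monitoring agent or a cron mail-on-failure setup picks it up without any product-specific hooks, which matches the reply above that monitoring is done with the customer's own tooling.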



  • 3.  RE: Retention period for incidents

    Posted Thu May 16, 2019 05:46 AM
    Thanks for the information! So if I understand correctly, there is no way to get rid of old incidents, and when the system faces a lack of storage, the only way to escape the crash is to extend the storage?

    ------------------------------
    Serhii Kokhan
    ------------------------------



  • 4.  RE: Retention period for incidents

    Posted Thu May 16, 2019 05:57 AM
    Hi Serhii,

    Deletion of incidents is explained here. You will see that attachments are deleted, but much of the incident data is stored in other database tables so that you have a permanent history in case you need to refer to it. What problem are you seeing? Is it your attachments that are using up most of the disk space, or the growth in the database? The database does not store attachments; these are stored on the operating system.

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 5.  RE: Retention period for incidents

    Posted Thu May 16, 2019 06:18 AM
    We do not have an issue yet, but we must be ready for any occasion. Also, we have a question from an auditor regarding incident retention.
    So, according to your last reply, I understand that:
    1. The only way to escape a system crash in case of full storage is to extend the storage. We have to monitor the status manually.
    2. We can delete incidents, but much of the incident data is stored in other database tables so that we have a permanent history in case you need to refer to it. >> How do we refer to it?

    ------------------------------
    Serhii Kokhan
    ------------------------------



  • 6.  RE: Retention period for incidents

    Posted Thu May 16, 2019 06:26 AM
    Historical data will be stored in "audit" tables, which can only be accessed via SQL queries.

    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 7.  RE: Retention period for incidents

    Posted Fri May 17, 2019 05:31 AM
    Hi Serhii,

    Please see the Idea on this topic and vote for it if you wish to see us provide more OOTB functionality in this area:
    Data Retention Policy - Incident Timer/Audit log | IBM Resilient Ideas

    ------------------------------
    MARTIN FEENEY
    IBM Resilient Product Manager
    IBM Security
    Galway
    ------------------------------