- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-27-2020 06:11 AM
Our Vulnerable Response Tables can get quite large.
We're looking for a way to improve system performance on these tables by keeping them trimmed down to only current or recent historical information.
I would like to create some archiving rules around these tables to clean them up once the data is no longer needed. For example - Detection Status is Closed for greater than 90 days. However, the reltaionships between these tables are extensive and there are many sub-relationships as well.
I am wondering if anyone has attempted to do this or if there is anything out of the box for this?
I am aware that there is the ability to close old detections/VITS but I am looking for a way to purge them - not just close them.
Thanks!
Solved! Go to Solution.
- Labels:
-
Vulnerability Response
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-27-2020 07:07 AM
Hey there - this is a great question.
A native feature for this was introduced recently, and is called "Vulnerability Response Auto-Delete Rules":
- https://docs.servicenow.com/bundle/paris-security-management/page/product/vulnerability-response/task/enable-auto-del-vi-vg.html
Aligning your stale Vulnerable Item records, to your Vulnerable Item records to be purged (deleted) over time is a good starting point:
1) Setup your "auto-close" or stale record feature, to first transition Vulnerable Items to a state of Closed / Stale when they are no longer reported as active
- This means that over time, you will have two flavors of Closed Vulnerable Items (Fixed / Stale)
2) Configure your "auto-delete" or purging rules - to gradually purge Vulnerable Item records that meet certain criteria (such as State = Closed, Closed At more than 1 year ago)
- This can target records Closed with any Reason / Substate, as long as it has been closed for over a year
----------------------
The "auto-delete" feature, makes use of the ServiceNow Table Cleaner functionality.
You raise a good observation, there are more than just Vulnerable Items in the equation.
- There are records that reference Vulnerable Items such as Detections, M2M records that link Vulnerable Items to Vulnerability Groups, etc. -> that also grow in volume over time and should be groomed too.
Part of the the Table Cleaner functionality, includes the ability to perform "Cascade deletes".
- When table cleaner runs periodically, it will purge records meeting your condition you specify and if you enable "Cascade delete" it will also purge records that reference the ones earmarked to be purged.
Would recommend creating a HI Support Ticket as you set this up, especially if you are working with a high volume of Vulnerable Item records in your production instance.
- You will want to ensure that you have the appropriate database indexes setup to support your "auto-delete" aka Table Cleaner rules - as these queries run often and may need to be tuned if we have a large data set
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-27-2020 07:07 AM
Hey there - this is a great question.
A native feature for this was introduced recently, and is called "Vulnerability Response Auto-Delete Rules":
- https://docs.servicenow.com/bundle/paris-security-management/page/product/vulnerability-response/task/enable-auto-del-vi-vg.html
Aligning your stale Vulnerable Item records, to your Vulnerable Item records to be purged (deleted) over time is a good starting point:
1) Setup your "auto-close" or stale record feature, to first transition Vulnerable Items to a state of Closed / Stale when they are no longer reported as active
- This means that over time, you will have two flavors of Closed Vulnerable Items (Fixed / Stale)
2) Configure your "auto-delete" or purging rules - to gradually purge Vulnerable Item records that meet certain criteria (such as State = Closed, Closed At more than 1 year ago)
- This can target records Closed with any Reason / Substate, as long as it has been closed for over a year
----------------------
The "auto-delete" feature, makes use of the ServiceNow Table Cleaner functionality.
You raise a good observation, there are more than just Vulnerable Items in the equation.
- There are records that reference Vulnerable Items such as Detections, M2M records that link Vulnerable Items to Vulnerability Groups, etc. -> that also grow in volume over time and should be groomed too.
Part of the the Table Cleaner functionality, includes the ability to perform "Cascade deletes".
- When table cleaner runs periodically, it will purge records meeting your condition you specify and if you enable "Cascade delete" it will also purge records that reference the ones earmarked to be purged.
Would recommend creating a HI Support Ticket as you set this up, especially if you are working with a high volume of Vulnerable Item records in your production instance.
- You will want to ensure that you have the appropriate database indexes setup to support your "auto-delete" aka Table Cleaner rules - as these queries run often and may need to be tuned if we have a large data set
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-21-2021 05:06 AM
hi,
do we know in which table auto-deleted VIT or VUL go into? I am checking sys_audit_delete and didnt see anyting there.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-14-2021 08:10 AM
I have seen it going into sys_audit_delete. Search based on the document id and you should be able to retrieve it.
