Bulk Close/Cancel SecOps DLP Incidents

Tom Buchanan · ‎08-12-2024

I have situation where an individual has triggered more than 70K+ SecOps DLP Incidents. The current functionality of SecOps only allows me to cancel or close 100 incidents at a time (e.g. 500 pages) to cancel 50k incidents. Is there a current out of the box solution or another solution someone has discovered to bulk cancel/close incidents. *Note I do not have the SecOps DLP Admin role. Even with that role, I don't believe the functionality exists. The "select all" option exists but only 100 incidents/alerts will be closed.

Is ServiceNow planning an enhancement to the SecOps DLP product?

Dexter Parre_o · ‎08-15-2024

Hi @Tom Buchanan. Was the incident consolidation functionality used to consolidate the incidents? If yes, depending on the consolidation rules configured, it would just be a matter of closing the parent incidents. If not, I don't think there is a quicker way to close all those DLP incidents triggered for just one user unless you run a fix script in prod although we would want to stay away from that.

Tom Buchanan · ‎09-04-2024

Thanks Dexter. The consolidation functionality is currently not being used.