Delete Incident Utilities

We need to delete ALL the Sentinel incidents but we do not have time to do it one by one via the Sentinel Control Center. We see the incidents in the window incidents view on the e-Security Sentinel Control Center.

Backing up incident data

To backup Incident data before running the delete incident utilities, run BackupIncidentData.sh for Oracle database or BackupIncidentData.bat for SQL Server.

delete_incidents_by_query

This stored procedure deletes incidents specified by a SQL query that returns a set of incident IDs.

To execute on SQL Server

Connect to the database via SQL Query Analyzer as ESECDBA
exec delete_incidents_by_query ‘’

To execute on Oracle

Connect to the database via SQL*Plus as ESECDBA

SQL> set serveroutput on size 100000

SQL> exec esec_incidents_pkg.delete_incidents_by_query(‘’);

delete_incidents_by_rule

This stored procedure deletes incidents created by a correlation rule.

To execute on SQL Server

Connect to the database via SQL Query Analyzer as ESECDBA
exec delete_incidents_by_rule ‘’

To execute on Oracle

Connect to the database via SQL*Plus as ESECDBA

SQL> set serveroutput on size 100000

SQL> exec esec_incidents_pkg.delete_incidents_by_rule(‘’);

delete_incidents_by_id

This stored procedure deletes an incident by incident ID.

To execute on SQL Server

Connect to the database via SQL Query Analyzer as ESECDBA
exec delete_incidents_by_id

To execute on Oracle

Connect to the database via SQL*Plus as ESECDBA

SQL> set serveroutput on size 100000

SQL> exec esec_incidents_pkg.delete_incidents_by_id();