FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
yujames
Staff
Article Id 195468

Description

This article describes how to quickly delete incidents from FortiSIEM by dropping the monthly child tables in the FortiSIEM database that contain the target incidents.

This article only describes how to drop whole child tables from FortiSIEM, to avoid the risk of orphaned entries.

This requires some basic understanding of database management. Do not perform this task without familiarity with database management.

If the tables are dropped incorrectly, the risk of orphaned database entries is high.


Scope

FortiSIEM v4.3+.

Solution

  1. SSH into the supervisor as root.
  2. Run the following to connect to the FortiSIEM database:

     psql -U phoenix -d phoenixdb

  3. Run the following to list the tables:

     \dt

  4. Identify the incident tables for the month to be deleted in the table list. The table suffix is the year and month (yYYYYmM), with no leading zero on single-digit months (m9, not m09).

     Example:

     public | ph_incident_detail_y2019m10  | table | phoenix
     public | ph_incident_detail_y2019m9   | table | phoenix
     public | ph_incident_risk_score       | table | postgres
     public | ph_incident_story            | table | phoenix
     public | ph_incident_story_y2019m10   | table | phoenix
     public | ph_incident_story_y2019m9    | table | phoenix

  5. Run the following, replacing yXXXXmXX with the year and month of the tables to drop:

     drop table ph_incident_yXXXXmXX; drop table ph_incident_detail_yXXXXmXX;

     Example 1: dropping the tables for November 2019:

     drop table ph_incident_y2019m11; drop table ph_incident_detail_y2019m11;

     Example 2: dropping the tables for March 2020:

     drop table ph_incident_y2020m3; drop table ph_incident_detail_y2020m3;

  6. Run '\q'.

  7. Run 'exit'.

This will drop the connection from PostgreSQL as well as SSH.
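A more cautious way to carry out step 5, added here as an example and not part of the original article: check that both partitions exist and preview their row counts, then run the two drops inside one PostgreSQL transaction so that a failure on the second drop cannot leave a detail table without its parent. It assumes the ph_incident_yYYYYmM / ph_incident_detail_yYYYYmM naming shown above and November 2019 as the target month.

```sql
-- Added example (not from the KB article). Assumes the table naming shown
-- in the \dt output above and November 2019 (y2019m11) as the month to purge.
BEGIN;

-- Confirm both partitions for the month exist before touching anything.
SELECT tablename
  FROM pg_tables
 WHERE schemaname = 'public'
   AND tablename IN ('ph_incident_y2019m11', 'ph_incident_detail_y2019m11');

-- Preview how many rows each drop will discard.
SELECT 'ph_incident_y2019m11'        AS tbl, count(*) FROM ph_incident_y2019m11
UNION ALL
SELECT 'ph_incident_detail_y2019m11' AS tbl, count(*) FROM ph_incident_detail_y2019m11;

-- Both drops run in the same transaction: if the second statement fails,
-- the transaction is aborted and COMMIT rolls back the first drop as well,
-- so no detail table is left behind without its incident table.
DROP TABLE ph_incident_y2019m11;
DROP TABLE ph_incident_detail_y2019m11;

-- Verify nothing for that month remains in the table list before committing.
SELECT tablename
  FROM pg_tables
 WHERE schemaname = 'public'
   AND tablename LIKE 'ph_incident%y2019m11';

COMMIT;   -- use ROLLBACK; instead if the names or counts above look wrong
```

Run it from the psql session opened in step 2; the two verification queries let the operator stop with ROLLBACK before anything is permanently removed.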