How to purge large amounts of event data from ePolicy Orchestrator using an SQL query
Last Modified: 2022-05-18 10:24:21 Etc/GMT
Technical Articles ID: KB92098
Environment

ePolicy Orchestrator (ePO) 5.10.x
Microsoft SQL Server, all supported versions

For details of ePO and SQL-supported environments, see KB51569 - Supported platforms for ePolicy Orchestrator.

Summary

IMPORTANT: We recommend that you purge threat events with the built-in server task created for this purpose. Use this article only if the built-in tasks aren't sufficient.

This article provides guidance on how to purge large volumes of threat event information from the ePO database. To accomplish this task, you must use the attached script ( You can use the attached SQL query to purge events. By default, it purges any event with a

declare @BatchSize int = 4900
declare @BatchDelaySeconds int = 3
declare @DeleteTime int = -12
declare @PurgeWhereClause NVARCHAR(MAX) = 'DetectedUTC < DATEADD(MM, @DeleteTime, GETDATE())'

Guidance on editing the above variables:
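The attached script is not reproduced on this page. The following is an added illustration, not Trellix's script, of how the four variables above drive a batched purge: each DELETE removes at most @BatchSize rows, then pauses @BatchDelaySeconds so ePO's own inserts and the transaction log are not starved. The table name dbo.EPOEvents and the use of sp_executesql to apply @PurgeWhereClause are assumptions; confirm both against your ePO database and run a SELECT COUNT(*) with the same WHERE clause first to see how many rows the clause will remove.

```sql
-- Added example (not the KB's attached script). Assumes the threat event
-- table is dbo.EPOEvents and that @PurgeWhereClause only references
-- DetectedUTC and @DeleteTime, as in the default shown in the article.
SET NOCOUNT ON;

DECLARE @BatchSize INT = 4900;           -- rows per DELETE; keep well under lock-escalation thresholds
DECLARE @BatchDelaySeconds INT = 3;      -- pause between batches so ePO inserts keep flowing
DECLARE @DeleteTime INT = -12;           -- months; negative means "older than"
DECLARE @PurgeWhereClause NVARCHAR(MAX) =
    N'DetectedUTC < DATEADD(MM, @DeleteTime, GETDATE())';

-- WAITFOR DELAY needs an hh:mm:ss string; build it from the seconds value.
DECLARE @Delay CHAR(8) = CONVERT(CHAR(8), DATEADD(SECOND, @BatchDelaySeconds, 0), 108);
DECLARE @Rows INT = 1;
DECLARE @Total INT = 0;

-- The WHERE clause is injected once here, so the loop below never rebuilds it.
DECLARE @Sql NVARCHAR(MAX) =
    N'DELETE TOP (@BatchSize) FROM dbo.EPOEvents WHERE ' + @PurgeWhereClause + N';'
  + N' SET @RowsOut = @@ROWCOUNT;';

WHILE @Rows > 0
BEGIN
    -- Each batch is its own small transaction, keeping log growth and
    -- blocking of the ePO application bounded.
    EXEC sp_executesql @Sql,
         N'@BatchSize INT, @DeleteTime INT, @RowsOut INT OUTPUT',
         @BatchSize = @BatchSize, @DeleteTime = @DeleteTime, @RowsOut = @Rows OUTPUT;

    SET @Total += @Rows;
    RAISERROR (N'Deleted %d rows in this batch, %d total', 0, 1, @Rows, @Total) WITH NOWAIT;

    IF @Rows > 0
        WAITFOR DELAY @Delay;
END
```

Raising @BatchSize shortens the total run but lengthens each transaction and its locks; lowering @DeleteTime toward zero (for example -6) widens the purge to newer events, so review the clause with a COUNT before deleting.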
Example WHERE clauses:
Automating the script with an SQL Agent Job
Optionally, you can automate this script and have it run on a scheduled basis. Create an SQL Agent job on the SQL Server hosting the ePO database:
NOTE: You can change the options and log an event only if the job fails.