Whether a mistakenly defined rule opened a large number of cases at once, or cases simply accumulated over time, deleting them in bulk was practically impossible.
The workaround that circulated on the forums was to delete the cases as resources directly from the database, but that form of deletion removes the resource itself while leaving the links from other resources in place, so it leaves dangling references behind.
We at CyberSIEM developed a tool that deletes the cases the right way, through the ArcSight API, so the deletion is clean and nothing else is damaged.
How to use:
- Import the “CyberSIEM_Delete_Cases Vxxx.arb” package into the ArcSight console.
- Customize the “Cases to Delete” conditions so they match the cases you want to delete, by group, time, or any other criteria. You can preview the result set in the “Cases to Delete” Query Viewer before running the tool.
- Run “ArcSight-DeleteCases.exe” and enter the ESM address, port, username, and password. The tool then starts deleting the cases returned by the Query Viewer.
In any case, DO NOT delete cases directly from the database.
Link to download:
You can find all related ArcSight Resources under Delete Cases Use Case Page:
For questions, the premium version, and more products, please email us at [email protected]