7.3 Managing Alert Purge Utility
The ingestion of certain data can result in the creation of false matches, alerts, and activities. While correction and data re-ingestion are possible, the system does not automatically remove the matches, alerts, and activities that were generated in error.
There may also be alerts that have been retained in the database only because of retention policies imposed by regulatory bodies or by the organization's own internal policies.
The Alert Purge Utility enables you to identify and remove such matches, alerts, and activities selectively, based on a number of parameters (such as the Behavior Detection Job ID, Behavior Detection Scenario ID, Behavior Detection Scenario Class, or a date range with optional alert status codes). Additional parameters let you simulate a purge run, which reports every match, alert, and activity that the input parameters would select without removing anything. You can also restrict the purge to alerts that contain false matches.
The utility consists of a UNIX shell script, Java executables, an XML file, and a configuration file in which you define the process parameters to use in the purge processing. The system directs output to a configurable log file; each subsequent execution of the script appends its information to this log.
Directory Structure
Table 7-3 Alert Purge Utility Directory Structure

| Directory | Description |
|---|---|
| bin/ | Contains executable files, including the run_alert_purge.sh shell script. |
| lib/ | Contains required class files in .jar format. |
| mantas_cfg/ | Contains configuration files, such as install.cfg and categories.cfg, in which you can configure properties and logging attributes. |
| logs/ | Keeps the <OFSAAI Installed Directory>/database/db_tools/logs/purge.log file that the utility generates during execution. |
| data/ | Keeps .sql files for execution. |
| .xml | Contains the Purge Rules Configuration File (PurgeRules.xml), which is used for configuring the Alert Purge rules. |
Logs
As the Alert Purge Utility runs, it writes a log to the <OFSAAI Installed Directory>/database/db_tools/logs/purge.log file; the logging process time-stamps every entry. The log contains the status of the purge processing, informational messages, and error records.
You can modify the current logging configuration for the Alert Purge Utility in the <OFSAAI Installed Directory>/database/db_tools/log4j2.xml file. For more information about logging in these configuration files, refer to Managing Common Resources for Batch Processing Utilities and APPENDIX A - Logging.
Precautions
You use the utility to rid the system of falsely generated matches and alerts. Other than the information recorded in the <OFSAAI Installed Directory>/database/db_tools/logs/purge.log file, the system does not capture audit information for this process; that log is therefore the only record of what a run removed, so retain it in line with your own audit requirements and review a simulated run before purging for real. The utility does not update other alerts' prior counts as a result of purging alerts.
Note:
- The utility also purges any alert or case that was used to trigger Auto Suppression or to establish Trusted Parties. This does not affect the Suppression Rule or the Trusted Pair itself, except that the kdd_auto_suppr_alert.trgr_alert_id, kdd_trusted_pair.trgr_alert_id, or kdd_trusted_pair.trgr_case_id columns are set to a null value.
- Run the Alert Purge Utility one process at a time. Multiple, simultaneous executions of the utility may lead to unexpected results and compromise the relational integrity of match, alert, and action data. Run it only when no users are editing or viewing any of the alerts, actions, or associated information it targets (including matches derived from the specified alerts and actions, alerts derived from the specified actions, and actions derived from the specified alerts). You can, however, run the utility while users edit or view other alerts and related information, and during alert post-processing, subject to time constraints.
- The recommended number of alerts to purge in one batch is 10,000. A batch of that size may take a few hours to complete. As this is not a daily activity, Oracle clients should plan it accordingly.
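The utility itself does not stop two operators from starting it at the same time, and purge.log is the only record a run leaves behind. The following wrapper is an added example, not part of the OFSAA documentation or product: it serialises runs with an atomic mkdir lock so a second invocation fails fast instead of running in parallel, and it brackets each execution with time-stamped START/END markers in a wrapper log next to purge.log so individual runs can be told apart afterwards. It assumes (the page does not state this) that the utility root is <OFSAAI Installed Directory>/database/db_tools, that run_alert_purge.sh sits in its bin/ directory, and that every argument after the install directory is passed through to the utility unchanged.

```shell
#!/bin/sh
# Added example (not OFSAA code): serialised wrapper for run_alert_purge.sh.
# Assumptions: install root is $1; utility root is <install>/database/db_tools;
# lock directory and wrapper log live under its logs/ directory; remaining
# arguments are handed to run_alert_purge.sh unchanged.

# acquire_lock LOCKDIR -> 0 if the lock was taken, 1 if another run holds it.
# mkdir either creates the directory or fails atomically, which is what makes
# this safe against two wrappers starting in the same instant.
acquire_lock() {
    if mkdir "$1" 2>/dev/null; then
        printf '%s\n' "$$" > "$1/pid"
        return 0
    fi
    return 1
}

release_lock() {
    rm -rf "$1"
}

# run_purge_serialised INSTALL_DIR [purge args...]
# Exit status: 2 if another run holds the lock, 3 if run_alert_purge.sh is
# not where the assumed layout puts it, otherwise the utility's own status.
run_purge_serialised() {
    install_dir="$1"; shift
    tools="$install_dir/database/db_tools"
    lockdir="$tools/logs/alert_purge.lock"
    wrapper_log="$tools/logs/purge_wrapper.log"
    script="$tools/bin/run_alert_purge.sh"

    mkdir -p "$tools/logs"
    if ! acquire_lock "$lockdir"; then
        echo "alert purge already running (pid $(cat "$lockdir/pid" 2>/dev/null)); refusing to start" >&2
        return 2
    fi
    # Release the lock even if the run is interrupted.
    trap 'release_lock "$lockdir"' EXIT INT TERM

    if [ ! -x "$script" ]; then
        echo "missing or non-executable: $script" >&2
        release_lock "$lockdir"; trap - EXIT INT TERM
        return 3
    fi

    # Bracket the run so purge.log lines can be attributed to one execution.
    printf '%s START pid=%s args=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$*" >> "$wrapper_log"
    rc=0
    "$script" "$@" || rc=$?
    printf '%s END pid=%s rc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$rc" >> "$wrapper_log"

    release_lock "$lockdir"; trap - EXIT INT TERM
    return "$rc"
}

# Usage: sh purge_wrapper.sh --run /opt/ofsaa <run_alert_purge.sh arguments>
# Sourcing the file without --run only defines the functions.
if [ "${1:-}" = "--run" ]; then
    shift
    run_purge_serialised "$@"
fi
```

Pass the utility's simulation parameters through the wrapper first and keep purge_wrapper.log with purge.log; together they are the closest thing to an audit trail this process produces.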