Splunk SOAR (f.k.a. Phantom)

Can deleted events be restored?

CS_
Path Finder

I read in another thread that events are not really "deleted" as such, but that they are simply marked in a way that removes them from the search - however, that may just relate to Splunk.

So if you have a need to restore a deleted event + its associated containers, actions, logs, etc., is there a way to do that in SOAR/Phantom?


phanTom
SplunkTrust

@CS_ it may be similar, in that the database entry/entries may only be masked from the UI, but you would need to go digging through the Postgres database to find all the relevant entries, if they still exist!

This is why the ability to delete is not allowed on any out-of-the-box account (except admin), as it is not simple to recover from a deletion.

I would recommend a support call to verify this and for them to advise how, if at all, you might be able to retrieve the data.

If you externalise your data to Splunk you might be able to "stitch" the data back together, but it wouldn't be simple.

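The "stitch it back together from the Splunk copy" route mentioned above, as an added example that is not part of this thread and is not Splunk or SOAR code. It assumes, hypothetically, that the container, artifact and action-run records had been forwarded to Splunk as JSON events carrying a `kind` field and the numeric `container_id` that ties children to their container; those field names and the sample events are constructed for the illustration, not the product's export schema. The point it makes is the one in the answer: whatever survives in the external copy can be regrouped, but a container whose own record is missing can only be partially rebuilt, and any re-created container would get a new id.

```python
"""Regroup exported SOAR-style records by container id.

Added illustration, not Splunk's or SOAR's own code. Field names (`kind`,
`id`, `container_id`, `cef`) are assumptions made for this example.
"""
import json
from collections import defaultdict

# Constructed sample of what a search over the exported copies might return,
# one JSON event per line. Container 102 and 103 have children but no
# container record of their own, which is the partial-recovery case.
EXPORTED_EVENTS = """
{"kind": "container", "id": 101, "name": "Suspicious login", "label": "events", "status": "new"}
{"kind": "artifact", "id": 5002, "container_id": 101, "cef": {"destinationUserName": "alice"}}
{"kind": "artifact", "id": 5001, "container_id": 101, "cef": {"sourceAddress": "203.0.113.7"}}
{"kind": "action_run", "id": 9001, "container_id": 101, "action": "geolocate ip", "status": "success"}
{"kind": "artifact", "id": 5003, "container_id": 102, "cef": {"sourceAddress": "198.51.100.9"}}
{"kind": "action_run", "id": 9002, "container_id": 103, "action": "lookup ip", "status": "failed"}
"""


def parse_events(text):
    """Parse newline-delimited JSON. Blank lines are skipped; malformed lines
    are reported by line number rather than silently dropped."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(lineno)
    return events, bad


def stitch_containers(events):
    """Group child records under their container id.

    Returns {container_id: {"container": record or None,
                            "artifacts": [...], "action_runs": [...]}}.
    An id whose container record never arrived still gets an entry with
    "container": None, so orphaned children are visible instead of lost.
    """
    rebuilt = defaultdict(lambda: {"container": None, "artifacts": [], "action_runs": []})
    for ev in events:
        kind = ev.get("kind")
        if kind == "container":
            rebuilt[ev["id"]]["container"] = ev
        elif kind == "artifact":
            rebuilt[ev["container_id"]]["artifacts"].append(ev)
        elif kind == "action_run":
            rebuilt[ev["container_id"]]["action_runs"].append(ev)
        # unknown kinds are ignored on purpose: only what we can place is rebuilt
    for entry in rebuilt.values():  # deterministic order for review and diffing
        entry["artifacts"].sort(key=lambda a: a["id"])
        entry["action_runs"].sort(key=lambda a: a["id"])
    return dict(rebuilt)


def recovery_report(rebuilt):
    """Classify each container id as complete or partial."""
    return {
        cid: ("complete" if entry["container"] is not None
              else "partial: children only, container record missing")
        for cid, entry in rebuilt.items()
    }


def reimport_payload(entry):
    """Shape a rebuilt entry for re-creation as a *new* container.

    The original id cannot be restored this way; only name, label and the
    artifacts' CEF data are carried over. Action runs are history, not
    something to replay, so they are left out. Returns None when the
    container record itself is missing.
    """
    container = entry["container"]
    if container is None:
        return None
    return {
        "name": container["name"],
        "label": container.get("label", "events"),
        "artifacts": [{"cef": a["cef"]} for a in entry["artifacts"]],
    }


def main():
    events, bad = parse_events(EXPORTED_EVENTS)
    if bad:
        print(f"skipped malformed lines: {bad}")
    rebuilt = stitch_containers(events)
    for cid, status in sorted(recovery_report(rebuilt).items()):
        e = rebuilt[cid]
        print(f"container {cid}: {status}; "
              f"{len(e['artifacts'])} artifacts, {len(e['action_runs'])} action runs")


if __name__ == "__main__":
    main()
```

Run it as-is and it prints one line per container id: 101 is complete, 102 and 103 are partial. Replace `EXPORTED_EVENTS` with the output of your own search over the exported index to see what a real restore would have to work with.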

CS_
Path Finder

Hey @phanTom 

Thanks for the response. Luckily there is no loss of important data, they were just test events we were sending from Splunk.

If there is no way to do it through the frontend, I'll mark it as a "cannot be done".

Best,

Chris
