Clear Users Data Using a Playbook

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.11
Creation date: 2022-12-12
Last date published: 2024-04-15
Category: Administrator Guide

Abstract

After removing a user, create a playbook to replace the user with a different user in active incidents and incidents that are cleared.

After you remove a user from Cortex XSOAR, you also need to clear the user's data. You can decide which user replaces the deleted user. You can clear the data by running a command manually in the CLI, or automate the process using a playbook or server configurations.

If running a command in the CLI or in a playbook, you must set the builtin.commands.hidden.clearUsersData server configuration to true, otherwise the command cannot run.

Note

  • When clearing users data, only active incidents and incidents are cleared. Incidents that have been closed are not changed.

  • Any invitation created by a deleted user is removed. If the deleted user is the invitee, the invite remains in the Invites table.

Before you begin, ensure you remove the user, otherwise you may receive an error when running the playbook.

  1. Create a list of users you want to remove.

    1. Select Settings → ADVANCED → Lists → Add a List.

    2. Add a name for the list.

    3. In the Content Type field, select Text.

    4. Add the names of the users.

      If adding multiple names, use a separate line for each name.

    5. Add the permission level.

      For example, with Read Only you may want read-only users to be able to see the list, while with Read and edit you may want both analysts and administrators to be able to edit it.

    6. Save the list.

  2. Add the following server configurations by going to Settings → ABOUT → Troubleshooting → Add Server Configuration.

    | Key | Description |
    |-----|-------------|
    | builtin.commands.hidden.clearUsersData | Set to false to run the clearUsersData command in the CLI and playbook. Default is true. |
    | server.mask.git.commits | Set to true to remove the user's data from the git commit version that the user created (version control). For an example of version control in a playbook, see Version Control. Default is false. |

  3. Create a playbook to remove the user's data.

    1. Select Playbooks → New Playbook.

    2. Add a name for the playbook and click Save.

    3. Create a Task.

    4. In the Automation field, select the clearUsersData (Builtin) automation.

    5. Add the following inputs.

      | Argument | Description |
      |----------|-------------|
      | listName | Name of the list you created in step 1. |
      | username | The name of the replacement user. Default is admin. |
      | listClear | Set to true to delete the list after the data is cleared. Default is false. |

    6. Save the task.

    7. (Optional) Run the debugger to test the playbook.

  4. Create a job to run the playbook.

    1. Select Jobs → New Job.

      By default, the Time-triggered job is already selected.

    2. Select the time you want to run the job.

    3. Add the Time Triggered Job Parameters.

      You need to add the playbook created in step 3.

    4. Save the job.

      The next time the job is scheduled to run, the user's data is deleted.
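
Before scheduling the job and after it has run, a check like the following can validate the list content from step 1 and confirm that no open incident is still assigned to a removed user. This is an added example, not Cortex XSOAR code or part of the original guide; the incident record shape (`id`, `owner`, `closed`), the idea that replacement shows up in an owner field, and all sample names are assumptions constructed for illustration.

```python
# Added example (not Cortex XSOAR code). Assumed record shape: {"id", "owner", "closed"}.

def parse_user_list(text):
    """Parse the step 1 Text list: one username per line; blanks and duplicates dropped."""
    users = []
    for line in text.splitlines():
        name = line.strip()
        if name and name not in users:
            users.append(name)
    return users


def check_replacement(users, replacement="admin"):
    """Reject a replacement user (the `username` argument) that is itself being removed."""
    if replacement in users:
        raise ValueError(f"replacement user {replacement!r} is on the removal list")
    return replacement


def audit_incidents(incidents, users):
    """Return (open_ids, closed_ids) of incidents still owned by a removed user.

    open_ids should be empty once the job has run; closed_ids is expected to be
    non-empty, because closed incidents are not changed.
    """
    removed = set(users)
    open_ids, closed_ids = [], []
    for inc in incidents:
        if inc.get("owner") in removed:
            (closed_ids if inc.get("closed") else open_ids).append(inc["id"])
    return open_ids, closed_ids


# Constructed sample data: list content and an incident export taken after the job ran.
SAMPLE_LIST = "jdoe\n\nasmith\njdoe\n"
SAMPLE_INCIDENTS = [
    {"id": "101", "owner": "admin", "closed": False},   # reassigned by the job
    {"id": "102", "owner": "jdoe", "closed": True},     # closed: left unchanged
    {"id": "103", "owner": "asmith", "closed": False},  # still open: needs follow-up
]

if __name__ == "__main__":
    users = parse_user_list(SAMPLE_LIST)
    check_replacement(users, "admin")
    still_open, untouched_closed = audit_incidents(SAMPLE_INCIDENTS, users)
    print("open incidents still owned by removed users:", still_open)
    print("closed incidents left unchanged:", untouched_closed)
```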