Delete incoming feed content and configuration#
Actions performed here are irriversible.
Use Delete feed content only to remove from the platform any packages, as well as any entities and observables, ingested through the feed.
Use Delete feed content and configuration to completely remove any ingested data through the feed, as well as the feed configuration.
Delete feed content only#
Delete removes all the data downloaded and ingested by a given incoming feed, but retains the feed configuration.
To delete feed content only from an incoming feed:
Delete feed content and configuration#
Delete feed content and configuration removes all the data downloaded and ingested by a given incoming feed, and removes the feed configuration.
This causes cascading effects on data in EclecticIQ Intelligence Center.
To delete content and configuration for an incoming feed:
When an incoming feed configuration and their ingested entities is deleted, EclecticIQ Intelligence Center data sources map is changed.
This can cause effects listed in this section.
When a Delete feed content and configuration is performed on an incoming feed, it also updates entities that are not originally ingested from that incoming feed, but have it as a data source, producing the following results:
The incoming feed is removed from the entity’s data sources.
Last updated at for the entity is updated.
Data sources are stored in the following entity fields:
For indicator entities, the Producer field
For all other entities, the Information source field.
An entity can have more than one data source. If the entity already exists when an incoming feed attempts to ingest an identical entity, it instead updates the existing entity by adding that incoming feed as a data source.
Database and search reindex#
Because a Delete or Delete feed content and configuration can remove certain entities and update others, it triggers a reindex on the database and search indices.
Trigger rule runs#
Rules are re-run on entities that have been updated by Delete feed content and configuration.
Removed from rules and data policies#
Incoming feeds can be set as Sources in the following:
Enrichment rules: Filters > Source
Data policies: Scope > Sources
When Delete feed content and configuration is performed on an incoming feed, it is also removed from the Source/s field in all rules and data policies.
The rule or data policy itself is also removed when:
the rule or data policy has only one Criteria or Filter, and
the Source specified is an incoming feed,
When Delete feed content and configuration is performed on an incoming feed, it is removed from all Group permissions that have it set as one of its Allowed sources.
Outgoing feed source metadata#
You can set incoming feeds as additional data sources in an outgoing feed in its Include source metadata field.
When an incoming feed configuration is removed, it is also removed from outgoing feeds that include it in their Include source metadata field.
This does not affect data already packed by the outgoing feed. Only new data packed by subsequently running the outgoing feed will reflect this (depending on the update strategy selected).
Monitor the progress of a delete job:
In the System jobs view, locate the eiq.utilities.delete_incoming_feed job whose progress you want to inspect.
Select to inspect it.
A delete job can have the following states:
A user aborted the process before it could complete.
The notification message includes the user name of the user who revoked the process.
An unexpected error caused the process to abort and fail before it could complete.
The notification message includes basic information about the step that failed. Inspect relevant logs to begin troubleshooting.
Delete using command line#
You can delete an incoming feed
eiq-platform CLI tool.
See eiq-platform command line.