Preventing Orphaned Events

What is a one sentence summary of your feature request?

Prevent or discover and address Orphaned Events

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

On rare occasions, the events collected by Threat Prevention may lose their references to policies, event types or other keys/tables. This creates orphaned events.

Orphaned events are usually caused by a misconfiguration of database maintenance and can lead to further unexpected behavior, such as the database maintenance window displaying an ‘oldest event’ value older/less than the oldest configured retention policy.

Database maintenance should be enhanced to prevent misconfiguration of record retention.

How do you currently solve the challenges you have by not having this feature?

Currently, orphaned events are typically discovered by Netwrix Technical Support and require investigation and unique remediation from Engineering in order to remove these records.

Hi Brandon,

After discussing with the development team, we believe this is an interesting one where it shouldn’t happen under normal operation, and really only happens when database maintenance is interrupted.

The cost to scan the entire database for orphaned events is pretty high and could impact performance in a negative way. I’m not sure how often you experience this with the support team and customers, but quantifying that could help.

For now, we’re thinking this is not something we want to bake into the product and would encourage you to continue to reach out to development for support to handle these scenarios, as they are more than happy to assist when it does come up.