This procedure is optional and is for advanced users. When exporting incident rules from the Respond Incident Rules view, the exported incident rules file is a ZIP file in the format <random ID>-incident_rules_export.json.zip, which contains two mandatory JSON files:
- aggregation_rule_schema.json contains the incident rule schema.
- <random ID>-incident_rules_export.json contains the incident rules.
You can import this ZIP file on another NetWitness Server on the same release version.
There may be situations when you need to edit the these files before you import them to another NetWitness Server.
To edit the incident rules export files:
- Follow the Incident Rule Export Files Editing Guidelines below to edit the export files.
- Before importing, verify that the ZIP file does not contain additional files or folders. The ZIP file should contain only the mandatory aggregation_rule_schema.json and <random ID>-incident_rules_export.json files to go through the import. Any files other than these two cause the import to fail.
For example, when compressing files on a Mac, it adds a temp folder __MACOSX that needs to be excluded while zipping the file.
Incident Rule Export Files Editing Guidelines
Ensure that the following fields have at least one value. Removing a value or having an empty value for the following fields results in abnormal behavior.