
Respond Config: Edit the Incident Rules Export ZIP File

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Information Design and Development Employee on Sep 2, 2020.
Version 3

This procedure is optional and is for advanced users. When exporting incident rules from the Respond Incident Rules view, the exported incident rules file is a ZIP file in the format <random ID>-incident_rules_export.json.zip, which contains two mandatory JSON files:

  • aggregation_rule_schema.json contains the incident rule schema.
  • <random ID>-incident_rules_export.json contains the incident rules.

You can import this ZIP file on another NetWitness Server on the same release version.

There may be situations in which you need to edit these files before you import them to another NetWitness Server.

To edit the incident rules export files:

  1. Follow the Incident Rule Export Files Editing Guidelines below to edit the export files.
  2. Before importing, verify that the ZIP file does not contain additional files or folders. For the import to succeed, the ZIP file must contain only the mandatory aggregation_rule_schema.json and <random ID>-incident_rules_export.json files. Any file other than these two causes the import to fail.
    For example, compressing files on a Mac adds a temporary __MACOSX folder, which must be excluded when zipping the file.

Note: You cannot export Advanced rules.

Incident Rule Export Files Editing Guidelines

Ensure that the following fields have at least one value. Removing a value or having an empty value for the following fields results in abnormal behavior.

Field: name
Possible Values: A-Z, a-z, 0-9, and the characters " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"

Field: groupByFields
Possible Values: A minimum of 1 or a maximum of 2 group_by keys should be present in aggregation_rule_schema.json.

Field: timeWindow
Possible Values: A string value in one of the following accepted formats:
  • Days: min 1d, max 24d
  • Hours: min 1h, max 100h
  • Minutes: min 1m, max 100m

Field: action
Possible Values: Should be one of the following values:
  • GROUP_INTO_INCIDENT
  • SUPPRESS_ALERT

Field: incidentScoringOptions
Possible Values: Should be one of the following string values:
  • average: Average of Risk Score across all of the Alerts
  • high: Highest Risk Score available across all of the Alerts
  • count: Number of Alerts in the time window

Field: priorityScale
Possible Values: Condition: LOW < MEDIUM < HIGH < CRITICAL
  Sub Fields and Possible Values:
  • LOW: 1-100
  • MEDIUM: 1-100
  • HIGH: 1-100
  • CRITICAL: 1-100

Field: uiFilterConditions
Possible Values: Sample UI Conditions Filter Structure
  Sub Fields and Possible Values:
  • filterType: FILTER or FILTER_GROUP
  Possible values for FILTER are listed below:
  • property: value fetched from aggregation_rule_schema.json
  • operator: operators
  • value
  • type: dictates the data type. Available options:
      textfield: String
      combobox: from a list of options available in the JSON
      datefield: Unix time stamp, for example: 2019-06-12T12:00:00Z
      numberfield: Integer

Field: incidentCreationOptions
Possible Values:
  • ruleSummary: String
  • categories: JSON array
  • assignee: JSON