000034450 - How to manually disable Incident Management Aggregation Rules in Security Analytics

Document created by RSA Customer Support Employee on Nov 29, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000034450
Applies To:
RSA Product Set: NetWitness Logs and Packets, Security Analytics
RSA Product/Service Type: Incident Management
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6

Issue: How to manually disable an Aggregation Rule in SA Incident Management (IM) when this cannot be done through the SA UI.
Resolution
1. Check where the IM database is hosted.
In Administration \ Services, select the Incident Management service and select View \ Explore.
Expand the left-hand pane to show Service \ Configuration \ database and examine the Host value, which should correspond to an ESA appliance/VM.
2. SSH to the ESA host and attempt to log into the IM database:
# mongo im -u im -p <password>

Example:
# mongo im -u im -p im

Note: The command assumes that the im service password is the default.
3. Display the Aggregation Rules:
> db.aggregation_rule.find()

4. Disable the rule in the mongo DB.
Assuming you want to disable this aggregation rule:
{ "_id" : ObjectId("5771d59df280f56c75348d27"), "_class" : "com.rsa.smc.im.domain.bean.AlertRule", "order" : 1, "enabled" : true, "deleted" : false, "name" : "Suspected Command & Control Communication By Domain", "description" : "This incident rule captures suspected communication with a Command & Control server and groups results by domain.", "ruleId" : "OOTB#1", "uiFilterConditions" : "{\"alertRuleFilterGroup\":{\"filterType\":\"FILTER_GROUP\",\"logicalOperator\":\"and\",\"filters\":[{\"alertRuleFilter\":{\"filterType\":\"FILTER\",\"property\":\"alert.source\",\"operator\":\"=\",\"value\":\"Event Stream Analysis\"}},{\"alertRuleFilter\":{\"filterType\":\"FILTER\",\"property\":\"alert.signature_id\",\"operator\":\"=\",\"value\":\"Suspected C&C\"}}]}}", "matchConditions" : "{\"$and\":[{\"alert.source\":\"Event Stream Analysis\"},{\"alert.signature_id\":\"Suspected C&C\"}]}", "advancedUiFilterConditions" : false, "groupByFields" : [  "alert.groupby_domain" ], "timeWindow" : "7d", "action" : "GROUP_INTO_INCIDENT", "incidentCreationOptions" : { "ruleTitle" : "Suspected C&C with ${groupByValue1}", "ruleSummary" : "Security Analytics detected communications with ${groupByValue1} that may be command and control malware.\n\n1. Evaluate if the domain is legitimate (online radio, news feed, partner, automated testing, etc.).\n2. Review the domain registration for suspect information (Registrant country, registrar, no registration data found, etc).\n3. If the domain is suspect, go to the Investigation module to locate other activity to or from it.", "assignee" : null, "categories" : [ ] }, "incidentScoringOptions" : { "type" : "high" }, "priorityScale" : { "HIGH" : "50", "MEDIUM" : "20", "LOW" : "1", "CRITICAL" : "90" }, "notificationOptions" : {  }, "alertsMatchedCount" : 0, "incidentsCreatedCount" : 0 }

Substitute the correct ObjectId (the _id value from the find() output) in the command below:
> db.aggregation_rule.update( { "_id" : ObjectId("5771d59df280f56c75348d27") }, { $set: { "enabled" : false } } )

5. Exit the mongo shell:
> exit
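As an added example, not part of the RSA article, the same change as steps 3 to 5 written as a mongo shell script that selects the rule by its ruleId field (for instance "OOTB#1" from the sample document above) rather than a hand-copied ObjectId, refuses to touch soft-deleted copies, and re-reads the document to confirm that only "enabled" changed. The RULE_ID variable and the use of db.getCollection() are my own conventions; the field names come from the article's sample rule.

```javascript
// Added example (not from the RSA article): disable one IM aggregation rule by
// ruleId and verify the result. Run on the ESA host as:
//   mongo im -u im -p <password> --eval 'var RULE_ID="OOTB#1"' disable_rule.js
// The script only ever sets "enabled": false; it never deletes a rule.

var RULES_COLLECTION = 'aggregation_rule';

// Match the rule by its stable ruleId and ignore soft-deleted copies
// (the sample document carries both "ruleId" and "deleted" fields).
function ruleQuery(ruleId) {
  return { ruleId: ruleId, deleted: false };
}

// Returns {found, wasEnabled, enabled} describing what happened.
// `database` is the mongo shell's `db` (or any object exposing getCollection()).
function disableRule(database, ruleId) {
  var coll = database.getCollection(RULES_COLLECTION);
  var before = coll.findOne(ruleQuery(ruleId));
  if (before === null || before === undefined) {
    return { found: false, wasEnabled: null, enabled: null };
  }
  if (before.enabled === false) {
    // Already disabled: report as-is and issue no write.
    return { found: true, wasEnabled: false, enabled: false };
  }
  // Same update the article runs by ObjectId, scoped to this one _id.
  coll.update({ _id: before._id }, { $set: { enabled: false } });
  var after = coll.findOne({ _id: before._id });
  return { found: true, wasEnabled: true, enabled: after.enabled };
}

// When loaded by the mongo shell, `db` exists; outside the shell (e.g. Node)
// the functions are only defined so they can be exercised separately.
if (typeof db !== 'undefined') {
  var targetRuleId = typeof RULE_ID !== 'undefined' ? RULE_ID : 'OOTB#1';
  printjson(disableRule(db, targetRuleId));
}
```

Check the result with db.aggregation_rule.find() afterwards, as in step 3; a rule that was not found or was already disabled produces no write at all.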
