000035498 - Are RSA Security Analytics Incident Management aggregation rules removed and does the aggregation rule work?

Document created by RSA Customer Support Employee on Oct 10, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035498
Applies ToRSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Incident Management
RSA Version/Condition:
IssueInconsistent behavior is seen when Incident Management aggregation rules are removed from the user interface. In some cases you will not see incidents created from aggregation rules. 
CauseIt has been identified that although aggregation rules have been removed through the user interface they may still exist in the mongo im database.  The inconsistency of aggregation rules not getting removed in mongo im has resulted in incidents not getting created. 
ResolutionAn engineering defect has been opened and is being worked to address this in a future release.

You can export the aggregation rules in mongo im and compare the rules listed on the Incident Management(IM) user interface (On SA server Incidents > Configure > Aggregation Rules tab); then, remove the existing rules that do not exist or that need to be recreated from mongo im.
SSH in to the Event Stream Analysis(ESA) device.
To export the aggregation_rules from mongo im:

mongoexport -d im -u im -p im -c aggregation_rule -o /tmp/mongo_export_incident.json

The command dumps the aggregation rule content in json format into the file /tmp/mongo_export_incident.json.
To remove the aggregation_rules from mongo im:

mongo im -u im -p im

Where NAME_OF_RULE is the aggregation rule being removed.

To count the number of aggregation rules that exist in mongo im:

mongo im -u im -p im

When you have removed all the extra aggregation rules that do not exist on the IM user interface; recreate the aggregation rule and export the /tmp/mongo/export_incident.json and compare.