Applies To:
RSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Incident Management
RSA Version/Condition: 10.6.2.0
Issue:
Inconsistent behavior is seen when Incident Management aggregation rules are removed from the user interface. In some cases you will not see incidents created from aggregation rules.
Cause:
It has been identified that, although aggregation rules have been removed through the user interface, they may still exist in the mongo im database. Because these aggregation rules are inconsistently left behind in mongo im, incidents are not created.
Resolution:
An engineering defect has been opened and is being worked on to address this in a future release.
You can export the aggregation rules from mongo im and compare them with the rules listed on the Incident Management (IM) user interface (on the SA server: Incidents > Configure > Aggregation Rules tab); then remove from mongo im the rules that do not exist in the user interface or that need to be recreated.
The command dumps the aggregation rule content in json format into the file /tmp/mongo_export_incident.json.
Where NAME_OF_RULE is the aggregation rule being removed.
To count the number of aggregation rules that exist in mongo im:
When you have removed all the extra aggregation rules that do not exist on the IM user interface, recreate the aggregation rule, export to /tmp/mongo_export_incident.json again and compare.
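The comparison step above, as an added Python example that is not part of the RSA article: it parses a mongoexport-style dump such as /tmp/mongo_export_incident.json (one JSON document per line), compares the rule names against the names shown on the IM user interface, and lists the rules that remain only in mongo im plus the document count for the counting step. The `name` field and the sample documents are assumptions; check the real export for the actual keys.

```python
import json
import sys

# Constructed sample of a mongoexport-style dump (one JSON document per line).
# The "name" field and these documents are assumptions for illustration; inspect
# the real /tmp/mongo_export_incident.json for the actual keys.
SAMPLE_EXPORT = """\
{"_id": {"$oid": "000000000000000000000001"}, "name": "Malware Beaconing", "enabled": true}
{"_id": {"$oid": "000000000000000000000002"}, "name": "Old Rule Deleted In UI", "enabled": true}
{"_id": {"$oid": "000000000000000000000003"}, "name": "Suspicious Login", "enabled": false}
"""
NAME_FIELD = "name"  # assumed key holding the aggregation rule name

def load_export(text):
    """Parse a mongoexport dump: one JSON document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def stale_rules(docs, ui_rule_names):
    """Rule names present in mongo im but absent from the IM user interface.

    Duplicates are kept in export order so every leftover document is listed.
    """
    ui_names = set(ui_rule_names)
    return [d[NAME_FIELD] for d in docs
            if NAME_FIELD in d and d[NAME_FIELD] not in ui_names]

def compare(export_text, ui_rule_names):
    """Summarise the export against the UI list in both directions."""
    docs = load_export(export_text)
    mongo_names = {d.get(NAME_FIELD) for d in docs}
    return {
        "mongo_count": len(docs),                  # what the count step should show
        "ui_count": len(set(ui_rule_names)),
        "only_in_mongo": stale_rules(docs, ui_rule_names),  # remove / recreate these
        "only_in_ui": sorted(set(ui_rule_names) - mongo_names),
    }

if __name__ == "__main__":
    # Usage: python compare_rules.py /tmp/mongo_export_incident.json "Rule A" "Rule B" ...
    # Without arguments the constructed sample above is compared against two UI names.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            export_text, ui_names = fh.read(), sys.argv[2:]
    else:
        export_text, ui_names = SAMPLE_EXPORT, ["Malware Beaconing", "Suspicious Login"]
    print(json.dumps(compare(export_text, ui_names), indent=2))
```

Run it once after the cleanup and again after the re-export; `only_in_mongo` should be empty and `mongo_count` should match the number of rules shown in the UI.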