NetWitness 11.1: ESA Rule Export via Console or ESA Tool usage
I found a knowledge base article that describes how to export all ESA Rules as .csv from the mongo db. This only seems to work with versions 10.5.x and 10.6.x. I also found another article that describes the usage of the esa tool, but this is also only for version 10.x. Is the esa tool also available for version 11 or is there another way to export all esa rules as .csv via the command line? I guess an ESA Tool version for version 11 would be the best way for my problem, because my problem is already described in the esa tool guide under topic "5 - After reimaging SA SERVER NO RULES in the UI".
That KB article has not been updated to reflect the authentication necessary for version 11.x.
Also the ESATool utility is only for 10.x and has not been kept up to date for version 11.x. There is no ETA on when/if that will happen.
As for exporting your rules from the 11.x mongo DB please use a command similar to the following. Run the command from an SSH session on your SA Server appliance. You will need to substitute your deploy_admin password in the example below (the command should be all on one line).
# mongoexport -u deploy_admin -p <xxxxxxxxxxx> --authenticationDatabase admin --type=csv -d sa -c rule -o rules.csv -f _id,class,statements,conditions,outputActions,enrichments,type,severityId,templateId,name,description,enabled,createdBy,dateCreated,modifiedBy,dateModified
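An added example, not part of the original thread: a Python check to run over the exported rules.csv before relying on it as a backup. It confirms that the header matches the `-f` field list from the command above and reports truncated rows and duplicate rule names. The sample rows are constructed, and the multi-line rule text and the "true"/"false" form of the `enabled` column are assumptions.

```python
import csv
import io

# Field list copied from the -f option of the mongoexport command in the thread.
EXPECTED_FIELDS = (
    "_id,class,statements,conditions,outputActions,enrichments,type,severityId,"
    "templateId,name,description,enabled,createdBy,dateCreated,modifiedBy,dateModified"
).split(",")


def check_export(stream):
    """Summarise a rules.csv export; raise ValueError if the header is not the expected one."""
    reader = csv.DictReader(stream)
    if reader.fieldnames != EXPECTED_FIELDS:
        raise ValueError("unexpected header: %r" % (reader.fieldnames,))
    summary = {"total": 0, "enabled": 0, "malformed": [], "duplicates": []}
    seen = set()
    for row in reader:
        summary["total"] += 1
        # DictReader stores surplus cells under the key None and fills missing ones with None.
        if None in row or None in row.values():
            summary["malformed"].append(reader.line_num)
            continue
        if row["name"] in seen:
            summary["duplicates"].append(row["name"])
        seen.add(row["name"])
        # Assumption: the boolean is exported as the text "true" or "false".
        if row["enabled"].strip().lower() == "true":
            summary["enabled"] += 1
    return summary


def constructed_sample():
    """Build a small constructed export; the rule contents are invented for the example."""
    epl = "SELECT * FROM Event(\n  user_dst IS NOT NULL,\n  ec_outcome = 'Failure'\n);"
    rows = [
        ["id1", "Rule", epl, "", "[]", "[]", "ADVANCED", "1", "", "Failed logins", "demo",
         "true", "admin", "2018-01-01", "admin", "2018-01-02"],
        ["id2", "Rule", epl, "", "[]", "[]", "ADVANCED", "2", "", "Failed logins", "copy",
         "false", "admin", "2018-01-01", "admin", "2018-01-02"],
        ["id3", "Rule", "truncated row"],
    ]
    buf = io.StringIO(newline="")
    writer = csv.writer(buf)
    writer.writerow(EXPECTED_FIELDS)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # For a real export: open("rules.csv", newline="", encoding="utf-8")
    print(check_export(io.StringIO(constructed_sample(), newline="")))
```

The file is read with the `csv` module rather than split line by line because a rule's statement text can contain commas and line breaks inside one quoted cell.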