NetWitness Community

socuser · ‎2021-03-30

Dear all,

I tried some modification in Mongodb's Incident Collections

for example

db.incident.update({'_id' : 'INC-1234'}, {$set: { "status" : "Closed"}});

updation successful !! value updated in Incident Collection checked via mongo shell.

But in RSA Netwitness in Respond Tab the value of incident is not updated , it throwing error for the modified Incident INC-1234

"Unable to load Incident Details"

Even I also restarted mongod, respond server, jetty services.

Whey this is happening i was able to modified mongodb incident collections why it is not reflecting on RSA Netwitness Respond tab,

any idea?

JoshRandall · ‎2021-03-30

Your $set command is correct for mongodb syntax, but its not correct for NetWitness to read the updated value properly.

You should just need to change "Closed" to "CLOSED" in order for Respond to validate the value properly.

That said....is there a reason you're updating incident status directly in Mongo? If you need to manage or change these programmatically, you can use the Respond API to update incident status.

Mr. Mongo

socuser · ‎2021-04-06

Dear Mongo,

Even I tried changing the Status from New to Assigned with valid Status value , Mongodb updated successful but RSA Netwitness Respondtab is not working properly for that changed incidents,

PFA of Valid Incident status values and incident fetching error in Netwitness respond tab

Still am wonder what went wrong?

JoshRandall · ‎2021-04-07

Those status options are only valid when updating an incident via the Respond API, not if updating an incident record directly in mongo. I recommend you avoid modifying mongo directly, and only use the API with those valid status options.

We have a number of API How-To videos on YouTube that I think you'll find helpful (https://www.youtube.com/playlist?list=PL69kuTXA1Iatq3MKjY3Ydw2J7GdMF8wKD), especially these two:

Mr. Mongo

NetWitness Community

Mongodb update field value