2020-12-15 01:37 AM
Hello,
Is there any way to pull the total alert count per alert in ESA from MongoDB (backend)? (ver. 11.3)
Please share any ideas.
Regards
Kranthi
2020-12-15 09:23 AM
Hello,
You can use the following command to query the MongoDB to return the number of alerts per rule. You will need to substitute your "deploy_admin" password (-p netwitness) in the command. This command should be run from an SSH session to your ESA server.
[root]# echo 'db.alert.aggregate([{$group: { _id: "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }])' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin
Sample Output:
MongoDB shell version v4.0.13
connecting to: mongodb://127.0.0.1:27017/respond-server?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("1be7d8f6-073d-42e5-832f-78bafe2a012a") }
MongoDB server version: 4.0.13
{ "_id" : "Loud Script", "count" : 747449 }
{ "_id" : "Wildcard Test", "count" : 522913 }
{ "_id" : "Testing LIST Logic", "count" : 19061 }
{ "_id" : "File Path Not Part Of RPM In Important System Directory", "count" : 4228 }
{ "_id" : "When a Device Stops Sending Logs categorized by Hostname", "count" : 459 }
{ "_id" : "Failed Logins Outside Business Hours", "count" : 167 }
{ "_id" : "Services Runs Command Shell", "count" : 13 }
{ "_id" : "high_number_of_successful_authentications", "count" : 3 }
{ "_id" : "user_account_enabled", "count" : 3 }
{ "_id" : "user_password_reset", "count" : 3 }
{ "_id" : "Case 01537217 - Account Created and Deleted Within One Hour", "count" : 3 }
{ "_id" : "OS Process Runs Command Shell", "count" : 2 }
{ "_id" : "Test Incident 2", "count" : 1 }
{ "_id" : "Test Incident", "count" : 1 }
{ "_id" : "high_number_of_failed_authentications", "count" : 1 }
bye
2020-12-15 10:20 PM
Hello Thomas,
Thank you so much for your time for responding to my query.
Is there any way to put a from/to date condition in the above command?
Please suggest.
2020-12-16 08:51 AM
This command will do what you are looking for... again, please substitute your deploy_admin password for the "-p netwitness" option.
[root]# echo 'db.alert.aggregate([{$match: {receivedTime : {$gte : ISODate("2020-01-26T18:22:55.587Z"), $lt : ISODate("2020-04-30T19:28:06.705Z") }}},{$group: {_id : "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }])' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin
2020-12-17 12:04 AM
Thank you for your help,
There are many alerts triggered in the time period which I mentioned, but it is giving only a few alerts, not all the alerts.
Here is the sample:
{ "_id" : "A New Process Created", "count" : 354 }
{ "_id" : "Alerts on Windows Firewall Services status change", "count" : 225 }
Type "it" for more
bye
[root@XXXXX~]#
Could you please help me?
2020-12-17 08:41 AM
By adding the ".toArray()" function to the command, the output will not ask for iteration ("Type "it" for more").
[root]# echo 'db.alert.aggregate([{$match: {receivedTime : {$gte : ISODate("2020-01-26T18:22:55.587Z"), $lt : ISODate("2020-04-30T19:28:06.705Z") }}},{$group: {_id : "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }]).toArray()' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin
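As an added example that is not from this thread or from RSA's own code, the following JavaScript (the language of the mongo shell) builds the final pipeline above and evaluates the same three stages in memory over constructed sample alerts, so the window bounds ($gte inclusive, $lt exclusive) can be checked before running it against respond-server. The sample alert documents and rule names are constructed; only the fields alert.name and receivedTime are assumed, as used in the thread.

```javascript
// Added example, not part of the thread. Builds the aggregation pipeline the
// final command uses and evaluates it in memory over constructed sample data.

// Same pipeline as the mongo shell command: $match on the date window,
// $group by the rule name, $sort by count descending.
function buildPipeline(from, to) {
  return [
    { $match: { receivedTime: { $gte: from, $lt: to } } },
    { $group: { _id: "$alert.name", count: { $sum: 1 } } },
    { $sort: { count: -1 } },
  ];
}

// In-memory evaluation of those three stages (mimics what mongod does for
// this specific pipeline; it is not a general aggregation engine).
function countAlertsPerRule(alerts, from, to) {
  const counts = new Map();
  for (const a of alerts) {
    const t = a.receivedTime;
    if (!(t instanceof Date) || !(t >= from && t < to)) continue; // $match
    const name = a.alert && a.alert.name;              // $group _id: "$alert.name"
    counts.set(name, (counts.get(name) || 0) + 1);     // count: { $sum: 1 }
  }
  return [...counts.entries()]
    .map(([_id, count]) => ({ _id, count }))
    .sort((x, y) => y.count - x.count);                // $sort { count: -1 }
}

// The window used in the thread's command.
const WINDOW_FROM = new Date("2020-01-26T18:22:55.587Z");
const WINDOW_TO = new Date("2020-04-30T19:28:06.705Z");

// Constructed sample alerts (not real ESA data); two sit exactly on the bounds.
const SAMPLE_ALERTS = [
  { alert: { name: "Failed Logins Outside Business Hours" }, receivedTime: new Date("2020-02-01T00:00:00Z") },
  { alert: { name: "Failed Logins Outside Business Hours" }, receivedTime: new Date("2020-03-15T12:00:00Z") },
  { alert: { name: "Services Runs Command Shell" }, receivedTime: new Date("2020-01-26T18:22:55.587Z") }, // == $gte: kept
  { alert: { name: "Services Runs Command Shell" }, receivedTime: new Date("2020-04-30T19:28:06.705Z") }, // == $lt: dropped
  { alert: { name: "user_password_reset" }, receivedTime: new Date("2019-12-31T23:59:59Z") },           // before window
  { alert: { name: "Failed Logins Outside Business Hours" }, receivedTime: new Date("2020-04-01T08:00:00Z") },
];

console.log(JSON.stringify(buildPipeline(WINDOW_FROM, WINDOW_TO)));
console.log(countAlertsPerRule(SAMPLE_ALERTS, WINDOW_FROM, WINDOW_TO));
```

The "Type "it" for more" prompt in the earlier output comes from the mongo shell printing cursor results 20 documents at a time (DBQuery.shellBatchSize), which is why .toArray() returns the whole result in one go.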
2020-12-18 02:47 AM
Thank you so much for your help. It is working great.