NetWitness Community

KranthiKanapala · ‎2020-12-15

Hello,

Is there any way to pull the total alert count by the alert wise in ESA from mondoD (Backend). (ver.11.3)

Please share any ideas.

Regards

Kranthi

Regards
Kunal Galani

ThomasFedorchuk · ‎2020-12-15

Hello,

You can use the following command to query the MongoDB to return the number of alerts per rule. You will need to substitute your "deploy_admin" password (-p netwitness) in the command. This command should be run from a SSH session to your ESA server.

[root]# echo 'db.alert.aggregate([{$group: { _id: "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }])' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin

Sample Output:

MongoDB shell version v4.0.13
connecting to: mongodb://127.0.0.1:27017/respond-server?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("1be7d8f6-073d-42e5-832f-78bafe2a012a") }
MongoDB server version: 4.0.13
{ "_id" : "Loud Script", "count" : 747449 }
{ "_id" : "Wildcard Test", "count" : 522913 }
{ "_id" : "Testing LIST Logic", "count" : 19061 }
{ "_id" : "File Path Not Part Of RPM In Important System Directory", "count" : 4228 }
{ "_id" : "When a Device Stops Sending Logs categorized by Hostname", "count" : 459 }
{ "_id" : "Failed Logins Outside Business Hours", "count" : 167 }
{ "_id" : "Services Runs Command Shell", "count" : 13 }
{ "_id" : "high_number_of_successful_authentications", "count" : 3 }
{ "_id" : "user_account_enabled", "count" : 3 }
{ "_id" : "user_password_reset", "count" : 3 }
{ "_id" : "Case 01537217 - Account Created and Deleted Within One Hour", "count" : 3 }
{ "_id" : "OS Process Runs Command Shell", "count" : 2 }
{ "_id" : "Test Incident 2", "count" : 1 }
{ "_id" : "Test Incident", "count" : 1 }
{ "_id" : "high_number_of_failed_authentications", "count" : 1 }
bye

View solution in original post

ThomasFedorchuk · ‎2020-12-15

Hello,

You can use the following command to query the MongoDB to return the number of alerts per rule. You will need to substitute your "deploy_admin" password (-p netwitness) in the command. This command should be run from a SSH session to your ESA server.

[root]# echo 'db.alert.aggregate([{$group: { _id: "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }])' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin

Sample Output:

MongoDB shell version v4.0.13
connecting to: mongodb://127.0.0.1:27017/respond-server?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("1be7d8f6-073d-42e5-832f-78bafe2a012a") }
MongoDB server version: 4.0.13
{ "_id" : "Loud Script", "count" : 747449 }
{ "_id" : "Wildcard Test", "count" : 522913 }
{ "_id" : "Testing LIST Logic", "count" : 19061 }
{ "_id" : "File Path Not Part Of RPM In Important System Directory", "count" : 4228 }
{ "_id" : "When a Device Stops Sending Logs categorized by Hostname", "count" : 459 }
{ "_id" : "Failed Logins Outside Business Hours", "count" : 167 }
{ "_id" : "Services Runs Command Shell", "count" : 13 }
{ "_id" : "high_number_of_successful_authentications", "count" : 3 }
{ "_id" : "user_account_enabled", "count" : 3 }
{ "_id" : "user_password_reset", "count" : 3 }
{ "_id" : "Case 01537217 - Account Created and Deleted Within One Hour", "count" : 3 }
{ "_id" : "OS Process Runs Command Shell", "count" : 2 }
{ "_id" : "Test Incident 2", "count" : 1 }
{ "_id" : "Test Incident", "count" : 1 }
{ "_id" : "high_number_of_failed_authentications", "count" : 1 }
bye

KranthiKanapala · ‎2020-12-15

Hello Thomas,

Thank you so much for your time for responding to my query.

Is there any way to put from/to date condition in the above condition.

Please suggest me.

Regards
Kunal Galani

ThomasFedorchuk · ‎2020-12-16

This command will do what you are looking for... again please substitute your deploy_admin password for the "-p netwitness" option

[root]# echo 'db.alert.aggregate([{$match: {receivedTime : {$gte : ISODate("2020-01-26T18:22:55.587Z"), $lt : ISODate("2020-04-30T19:28:06.705Z") }}},{$group: {_id : "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }])' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin

KranthiKanapala · ‎2020-12-17

Thank you for your help,

There are many number of alerts triggered in the time period which I was mentioned. but It is giving only for few alerts not all the alerts.

here is the sample

{ "_id" : "A New Process Created", "count" : 354 }
{ "_id" : "Alerts on Windows Firewall Services status change", "count" : 225 }
Type "it" for more
bye
[root@XXXXX~]#

Could you please help me.

Regards
Kunal Galani

ThomasFedorchuk · ‎2020-12-17

By adding the ".toArray()" function to the command the output results will not ask for iteration "Type "it" for more".

[root]# echo 'db.alert.aggregate([{$match: {receivedTime : {$gte : ISODate("2020-01-26T18:22:55.587Z"), $lt : ISODate("2020-04-30T19:28:06.705Z") }}},{$group: {_id : "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }]).toArray()' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin

KranthiKanapala · ‎2020-12-18

Thank you so much for your help, It is working great.

Regards
Kunal Galani

NetWitness Community

Alert wise total count from MongoDB