Alert wise total count from MongoDB

KranthiKanapala (New Contributor), 2020-12-15 01:37 AM

Hello,

Is there any way to pull the total alert count, alert-wise, in ESA from MongoDB (backend)? (ver. 11.3)

Please share any ideas.

Regards
Kranthi

Regards
Kunal Galani
ACCEPTED SOLUTION

ThomasFedorchuk (Occasional Contributor), 2020-12-15 09:23 AM

Hello,

You can use the following command to query the MongoDB to return the number of alerts per rule. You will need to substitute your "deploy_admin" password (-p netwitness) in the command. This command should be run from an SSH session to your ESA server.

[root]# echo 'db.alert.aggregate([{$group: { _id: "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }])' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin

Sample Output:

MongoDB shell version v4.0.13
connecting to: mongodb://127.0.0.1:27017/respond-server?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("1be7d8f6-073d-42e5-832f-78bafe2a012a") }
MongoDB server version: 4.0.13
{ "_id" : "Loud Script", "count" : 747449 }
{ "_id" : "Wildcard Test", "count" : 522913 }
{ "_id" : "Testing LIST Logic", "count" : 19061 }
{ "_id" : "File Path Not Part Of RPM In Important System Directory", "count" : 4228 }
{ "_id" : "When a Device Stops Sending Logs categorized by Hostname", "count" : 459 }
{ "_id" : "Failed Logins Outside Business Hours", "count" : 167 }
{ "_id" : "Services Runs Command Shell", "count" : 13 }
{ "_id" : "high_number_of_successful_authentications", "count" : 3 }
{ "_id" : "user_account_enabled", "count" : 3 }
{ "_id" : "user_password_reset", "count" : 3 }
{ "_id" : "Case 01537217 - Account Created and Deleted Within One Hour", "count" : 3 }
{ "_id" : "OS Process Runs Command Shell", "count" : 2 }
{ "_id" : "Test Incident 2", "count" : 1 }
{ "_id" : "Test Incident", "count" : 1 }
{ "_id" : "high_number_of_failed_authentications", "count" : 1 }
bye


KranthiKanapala (New Contributor), 2020-12-15 10:20 PM

Hello Thomas,

Thank you so much for your time in responding to my query.

Is there any way to put a from/to date condition in the above command?

Please suggest.

Regards
Kunal Galani

ThomasFedorchuk (Occasional Contributor), in response to KranthiKanapala, 2020-12-16 08:51 AM

This command will do what you are looking for... again, please substitute your deploy_admin password for the "-p netwitness" option.

[root]# echo 'db.alert.aggregate([{$match: {receivedTime : {$gte : ISODate("2020-01-26T18:22:55.587Z"), $lt : ISODate("2020-04-30T19:28:06.705Z") }}},{$group: {_id : "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }])' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin

KranthiKanapala (New Contributor), in response to ThomasFedorchuk, 2020-12-17 12:04 AM

Thank you for your help.

There are many alerts triggered in the time period which I mentioned, but it is giving only a few alerts, not all the alerts.

Here is the sample:

{ "_id" : "A New Process Created", "count" : 354 }
{ "_id" : "Alerts on Windows Firewall Services status change", "count" : 225 }
Type "it" for more
bye
[root@XXXXX~]#

Could you please help me.

Regards
Kunal Galani

ThomasFedorchuk (Occasional Contributor), in response to KranthiKanapala, 2020-12-17 08:41 AM

By adding the ".toArray()" function to the command, the output will not ask for iteration ("Type "it" for more").

[root]# echo 'db.alert.aggregate([{$match: {receivedTime : {$gte : ISODate("2020-01-26T18:22:55.587Z"), $lt : ISODate("2020-04-30T19:28:06.705Z") }}},{$group: {_id : "$alert.name", count:{ $sum: 1 }}}, {$sort: {count: -1} }]).toArray()' | mongo respond-server -u deploy_admin -p netwitness --authenticationDatabase admin
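The same $match / $group / $sort pipeline from the two commands above, written as Python data for pymongo's db.alert.aggregate(), plus a small local checker that runs that exact pipeline shape over constructed sample alerts so the date-window semantics (inclusive start, exclusive end) and the null bucket for alerts without a name can be verified without a live ESA host. This is an added example, not code from the thread or from NetWitness; it assumes the field layout the posted command implies (top-level receivedTime, nested alert.name) and goes one step beyond the posted command by adding a secondary sort on _id so equal counts come back in a stable order.

```python
from collections import Counter
from datetime import datetime, timezone


def alert_counts_pipeline(start, end):
    """The thread's three stages: $match on receivedTime ($gte start, $lt end),
    $group by the nested alert.name, $sort by count descending.  A secondary
    sort on _id is added so equal counts come back in a stable order."""
    return [
        {"$match": {"receivedTime": {"$gte": start, "$lt": end}}},
        {"$group": {"_id": "$alert.name", "count": {"$sum": 1}}},
        {"$sort": {"count": -1, "_id": 1}},
    ]


def run_locally(docs, pipeline):
    """Evaluate exactly the pipeline shape above over in-memory documents
    (a checker for that shape, not a general engine).  Start bound inclusive,
    end bound exclusive; a document lacking alert.name lands in a None bucket."""
    bounds = pipeline[0]["$match"]["receivedTime"]
    path = pipeline[1]["$group"]["_id"].lstrip("$").split(".")
    counts = Counter()
    for doc in docs:
        ts = doc.get("receivedTime")
        if ts is None or not (bounds["$gte"] <= ts < bounds["$lt"]):
            continue
        value = doc
        for part in path:  # walk the dotted field path
            value = value.get(part) if isinstance(value, dict) else None
        counts[value] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [{"_id": name, "count": n} for name, n in ordered]


def _ts(text):
    """Parse an ISODate-style timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Window taken from the thread; the alerts below are constructed, not real data.
START, END = _ts("2020-01-26T18:22:55.587"), _ts("2020-04-30T19:28:06.705")
SAMPLE_ALERTS = [
    {"receivedTime": START, "alert": {"name": "Failed Logins Outside Business Hours"}},  # on start: counted
    {"receivedTime": _ts("2020-02-10T09:00:00"), "alert": {"name": "Failed Logins Outside Business Hours"}},
    {"receivedTime": _ts("2020-03-01T09:00:00"), "alert": {"name": "Services Runs Command Shell"}},
    {"receivedTime": _ts("2020-03-02T09:00:00"), "alert": {"name": "Services Runs Command Shell"}},
    {"receivedTime": _ts("2020-04-01T09:00:00"), "alert": {"name": "OS Process Runs Command Shell"}},
    {"receivedTime": _ts("2020-02-01T09:00:00"), "alert": {}},  # no alert.name: null bucket
    {"receivedTime": END, "alert": {"name": "OS Process Runs Command Shell"}},  # on end: excluded
]
```

With pymongo, MongoClient(...)["respond-server"].alert.aggregate(alert_counts_pipeline(start, end)) yields the same rows the shell prints, and no toArray() is needed because the cursor is consumed by iteration. Read the deploy_admin password from an environment variable or a prompt rather than placing it on the command line, where it is visible in shell history and the process list.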

KranthiKanapala (New Contributor), in response to ThomasFedorchuk, 2020-12-18 02:47 AM

Thank you so much for your help. It is working great.

Regards
Kunal Galani

© 2022 RSA Security LLC or its affiliates. All rights reserved.