NetWitness Community

Hi Devaraj,

You need to query correlation-server mongo DB that is located in NW Server. The 2 collections named engineSettingsEntity and moduleSettingsEntity contain all what you need.

Select deployements and all attached rules:

db.getCollection('engineSettingsEntity').find({ displayName: { $ne: "" } },{"displayName":1,"moduleIds":1,"_id":0} );

Select all rules:

db.getCollection('moduleSettingsEntity').find({ displayName: { $ne: "" } },{"displayName":1,"_id":1} );

In my example:

5e970391e4b0cd45a7f6d2c618-5e999e18e4b0f1d1908e199c

5e970391e4b0cd45a7f6d2c618 : deployement ID

5e999e18e4b0f1d1908e199c : Rule ID

[TEST] Windows detection : display name of the rule

Please let me know if you need any further information.

Hi Devaraj,

If you don't have Robomongo installed you can run this script from an SSH session on your SA server.

Also since the "rules" and "deployment" information are stored in different Mongo documents you can't export the information you're looking from one single collection. 

1) First create the file /root/get_rules_by_deployment.sh

# vi get_rules_by_deployment.sh

2) ADD the following code to the file and save the file   (you will need to substitute your deploy_admin password for the default "-p netwitness")  in the commands below...

#!/bin/bash
IFS=$'\n'
for i in `echo 'db.latestSyncSnapshot.find().toArray()' | mongo sa -u deploy_admin -p netwitness --authenticationDatabase admin | grep "\"name\"" | awk -F':' '{print $2}' | awk -F'"' '{print $2}'`
do
echo "Deployment Name \"$i\" contains the following rule IDs with Friendly Name"
for j in `echo 'db.latestSyncSnapshot.find({"name" : "'"$i"'"}).toArray()' | mongo sa -u deploy_admin -p netwitness --authenticationDatabase admin | grep "\"ruleId\""`
do
echo $j
for r in `echo $j | awk -F'"' '{print $4}'`
do
# echo $r
echo 'db.rule.find({"_id" : "'"$r"'"}, {"parameters.name" : 0}).toArray()' | mongo sa -u deploy_admin -p netwitness --authenticationDatabase admin | grep "\"name\""
echo 'db.rule.find({"_id" : ObjectId("'"$r"'")}, {"parameters.name" : 0, "statements.name" : 0}).toArray()' | mongo sa -u deploy_admin -p netwitness --authenticationDatabase admin | grep "\"name\""
echo ""
echo ""
done
done
done

exit

3) Save the file

4) Make the file executable

# chmod +x get_rules_by_deployment.sh

5) execute the script

# ./get_rules_by_deployment.sh

Sample output...

[root@saserver ~]# ./get_rules_by_deployment.sh
Deployment Name "ESA" contains the following rule IDs with Friendly Name
                                                        "ruleId" : "5e71108e45cedec378cfc624",

                              "name" : "securesoft",

Deployment Name "ESA test" contains the following rule IDs with Friendly Name
                                                        "ruleId" : "esa000111",
                              "name" : "Logins across Multiple Servers",

                                                        "ruleId" : "esa000018",
                              "name" : "Failed Logins Followed By Successful Login Password Change",