How to manually disable an Aggregation Rule in SA Incident Management (IM) if you can't perform this through the SA UI.
1. Check where the IM database is hosted.
In Administration \ Services, select the Incident Management service and choose View \ Explore.
In the left-hand pane, expand Service \ Configuration \ database and examine the Host value; it should be the hostname or IP of an ESA appliance/VM.
2. SSH to the ESA host identified in step 1 and log into the IM database
# mongo im -u im -p <password>
Example:
# mongo im -u im -p im
Note: this command assumes the im service password is still the default.
3. Display Aggregation Rules
> db.aggregation_rule.find()
4. Disable the rule in the IM database
Assuming you wanted to disable this aggregation rule:
{ "_id" : ObjectId("5771d59df280f56c75348d27"), "_class" : "com.rsa.smc.im.domain.bean.AlertRule", "order" : 1, "enabled" : true, "deleted" : false, "name" : "Suspected Command & Control Communication By Domain", "description" : "This incident rule captures suspected communication with a Command & Control server and groups results by domain.", "ruleId" : "OOTB#1", "uiFilterConditions" : "{\"alertRuleFilterGroup\":{\"filterType\":\"FILTER_GROUP\",\"logicalOperator\":\"and\",\"filters\":[{\"alertRuleFilter\":{\"filterType\":\"FILTER\",\"property\":\"alert.source\",\"operator\":\"=\",\"value\":\"Event Stream Analysis\"}},{\"alertRuleFilter\":{\"filterType\":\"FILTER\",\"property\":\"alert.signature_id\",\"operator\":\"=\",\"value\":\"Suspected C&C\"}}]}}", "matchConditions" : "{\"$and\":[{\"alert.source\":\"Event Stream Analysis\"},{\"alert.signature_id\":\"Suspected C&C\"}]}", "advancedUiFilterConditions" : false, "groupByFields" : [ "alert.groupby_domain" ], "timeWindow" : "7d", "action" : "GROUP_INTO_INCIDENT", "incidentCreationOptions" : { "ruleTitle" : "Suspected C&C with ${groupByValue1}", "ruleSummary" : "Security Analytics detected communications with ${groupByValue1} that may be command and control malware.\n\n1. Evaluate if the domain is legitimate (online radio, news feed, partner, automated testing, etc.).\n2. Review the domain registration for suspect information (Registrant country, registrar, no registration data found, etc).\n3. If the domain is suspect, go to the Investigation module to locate other activity to or from it.", "assignee" : null, "categories" : [ ] }, "incidentScoringOptions" : { "type" : "high" }, "priorityScale" : { "HIGH" : "50", "MEDIUM" : "20", "LOW" : "1", "CRITICAL" : "90" }, "notificationOptions" : { }, "alertsMatchedCount" : 0, "incidentsCreatedCount" : 0 }
Substitute the ObjectId of the rule you want to disable in the command below; the update is keyed on _id and sets only the enabled flag:
> db.aggregation_rule.update( { "_id" : ObjectId("5771d59df280f56c75348d27") }, { $set: { "enabled" : false } } )
5. Exit the mongo shell
> exit
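The same steps 3 to 5 as a mongo shell (JavaScript) script, added here as an example and not part of the original article: it looks the rule up by its name instead of a hand-copied ObjectId, refuses to touch anything if the name is missing or ambiguous, applies the same $set update on _id, and re-reads the document to confirm the flag changed. The script file name and the RULE_NAME variable (passed with --eval) are assumptions.

```javascript
// Assumed invocation on the ESA host (disable_rule.js is an assumed file name):
//   mongo im -u im -p <password> --eval 'var RULE_NAME="Suspected Command & Control Communication By Domain"' disable_rule.js
function disableRuleByName(db, name) {
  var coll = db.aggregation_rule;
  // Exact name match; skip soft-deleted rules so a stale copy is never the one updated
  var matches = coll.find({ name: name, deleted: false }).toArray();
  if (matches.length === 0) {
    throw new Error("no aggregation rule named '" + name + "'");
  }
  if (matches.length > 1) {
    throw new Error("rule name is ambiguous (" + matches.length + " matches); disable by _id instead");
  }
  var rule = matches[0];
  if (rule.enabled === false) {
    // Already disabled: report it and change nothing
    return { _id: rule._id, enabled: false, changed: false };
  }
  // Same update the article shows: keyed on _id, only the enabled flag is set
  coll.update({ _id: rule._id }, { $set: { enabled: false } });
  // Verify by re-reading the document rather than trusting the write result
  var after = coll.findOne({ _id: rule._id });
  if (!after || after.enabled !== false) {
    throw new Error("update did not take effect for _id " + rule._id);
  }
  return { _id: rule._id, enabled: false, changed: true };
}

// Runs only inside the mongo shell (where `db` exists) and only when RULE_NAME was supplied
if (typeof db !== "undefined" && typeof RULE_NAME !== "undefined") {
  printjson(disableRuleByName(db, RULE_NAME));
}
```

Run `db.aggregation_rule.find({ enabled: false })` afterwards if you want to see every disabled rule at once.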