.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
Edit the Incident Rules Export ZIP File
Edit the Incident Rules Export ZIP FileEdit the Incident Rules Export ZIP File
This procedure is optional and is for advanced users. When exporting incident rules from the Respond Incident Rules view, the exported incident rules file is a ZIP file in the format
- aggregation_rule_schema.json contains the incident rule schema.
-
-incident_rules_export.json contains the incident rules.
You can import this ZIP file on another NetWitness Server on the same release version.
There may be situations when you need to edit the these files before you import them to another NetWitness Server.
To edit the incident rules export files:
- Follow the Incident Rule Export Files Editing Guidelines below to edit the export files.
- Before importing, verify that the ZIP file does not contain additional files or folders. The ZIP file should contain only the mandatory aggregation_rule_schema.json and
-incident_rules_export.json files to go through the import. Any files other than these two cause the import to fail.
For example, when compressing files on a Mac, it adds a temp folder __MACOSX that needs to be excluded while zipping the file.
Note: You cannot export Advanced rules.
Incident Rule Export Files Editing GuidelinesIncident Rule Export Files Editing Guidelines
Ensure that the following fields have at least one value. Removing a value or having an empty value for the following fields results in abnormal behavior.
- Field: name
- Possible Values: A-Z a-z 0-9 " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
- Field: groupByFields
- Possible Values: A Minimum of 1 or a Maximum of 2 group_by keys should be present in aggregation_rule_schema.json.
- Field: timeWindow
- Possible Values:
A String value in the following accepted formats:
Days – Min:1d Max: 24d
Hours – Min: 1h Max: 100h
Minutes – Min: 1m Max :100m
- Field: action
- Possible Values:
Should be one of following values:
GROUP_INTO_INCIDENT
SUPPRESS_ALERT
- Field: incidentScoringOptions
- Possible Values: Should be one of the following string values:
average: Average of Risk Score across all of the Alerts
high: Highest Risk Score available across all of the Alerts
count: Number of Alerts in the time window
- Field: priorityScale
- Possible Values: Condition: LOW < MEDIUM < HIGH < CRITICAL
- Field:
- Possible Values:
- Column 3:
Sub Fields
- Column 4: Possible Values
- Column 5: MEDIUM
- Column 6: 1-100
- Column 7: CRITICAL
- Column 8: 1-100
- Column 9: HIGH
- Column 10: 1-100
- Column 11:
LOW
- Column 12: 1-100
- Field:
Sub Fields
- Possible Values: Possible Values
- Field: MEDIUM
- Possible Values: 1-100
- Field: CRITICAL
- Possible Values: 1-100
- Field: HIGH
- Possible Values: 1-100
- Field:
LOW
- Possible Values: 1-100
- Field: uiFilterConditions
- Possible Values: Sample UI Conditions Filter Structure
- Field:
- Possible Values:
- Column 3: Sub Fields
- Column 4: Possible Values
- Column 5: filterType
- Column 6:
FILTER
FILTER_GROUP
Possible values for FILTER are listed below.
- Column 7: property
- Column 8: value: fetched from aggregation_rule_schem.json
- Column 9: operator
- Column 10: operators
- Column 11: value
- Column 12:
type: dictates the data type.
Available options:textfield: String
combobox : from a list of options available in the json
datefield: unix time stamp, for example: 2019-06-12T12:00:00Z
numberfield: Integer
- Field: Sub Fields
- Possible Values: Possible Values
- Field: filterType
- Possible Values:
FILTER
FILTER_GROUP
Possible values for FILTER are listed below.
- Field: property
- Possible Values: value: fetched from aggregation_rule_schem.json
- Field: operator
- Possible Values: operators
- Field: value
- Possible Values:
type: dictates the data type.
Available options:textfield: String
combobox : from a list of options available in the json
datefield: unix time stamp, for example: 2019-06-12T12:00:00Z
numberfield: Integer
- Field: incidentCreationOptions
- Possible Values: ruleSummary: String
categories: JSON
array assignee: JSON