
How to delete alerts on RSA Security Analytics ESA appliances 10.4.x and above using Mongodb

Issue

When the number of alerts stored in the ESA database grows so large that the database itself becomes very large, performance can be negatively impacted.
This happens when ESA storage maintenance has not been configured as described in the following article:
https://community.rsa.com/docs/DOC-4558

Resolution

How to delete ALL or SPECIFIC alerts from the ESA appliance in order to reduce the database size:

1) Connect to the ESA appliance via SSH.
2) Connect to the ESA alert database:
# mongo esa -u esa -p esa
3) Below are some commands to delete the alerts. Note that remove() is permanent and cannot be undone, so make sure the filter matches only the alerts you intend to delete before running it. All filter criteria must be placed in a single query document: the second argument to remove() is the justOne flag (or an options document), not a second filter, so any criteria put there are silently ignored.
  • Delete all alerts from a specific rule.
(In the example below, all alerts from the rule 'Badrule24' are deleted.)
> db.alert.remove({ module_name: 'Badrule24' })
  • Delete all alerts from a specific rule during a time period.
(In the example below, all alerts from the rule 'rule_abc' that occurred between 11/1/2014 and 12/1/2014 are deleted. The rule name and the time range are in the same query document; if the time range were passed as a separate second argument, every 'rule_abc' alert would be deleted regardless of date.)
> db.alert.remove({ module_name: 'rule_abc', time: { $gte: ISODate('2014-11-01'), $lt: ISODate('2014-12-01') } })
  • Delete all alerts from all ESA rules during a time period.
(In the example below, all alerts from all ESA rules that occurred between 11/1/2014 and 12/1/2014 are deleted.)
> db.alert.remove({ time: { $gte: ISODate('2014-11-01'), $lt: ISODate('2014-12-01') } })
  • Delete all alerts from a specific rule that were triggered by a specific source IP.
(In the example below, all alerts from 'rule_abc' whose source IP is 1.1.1.1 are deleted.)
> db.alert.remove({ $and: [ { module_name: 'rule_abc' }, { 'event.ip_src': '1.1.1.1' } ] })

4) After deleting the alerts, re-indexing is required; this can be done by following article 000030293.

5) > exit
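The following is an added example, not part of the RSA article: it assembles the same filter documents the remove() calls above use and dry-runs them against a constructed set of sample alerts, the way you would run the filter through db.alert.count() before handing it to db.alert.remove(). The alert documents, rule names, dates and IPs are constructed for illustration; the matcher is a minimal re-implementation of only the MongoDB query operators these filters use (equality, dotted paths, $gte, $lt, $and), not the mongo shell itself. The test values also show why the rule name and time range have to sit in one document: the rule-only filter matches three sample alerts, the combined filter matches two.

```javascript
// Added example (not from the RSA article). Builds ESA alert filters and
// dry-runs them against constructed sample data before any deletion.

// Constructed sample alerts shaped like the fields the filters touch:
// module_name (ESA rule), time (Date) and event.ip_src. Not real ESA data.
const SAMPLE_ALERTS = [
  { _id: 1, module_name: 'rule_abc',  time: new Date('2014-10-15T00:00:00Z'), event: { ip_src: '1.1.1.1' } },
  { _id: 2, module_name: 'rule_abc',  time: new Date('2014-11-10T00:00:00Z'), event: { ip_src: '1.1.1.1' } },
  { _id: 3, module_name: 'rule_abc',  time: new Date('2014-11-20T00:00:00Z'), event: { ip_src: '10.0.0.5' } },
  { _id: 4, module_name: 'Badrule24', time: new Date('2014-11-25T00:00:00Z'), event: { ip_src: '1.1.1.1' } },
  { _id: 5, module_name: 'Badrule24', time: new Date('2014-12-01T00:00:00Z'), event: { ip_src: '10.0.0.5' } },
];

// Build ONE query document for db.alert.count()/db.alert.remove().
// Every criterion goes into the same object; remove()'s second argument is
// the justOne flag / options, so a criterion placed there would be ignored.
function buildFilter({ rule, from, to, srcIp } = {}) {
  const filter = {};
  if (rule !== undefined) filter.module_name = rule;
  if (from !== undefined || to !== undefined) {
    filter.time = {};
    if (from !== undefined) filter.time.$gte = new Date(from); // inclusive lower bound
    if (to !== undefined) filter.time.$lt = new Date(to);      // exclusive upper bound
  }
  if (srcIp !== undefined) filter['event.ip_src'] = srcIp;     // dotted path into event
  return filter;
}

// Resolve a dotted path such as 'event.ip_src' against a document.
function getPath(doc, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), doc);
}

// Minimal matcher for the operators used by the article's filters.
function matches(doc, filter) {
  return Object.entries(filter).every(([key, cond]) => {
    if (key === '$and') return cond.every((sub) => matches(doc, sub));
    const value = getPath(doc, key);
    // Plain value (string, number, Date, null): equality match.
    if (cond === null || typeof cond !== 'object' || cond instanceof Date) {
      if (value instanceof Date && cond instanceof Date) return value.getTime() === cond.getTime();
      return value === cond;
    }
    // Operator document such as { $gte: ..., $lt: ... }.
    return Object.entries(cond).every(([op, bound]) => {
      if (op === '$gte') return value >= bound;
      if (op === '$lt') return value < bound;
      throw new Error(`unsupported operator ${op}`);
    });
  });
}

// Dry run: the equivalent of db.alert.count(filter) before db.alert.remove(filter).
function countMatches(filter, alerts = SAMPLE_ALERTS) {
  return alerts.filter((a) => matches(a, filter)).length;
}

// Simulate the remove: return the alerts that would remain afterwards.
function removeMatches(filter, alerts = SAMPLE_ALERTS) {
  return alerts.filter((a) => !matches(a, filter));
}

// Usage: compare the rule-only filter with the rule-plus-time-window filter.
const ruleOnly = buildFilter({ rule: 'rule_abc' });
const ruleInWindow = buildFilter({ rule: 'rule_abc', from: '2014-11-01', to: '2014-12-01' });
console.log('rule only matches', countMatches(ruleOnly));          // 3 on the sample data
console.log('rule in window matches', countMatches(ruleInWindow)); // 2 on the sample data
```

On a live appliance the same filter document is what you pass to db.alert.count() first and to db.alert.remove() only once the count is what you expect; the $and form from the last bullet above is accepted by the matcher as well, since it is equivalent to putting both keys in one document.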

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.4.x and above
Platform: CentOS