
How to delete generated alerts from an ESA rule in RSA Security Analytics 10.4 and above

Issue

If a rule is enabled by mistake, it may overload the mongo ESA database with a flood of alerts.  
An excess of alerts may also result in the database becoming too large to properly return results in the Security Analytics UI.

Resolution

One way to fix this issue is to delete all alerts generated by these rules, which can be done with the steps below.
  1. Connect to the ESA appliance via SSH as the root user.
  2. Stop the puppet service on the appliance.
    [root@ESA ~]# service puppet stop
    Stopping puppet agent: [ OK ]
  3. Stop the ESA service on the appliance.
    [root@ESA ~]# service rsa-esa stop
    Stopping RSA NetWitness ESA :: Server...
    Stopped RSA NetWitness ESA :: Server.
  4. Connect to the mongo ESA alerts database.
    [root@rsaesa-001-0 ~]# mongo esa -u esa -p esa
    TokuMX mongo shell v1.4.2-mongodb-2.4.10
    connecting to: esa
    >
  5. At the shell prompt, use one or more of the methods below to delete alerts.
    • Delete all alerts from a specific rule.
      (In the example below, all alerts from the rule 'Badrule24' are deleted.)
      > db.alert.remove({ module_name: 'Badrule24'})
    • Delete all alerts from a specific rule during a time period.
      (In the example below, all alerts from the rule 'rule_abc' that occurred between 11/1/2014 and 12/1/2014 are deleted.  The rule name and the time range must be in a single query document: the second argument to remove() is the justOne flag, not a second filter, so passing the time range separately would delete only one alert and ignore the dates.)
      > db.alert.remove({ module_name: 'rule_abc', time: { $gte: ISODate('2014-11-01'), $lt: ISODate('2014-12-01') }})
    • Delete all alerts from all ESA rules during a time period.
      (In the example below, all alerts from all ESA rules that occurred between 11/1/2014 and 12/1/2014 are deleted.)
      > db.alert.remove({time: { $gte: ISODate('2014-11-01'), $lt: ISODate('2014-12-01') }})
  6. Exit the mongo database to return to the command prompt.
    > exit
    bye
    [root@ESA ~]#
  7. Start the puppet service, which will also start the ESA service.
    [root@ESA ~]# service puppet start
    Starting puppet agent: [ OK ]

    [root@ESA ~]# service rsa-esa status
    RSA NetWitness ESA :: Server is running (25378).

Notes

To identify how many alerts are present in the mongo database and to confirm that the alerts were deleted successfully, issue the command below.
db.alert.aggregate( [{ $group: { _id: "$module_name", count: { $sum: 1 }}}, { $sort: { count: 1 }}])

To query for alerts in the database that occurred during a specific time period, issue the command below.
db.alert.aggregate(
[{ $match: { time: { $gte: ISODate("2014-11-01"), $lt: ISODate("2014-12-01") }}},
{ $group: { _id: "$module_name", count: { $sum: 1 }}},
{ $sort: { count: 1 } }])

To query for alerts in the database and display the first 5 results, issue the command below.
db.alert.find().limit(5)

To query for alerts in the database and display the first 5 results in an easy-to-read format, issue the command below.
db.alert.find().limit(5).pretty()

To query for alerts in the database with a specific alert name and a matching condition (ip_src in this example), issue the command below.  Hint: run the previous command first to find the name of the array (events) that contains the meta key (ip_src).
db.alert.find({ $and: [ { "module_name": "Alert name goes here"},{ "events.ip_src": "xxx.xxx.xxx.xxx"} ] },{"_id":1,"module_name":1,"events.ip_src":1} )

To count the number of alerts in the database matching the condition, issue the command below.
db.alert.find({ $and: [ { "module_name": "Alert name goes here"},{ "events.ip_src": "xxx.xxx.xxx.xxx"} ] }).count()

To remove the alerts matching the condition, issue the command below.
db.alert.remove({ $and: [ { "module_name": "Alert name goes here"},{ "events.ip_src": "xxx.xxx.xxx.xxx"} ] })
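The removals in step 5 and the count/remove queries above all hinge on getting the db.alert filter document right. The following is an added example (not from the RSA article) that builds that filter from a rule name and time window and counts the matches before deleting; the mongo shell is replaced by a constructed in-memory stand-in so it runs offline, and the helper names are the example's own.

```javascript
// Added example, not part of the RSA article: build the db.alert filter as ONE
// query document and count matches before removing them. In the mongo shell,
// remove(query, x) reads x as "justOne", so rule name and time window go together.
// Optional rule name plus optional [from, to) window (Date objects; ISODate()
// in the mongo shell returns a Date) -> filter for find()/count()/remove().
function buildAlertFilter(moduleName, from, to) {
  const filter = {};
  if (moduleName) filter.module_name = moduleName;
  if (from || to) {
    filter.time = {};
    if (from) filter.time.$gte = from;
    if (to) filter.time.$lt = to;
  }
  return filter;
}
// Count first, remove only when confirm is true, and refuse an empty filter,
// which would wipe the whole collection. `collection` is anything exposing
// count(filter) and remove(filter), e.g. db.alert in the mongo shell.
function deleteAlerts(collection, filter, confirm) {
  if (Object.keys(filter).length === 0) {
    throw new Error('refusing to remove with an empty filter');
  }
  const matched = collection.count(filter);
  if (!confirm) return { matched, removed: 0 }; // dry run
  collection.remove(filter);
  return { matched, removed: matched };
}
// Constructed in-memory stand-in for db.alert so the example runs offline.
function makeFakeAlerts(initialDocs) {
  let docs = initialDocs.slice();
  const matches = (d, f) =>
    (!f.module_name || d.module_name === f.module_name) &&
    (!f.time || ((!f.time.$gte || d.time >= f.time.$gte) &&
                 (!f.time.$lt || d.time < f.time.$lt)));
  return {
    count(f) { return docs.filter(d => matches(d, f)).length; },
    remove(f) { docs = docs.filter(d => !matches(d, f)); },
  };
}

// Constructed sample alerts: two from rule_abc, one from Badrule24.
const sample = makeFakeAlerts([
  { module_name: 'rule_abc', time: new Date('2014-11-15') },
  { module_name: 'rule_abc', time: new Date('2014-12-15') },
  { module_name: 'Badrule24', time: new Date('2014-11-20') },
]);
const novFilter = buildAlertFilter('rule_abc', new Date('2014-11-01'), new Date('2014-12-01'));
const dryRun = deleteAlerts(sample, novFilter, false); // { matched: 1, removed: 0 }
const result = deleteAlerts(sample, novFilter, true);  // { matched: 1, removed: 1 }
```

Run the dry-run form first on the real database; the matched count should agree with the aggregate count for that rule before anything is removed.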

Internal Comments

Pablo Trigo -- 1/21/2015
Keeping this procedure as internal, CS should walk customers through the process.

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6

Summary

This article details how to delete generated alerts from an ESA rule in Security Analytics 10.4 and above.
