
How to export All ESA Rules to CSV File in NetWitness

Issue

Customers need to export all ESA rules for review.


Resolution

Log on to the Admin Server (NW-NODE-ZERO) via ssh as root and run the following command (you will be prompted for the deploy_admin password to connect):

mongoexport --host localhost --authenticationDatabase admin --username deploy_admin -d source-server -c esaRule -o /root/rules.csv --fields _id,class,statements,conditions,outputActions,dateModified

An example result of 447 rules being exported:

2024-04-26T21:55:10.210+0000    connected to: mongodb://localhost/
2024-04-26T21:55:10.243+0000    exported 447 records


The command will export the rules to /root/rules.csv. That location can be changed by adjusting the following value in the above command:

-o /root/rules.csv


The following is the sample output from this command:

head /root/rules.csv
{"_id":{"$oid":"569969fff28025e279bb1959"},"statements":[{"_id":"88192576-842b-47ff-9a2b-abab09892a3f","name":"User Added to Admin Group","conditionType":"AllMet","statementLines":[{"statementId":"","metaKeyId":"medium","conditionId":"Is","value":"32","array":false,"evaluationType":"Is","ignoreCase":false},{"statementId":"","metaKeyId":"device_class","conditionId":"Is","value":"Unix","array":false,"evaluationType":"Is","ignoreCase":false},{"statementId":"","metaKeyId":"user_dst","conditionId":"IsNotNull","value":"","array":false,"evaluationType":"IsNotNull","ignoreCase":false},{"statementId":"","metaKeyId":"ec_subject","conditionId":"Is","value":"Group","array":false,"evaluationType":"Is","ignoreCase":false},{"statementId":"","metaKeyId":"ec_activity","conditionId":"Is","value":"Modify","array":false,"evaluationType":"Is","ignoreCase":false},{"statementId":"","metaKeyId":"ec_outcome","conditionId":"Is","value":"Success","array":false,"evaluationType":"Is","ignoreCase":false},{"statementId":"","metaKeyId":"group","conditionId":"Is","value":"wheel, root","array":true,"evaluationType":"Is","ignoreCase":true}],"enrichmentStatements":[]},{"_id":"e6df6aa8-87ee-43de-a6c0-3a7b82ed93af","name":"Successful Sudo","conditionType":"AllMet","statementLines":[{"statementId":"","metaKeyId":"medium","conditionId":"Is","value":"32","array":false,"evaluationType":"Is","ignoreCase":false},{"statementId":"","metaKeyId":"device_class","conditionId":"Is","value":"Unix","array":false,"evaluationType":"Is","ignoreCase":false},{"statementId":"","metaKeyId":"user_dst","conditionId":"IsNotNull","value":"","array":false,"evaluationType":"IsNotNull","ignoreCase":false},{"statementId":"","metaKeyId":"event_desc","conditionId":"Is","value":"successful su, successful sudo","array":true,"evaluationType":"Is","ignoreCase":true}],"enrichmentStatements":[]}],"conditions":[{"_id":"557170e9-fa9a-4a77-826f-27c65fd48851","connectorType":"FOLLOWED_BY","statementId":"88192576-842b-47ff-9a2b-abab09892a3f","joinOn":"","occur":1},{"_id":"5aa3512f-4dde-4b56-924d-b363bd606415","connectorType":"NONE","statementId":"e6df6aa8-87ee-43de-a6c0-3a7b82ed93af","joinOn":"","occur":1}],"outputActions":[]}
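Note that without --type=csv, mongoexport writes one Extended JSON document per line, which is what the head output above shows, so the .csv file is not directly loadable in a spreadsheet. The following added script (not part of this article or the NetWitness product) flattens such an export into a real CSV with one row per statement line plus the rule's FOLLOWED_BY flow; the embedded sample document is constructed in the shape shown above, with illustrative values only.

```python
import csv
import io
import json

# Constructed sample: one esaRule document in the shape of the article's
# `head /root/rules.csv` output. Values are illustrative, not real rule data.
SAMPLE_EXPORT = (
    '{"_id":{"$oid":"000000000000000000000001"},"statements":['
    '{"_id":"s1","name":"User Added to Admin Group","conditionType":"AllMet","statementLines":['
    '{"metaKeyId":"device_class","conditionId":"Is","value":"Unix","array":false,"ignoreCase":false},'
    '{"metaKeyId":"group","conditionId":"Is","value":"wheel, root","array":true,"ignoreCase":true}]},'
    '{"_id":"s2","name":"Successful Sudo","conditionType":"AllMet","statementLines":['
    '{"metaKeyId":"event_desc","conditionId":"Is","value":"successful sudo","array":true,"ignoreCase":true}]}],'
    '"conditions":[{"connectorType":"FOLLOWED_BY","statementId":"s1","occur":1},'
    '{"connectorType":"NONE","statementId":"s2","occur":1}],"outputActions":[]}\n'
)
FIELDS = ["rule_id", "statement", "condition_type", "meta_key", "operator",
          "value", "array", "ignore_case", "flow"]

def rule_rows(export_text):
    """Flatten each exported rule into one dict per statement line."""
    rows = []
    for line in filter(str.strip, export_text.splitlines()):
        doc = json.loads(line)  # mongoexport: one Extended JSON document per line
        rid = doc["_id"]
        rule_id = rid["$oid"] if isinstance(rid, dict) else str(rid)
        names = {st["_id"]: st["name"] for st in doc.get("statements", [])}
        # Evaluation order of the rule's statements, e.g. "A FOLLOWED_BY B".
        parts = []
        for cond in doc.get("conditions", []):
            parts.append(names.get(cond["statementId"], cond["statementId"]))
            if cond.get("connectorType", "NONE") != "NONE":
                parts.append(cond["connectorType"])
        flow = " ".join(parts)
        for st in doc.get("statements", []):
            for sl in st.get("statementLines", []):
                rows.append(dict(zip(FIELDS, [
                    rule_id, st["name"], st.get("conditionType", ""),
                    sl["metaKeyId"], sl["conditionId"], sl.get("value", ""),
                    sl.get("array", False), sl.get("ignoreCase", False), flow])))
    return rows

def to_csv(export_text):
    """Return the flattened rules as CSV text; values with commas are quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rule_rows(export_text))
    return buf.getvalue()
```

To convert a real export, call `to_csv(open("/root/rules.csv").read())` and write the result to a new file.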
Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Admin Server, Correlation-Server
NetWitness Version/Condition: 12.x
Platform: CentOS/AlmaLinux
Summary

Use these steps to export all ESA rules to a CSV formatted file.
