
How to Selectively Manage or Delete Alerts/Incidents in the ESA Host Mongo Database

Issue

How to remove alerts or incidents that fall within a given time frame directly at the MongoDB level in NetWitness 11.x.


Resolution

The steps below are run from the host's OS shell; each Mongo statement is piped into the mongo client, so there is no need to log in and work at the interactive Mongo prompt.

Stop the corresponding services before removing any alerts or incidents, using the commands below:

# systemctl stop rsa-nw-correlation-server      --- on the ESA Host
# systemctl stop rsa-nw-respond-server          --- on the NwAdmin Host

Pick the sample commands you need from the list below and run them from the OS CLI; each command's output is redirected to a text file under /root.
Note: When specifying the time frame, the '$gte' date is the oldest (earliest) bound and the '$lte' date is the newest (latest) bound. View and count first; remove only once the count matches what you expect. The examples use 'netwitness' as the deploy_admin password: substitute the password set for your deployment, and bear in mind that a password given with -p on the command line is written to the root shell history.

>To check on alerts count within the specified time frame:
# echo 'db.alert.count({$and: [{ receivedTime:{$gte: ISODate("1989-08-06T00:00:00.643Z")}},{receivedTime: {$lte: ISODate("2020-05-21T00:00:00.643Z")}}]})' |mongo respond-server --authenticationDatabase admin -u deploy_admin -p netwitness > /root/alert_count.txt

>To find or list all alerts within the specified time frame:
# echo 'db.alert.find({$and: [{ receivedTime:{$gte: ISODate("1989-08-06T00:00:00.643Z")}},{receivedTime: {$lte: ISODate("2020-05-21T00:00:00.643Z")}}]}).pretty()' |mongo respond-server --authenticationDatabase admin -u deploy_admin -p netwitness > /root/alert_find.txt

>To remove alerts within the specified time frame (remove() returns a WriteResult rather than a cursor, so it takes no .pretty()):
# echo 'db.alert.remove({$and: [{ receivedTime:{$gte: ISODate("1989-08-06T00:00:00.643Z")}},{receivedTime: {$lte: ISODate("2020-05-21T00:00:00.643Z")}}]})' |mongo respond-server --authenticationDatabase admin -u deploy_admin -p netwitness > /root/remove_alerts.txt

>To reindex the alert collection after remove:
# echo 'db.alert.reIndex()' |mongo respond-server --authenticationDatabase admin -u deploy_admin -p netwitness > /root/reindex_alerts.txt

---

>To check on incidents count within the specified time frame:
#  echo 'db.incident.count({$and: [{ created:{$gte: ISODate("1989-08-06T00:00:00.643Z")}},{created: {$lte: ISODate("2020-10-23T00:00:00.643Z")}}]})' |mongo respond-server --authenticationDatabase admin -u deploy_admin -p netwitness > /root/incident_count.txt

>To find or list all incidents within the specified time frame:
# echo 'db.incident.find({$and: [{ created:{$gte: ISODate("1989-08-06T00:00:00.643Z")}},{created: {$lte: ISODate("2020-10-23T00:00:00.643Z")}}]}).pretty()' |mongo respond-server --authenticationDatabase admin -u deploy_admin -p netwitness > /root/incident_find.txt

>To remove incidents within the specified time frame (remove() returns a WriteResult rather than a cursor, so it takes no .pretty()):
# echo 'db.incident.remove({$and: [{ created:{$gte: ISODate("1989-08-06T00:00:00.643Z")}},{created: {$lte: ISODate("2020-10-23T00:00:00.643Z")}}]})' |mongo respond-server --authenticationDatabase admin -u deploy_admin -p netwitness > /root/remove_incidents.txt

>To reindex the incident collection after remove:
# echo 'db.incident.reIndex()' |mongo respond-server --authenticationDatabase admin -u deploy_admin -p netwitness > /root/reindex_incidents.txt

Do not forget to start the services again after removing and reindexing the alerts or incidents:

# systemctl start rsa-nw-correlation-server      --- on the ESA Host
# systemctl start rsa-nw-respond-server          --- on the NwAdmin Host
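The whole sequence above, as an added example script that is not part of this KB: it builds the same count/find/remove/reIndex statements for either collection, checks that both bounds are well-formed ISO-8601 UTC timestamps with the window in the right order, produces the count and listing as a dry run by default, and removes only when told to explicitly. It assumes the mongo client is on PATH, that the deploy_admin password is supplied in a MONGO_PASS environment variable (a hypothetical name, chosen so the password is not typed on the command line), and that it runs on the ESA host, where it can verify rsa-nw-correlation-server is stopped; rsa-nw-respond-server on the NW Admin host still has to be stopped by hand.

```shell
#!/bin/bash
# Added example, not from the KB: wraps the count/find/remove/reIndex steps
# in one script with a dry-run default and input checks.
# Assumptions: the mongo client is on PATH; the deploy_admin password is in
# the MONGO_PASS environment variable (hypothetical name); output files go
# under OUTDIR (default /root, as in the KB).
set -eu

DB="respond-server"
MONGO_USER="deploy_admin"
OUTDIR="${OUTDIR:-/root}"

# Accept only full ISO-8601 UTC timestamps with milliseconds, as in the KB
# (e.g. 2020-05-21T00:00:00.643Z). ISODate() would reject a malformed string
# anyway, but failing here is clearer than a JS exception mid-run, and a fixed
# format lets the two bounds be compared as plain strings.
is_iso_utc() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}Z$'
}

# The window is [from, to]; refuse a reversed one instead of silently matching nothing.
window_ok() {
    printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort -c 2>/dev/null
}

# Timestamp field the KB filters on, per collection.
time_field() {
    case "$1" in
        alert)    printf 'receivedTime' ;;
        incident) printf 'created' ;;
        *)        echo "unknown collection: $1" >&2; return 1 ;;
    esac
}

# Build the mongo shell statement for one action over the window.
# remove() returns a WriteResult, not a cursor, so it gets no .pretty().
build_js() {
    local coll="$1" action="$2" from="$3" to="$4" field filter
    field=$(time_field "$coll")
    filter="{ $field: { \$gte: ISODate(\"$from\"), \$lte: ISODate(\"$to\") } }"
    case "$action" in
        count)   printf 'db.%s.count(%s)' "$coll" "$filter" ;;
        find)    printf 'db.%s.find(%s).pretty()' "$coll" "$filter" ;;
        remove)  printf 'db.%s.remove(%s)' "$coll" "$filter" ;;
        reIndex) printf 'db.%s.reIndex()' "$coll" ;;
        *)       echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Pipe a statement into the mongo client exactly as the KB does. Reading the
# password from the environment keeps it out of the root shell history (it is
# still visible in ps for the lifetime of the mongo process).
run_mongo() {
    printf '%s\n' "$1" | mongo "$DB" --quiet --authenticationDatabase admin \
        -u "$MONGO_USER" -p "${MONGO_PASS:?set MONGO_PASS to the deploy_admin password}"
}

# purge_window <alert|incident> <from> <to> [delete]
# Without the 4th argument only the count and the listing are produced.
purge_window() {
    local coll="$1" from="$2" to="$3" mode="${4:-dry-run}" count
    is_iso_utc "$from" && is_iso_utc "$to" || { echo "bounds must look like 2020-05-21T00:00:00.643Z" >&2; return 1; }
    window_ok "$from" "$to" || { echo "from-date is later than to-date" >&2; return 1; }

    count=$(run_mongo "$(build_js "$coll" count "$from" "$to")")
    # Assumes --quiet leaves only the number on stdout; anything else is treated as an error.
    case "$count" in ''|*[!0-9]*) echo "unexpected count output: $count" >&2; return 1 ;; esac
    echo "$coll documents between $from and $to: $count"
    run_mongo "$(build_js "$coll" find "$from" "$to")" > "$OUTDIR/${coll}_find.txt"
    echo "listing written to $OUTDIR/${coll}_find.txt"

    if [ "$mode" != "delete" ]; then
        echo "dry run; re-run with a 4th argument of 'delete' to remove them"
        return 0
    fi
    [ "$count" -gt 0 ] || { echo "nothing to remove"; return 0; }
    # The KB stops rsa-nw-correlation-server on the ESA host first; enforce that
    # locally. rsa-nw-respond-server on the NW Admin host must be stopped by hand.
    if systemctl is-active --quiet rsa-nw-correlation-server; then
        echo "rsa-nw-correlation-server is still running; stop it first" >&2
        return 1
    fi
    run_mongo "$(build_js "$coll" remove "$from" "$to")"  > "$OUTDIR/remove_${coll}s.txt"
    run_mongo "$(build_js "$coll" reIndex "$from" "$to")" > "$OUTDIR/reindex_${coll}s.txt"
    echo "removed $count $coll documents; see $OUTDIR/remove_${coll}s.txt"
}

# Runs only when invoked with arguments, e.g.:
#   MONGO_PASS=... ./purge_window.sh alert 1989-08-06T00:00:00.643Z 2020-05-21T00:00:00.643Z
#   MONGO_PASS=... ./purge_window.sh alert 1989-08-06T00:00:00.643Z 2020-05-21T00:00:00.643Z delete
if [ "$#" -ge 3 ]; then
    purge_window "$@"
fi
```

The first invocation writes the count and the listing file and stops; only the second, with 'delete', removes and reindexes, and it refuses to do so while rsa-nw-correlation-server is still active on the host it runs on. Start the services again afterwards as described above.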


Product Details

RSA Product Set: NetWitness Platform
RSA Product/Service Type: Event Stream Analysis
RSA Version/Condition: 11.x
Platform: CentOS7

Summary

There are times when certain alerts or incidents within a time frame need to be deleted; this KB describes how to do that manually in the respond-server Mongo database.

