
Security Analytics 10.4: How to delete a rule date range on an ESA system

Issue

An ESA rule that is not optimized can generate an excessive amount of alert data. This can be detrimental to both system and process performance. By deleting the alerts in the date range produced by the rule that introduced the issue, the ESA process and the system itself can be restored to optimal functionality.


Resolution

The following process details how to perform this function:

STOP PUPPET SERVICE IN ESA
[root@rsaesa-001-0 ~]# service puppet stop
Stopping puppet agent:                                     [  OK  ]

STOP ESA SERVICE
[root@rsaesa-001-0 ~]# service rsa-esa stop
Stopping RSA NetWitness ESA :: Server...
Stopped RSA NetWitness ESA :: Server.

CONNECT TO MONGODB IN ESA
SYNTAX OF THE REMOVE COMMAND (replace the two timestamps with the start and end of the range, and RULENAME with the rule's module name)

db.alert.remove({ $and: [{ time:{$gte: ISODate("YYYY-MM-DDTHH:MM:SSZ")}},{ time: {$lte: ISODate("YYYY-MM-DDTHH:MM:SSZ")}},{module_name: "RULENAME"}]})

[root@rsaesa-001-0 ~]# mongo esa -u esa -p esa
TokuMX mongo shell v1.4.2-mongodb-2.4.10
connecting to: esa
>db.alert.remove({ $and: [{ time:{$gte: ISODate("2015-01-20T21:18:44Z")}},{ time: {$lte: ISODate("2015-01-20T21:18:47Z")}},{module_name: "Badrule2"}]})
> ^C
Bye

START ESA SERVICE (PUPPET WILL START ESA SERVICE)
[root@rsaesa-001-0 ~]# service puppet start
Starting puppet agent:                                     [  OK  ]

[root@rsaesa-001-0 ~]# service rsa-esa status
RSA NetWitness ESA :: Server is running (23329).
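The following wrapper is an added example, not RSA's own tooling: it sequences the steps above, validates the timestamps and rule name before anything is touched, and counts the matching alerts before removing them. It assumes the same esa database and credentials shown above and runs the mongo shell non-interactively with --eval instead of the interactive session.

```shell
#!/bin/sh
# Purge ESA alerts for one rule within a UTC date range (example wrapper).
# Usage: purge_esa_alerts.sh RULENAME YYYY-MM-DDTHH:MM:SSZ YYYY-MM-DDTHH:MM:SSZ

# Accept only the exact UTC timestamp shape that ISODate() expects.
valid_ts() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$'
}

# Restrict the rule name so it cannot break out of the quoted JS string.
valid_rule() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

# With the fixed timestamp format, lexical order equals chronological order.
ordered() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$1" ]
}

# One filter string for both count and remove, so both match the same documents.
build_filter() {
    printf '{ $and: [{ time: {$gte: ISODate("%s")}}, { time: {$lte: ISODate("%s")}}, {module_name: "%s"}]}' "$2" "$3" "$1"
}

main() {
    rule=$1; start=$2; end=$3
    valid_rule "$rule" || { echo "rule name may contain only A-Z a-z 0-9 _ . -" >&2; return 2; }
    valid_ts "$start" && valid_ts "$end" || { echo "timestamps must be YYYY-MM-DDTHH:MM:SSZ" >&2; return 2; }
    ordered "$start" "$end" || { echo "start must not be after end" >&2; return 2; }
    filter=$(build_filter "$rule" "$start" "$end")

    service puppet stop          # puppet would otherwise restart rsa-esa underneath us
    service rsa-esa stop
    # Show the operator how many alerts the range covers before deleting anything.
    echo "alerts matching $rule in [$start, $end]:"
    mongo esa -u esa -p esa --quiet --eval "print(db.alert.count($filter))"
    mongo esa -u esa -p esa --quiet --eval "db.alert.remove($filter)"
    service puppet start         # puppet brings rsa-esa back up
    service rsa-esa status
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```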

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.4.x
Platform: CentOS

Summary

This article details how to delete a rule date range on ESA 10.4.
