|Applies To||RSA Product Set: NetWitness Logs & Packets|
RSA Product/Service Type: Respond Server, Incident Management
RSA Version/Condition: 11.x
|Issue||Sometimes, when you try to test or deploy certain Incident rules on Respond, you may get the error "Unexpected token: 'exists'" :|
You can also see "Invalid expression" error when trying to edit the rule:
|Cause||Some Rules Are Invalid for Version 11.x|
For example the rules "NetWitness Incident Management - Alert Details" and "NetWitness Incident Management - Incident Summary" are not valid for RSA NetWitness Platform version 11.x.
|Resolution||Please do not deploy these rules to an 11.x system.|
Note: Rules are updated frequently, and the documentation for them is available in the Content space on RSA Link. For the latest information on Rules, see RSA NetWitness Rules (https://community.rsa.com/docs/DOC-43419).
This problem is also documented in the Live Services Management Guide (Troubleshooting Chapter).