000037096 - When deploying some Incident rules from Live on Respond in RSA NetWitness Logs & Packets, you get the errors: "Invalid expression" or "Unexpected token: 'exists'"

Document created by RSA Customer Support Employee on Jan 14, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037096
Applies ToRSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: Respond Server, Incident Management
RSA Version/Condition: 11.x
IssueSometimes, when you try to test or deploy certain Incident rules on Respond, you may get the error "Unexpected token: 'exists'" :

User-added image

You can also see "Invalid expression" error when trying to edit the rule:

User-added image

CauseSome Rules Are Invalid for Version 11.x

For example the rules "NetWitness Incident Management - Alert Details" and "NetWitness Incident Management - Incident Summary" are not valid for RSA NetWitness Platform version 11.x. 
ResolutionPlease do not deploy these rules to an 11.x system.

Note: Rules are updated frequently, and the documentation for them is available in the Content space on RSA Link. For the latest information on Rules, see RSA NetWitness Rules (https://community.rsa.com/docs/DOC-43419).

This problem is also documented in the Live Services Management Guide (Troubleshooting Chapter).