000037499 - Event Stream Analysis (ESA) rule is disabled after being deployed in RSA NetWitness Logs and Packets 10.6 and higher

Document created by RSA Customer Support Employee on May 20, 2019. Last modified by RSA Customer Support Employee on May 20, 2019.
Version 2

Article Content

Article Number: 000037499
Applies To:
RSA Product Set: NetWitness Logs and Packets
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.6, 11.0, 11.1, 11.2, 11.3
Platform: CentOS
O/S Version: EL6, EL7
 
Issue: An ESA rule is disabled after being deployed to the ESA service, and the deployment reports the error below.

ESA was unable to deploy one or more rules, and these rules were disabled. Common issues include: missing metadata, invalid rule syntax, and unavailable external connections at the time of deployment.

At log level WARN, the ESA log contains the following message:
 

Implicit conversion from datatype 'String' to 'String[]' is not allowed

Cause: Within the ESA service, some meta keys were changed from a string type to a multi-valued (array) type. This affected the following rules:

| Rule # | Rule Name | Array Type Meta Keys in 11.3 |
|---|---|---|
| 1 | RIG Exploit Kit | threat_category |
| 2 | AWS Critical VM Modified | alert |
| 3 | Multiple Successful Logins from Multiple Diff Src to Same Dest | host.src and host.dst |
| 4 | Multiple Successful Logins from Multiple Diff Src to Diff Dest | host.src and host.dst |
| 5 | Multiple Failed Logins from Multiple Diff Sources to Same Dest | host.src and host.dst |
| 6 | Multiple Failed Logins from Multiple Users to Same Destination | host.src and host.dst |
| 7 | User Login Baseline | host.src and host.dst |
Resolution

To change the string type meta keys to string array type meta keys in RSA NetWitness Logs and Packets 11.3, see “Configure Meta Keys as Arrays in ESA Correlation Rule Values” in the ESA Configuration Guide for RSA NetWitness® Platform 11.3.

RSA NetWitness Logs and Packets 11.3

To deploy custom ESA rules that use the meta keys listed above, the rules must be updated to use the array syntax and then redeployed. For example:

| String Syntax | Array Syntax |
|---|---|
| threat_category = 'rig' | 'rig' = ANY(threat_category) |



If you had any of the rules listed above deployed before 11.3, note any rule parameters that you have changed in order to adjust the rules for your environment. Download the updated rules from RSA Live. Reapply any changes to the default rule parameters and deploy the rules. (For instructions, see “Download RSA Live ESA Rules” in the Alerting with ESA Correlation Rules User Guide for RSA NetWitness® Platform 11.3.)

RSA NetWitness Logs and Packets 11.2 and Prior

To deploy RSA Live ESA rules that use these keys, the meta keys must be added to the ESA service using the multi-valued type. In addition, any custom ESA rules using these meta keys must be updated to use array syntax. The steps below explain how to add the meta keys to the ESA service with the multi-valued type.

  1. In the RSA Security Analytics UI, navigate to Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames.
  2. In the ArrayFieldNames property, enter the meta keys separated by commas. Be sure to use underscores for multi-word meta keys.
  3. Restart the ESA service.
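As an added illustration (not part of the RSA article and not RSA code), the Python script below applies the two changes the article describes to custom rule text before redeployment: it rewrites `key = 'value'` comparisons on the array-typed meta keys from the table above into the `'value' = ANY(key)` form (the 11.3 section), reports any other comparison on those keys that still needs a manual edit, since a string compared against a string array is what the `Implicit conversion from datatype 'String' to 'String[]'` warning refers to, and builds the comma-separated ArrayFieldNames value for the 11.2-and-prior procedure. The sample rule is constructed, and the assumption that dotted keys such as host.src are written host_src in EPL and in ArrayFieldNames is this example's reading of the "use underscores" step.

```python
import re

# Meta keys that ESA 11.3 treats as string arrays (taken from the table above).
ARRAY_META_KEYS = ["threat_category", "alert", "host.src", "host.dst"]


def esa_key_name(meta_key: str) -> str:
    """Return the meta key as ESA spells it in EPL and in ArrayFieldNames.

    Assumption (not stated verbatim in the article): dotted NetWitness keys
    such as host.src become host_src, which is what the "use underscores for
    multi-word meta keys" step is taken to mean here.
    """
    return meta_key.replace(".", "_")


def array_field_names(meta_keys=ARRAY_META_KEYS) -> str:
    """Build the comma-separated value for the nextgenAggregationSource
    ArrayFieldNames property (11.2 and prior)."""
    return ",".join(esa_key_name(k) for k in meta_keys)


def convert_rule(epl: str, meta_keys=ARRAY_META_KEYS):
    """Rewrite `key = 'value'` on array-typed keys into `'value' = ANY(key)`.

    Returns (rewritten_epl, review_list). review_list holds any remaining
    comparison on an array key that this helper does not rewrite
    (!=, <>, IN, LIKE, REGEXP) so the rule author can fix it by hand.
    """
    names = sorted((esa_key_name(k) for k in meta_keys), key=len, reverse=True)
    alt = "|".join(re.escape(n) for n in names)

    # key = 'literal'  or  key = "literal", whitespace around '=' optional.
    # The leading \b keeps e.g. "alerts" from matching the key "alert".
    eq_pattern = re.compile(r"\b(" + alt + r")\s*=\s*('[^']*'|\"[^\"]*\")")
    converted = eq_pattern.sub(
        lambda m: f"{m.group(2)} = ANY({m.group(1)})", epl
    )

    # Anything else that compares an array key as if it were a plain string
    # is left untouched but reported for manual review.
    other = re.compile(
        r"\b(" + alt + r")\s*(!=|<>|IN\b|LIKE\b|REGEXP\b)", re.IGNORECASE
    )
    review = [m.group(0) for m in other.finditer(converted)]
    return converted, review


if __name__ == "__main__":
    # Constructed sample rule: one equality to convert, one comparison that
    # needs a manual look, and one non-array key that must stay as it is.
    sample = (
        "SELECT * FROM Event(threat_category = 'rig' "
        "AND host_src != '10.0.0.1' AND device_type = 'fw')"
    )
    new_rule, todo = convert_rule(sample)
    print("Rewritten rule:", new_rule)
    print("Needs manual review:", todo)
    print("ArrayFieldNames value:", array_field_names())
```

Run the script over each custom rule's EPL before redeploying; anything listed under "Needs manual review" still compares an array key as a plain string and would be disabled again on deployment until it is rewritten.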
