|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Security Analytics Server, Event Stream Analysis (ESA)
RSA Version/Condition: 10.5.x, 10.6.x
O/S Version: EL6
|Issue||When a rule is created and deployed using an in-memory enrichment and rows are later removed or added from the .CSV file, if the corresponding rule is deployed, alerts are not fired as expected.|
|Resolution||This issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.|
|Workaround||If rows are added to the .CSV file, remove the rule from deployment and deploy it again.|
However, if rows are removed this solution does not work. In the case of removed rows, you can work around this issue by removing the existing enrichment source (via Alerts > Configure > Settings > Enrichment Sources) and uploading the updated .CSV file using a different name. Then, manually add the in-rule enrichment to the rule, and redeploy the rule.