000032775 - RSA Security Analytics ESA rule is not triggering an alert for updated content of in-memory enrichment used in rule

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on May 7, 2019.
Version 3

Article Content

Article Number: 000032775
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Event Stream Analysis (ESA)
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
Issue: When a rule that uses an in-memory enrichment is created and deployed, and rows are later added to or removed from the enrichment .CSV file, the rule does not fire alerts for the updated content as expected when it is deployed again.
Resolution: This issue is fixed in a later release. If you are not able to upgrade to that release, use the following workaround.
Workaround: If rows were only added to the .CSV file, remove the rule from deployment and then deploy it again.

If rows were removed, redeploying the rule is not enough. Instead, remove the existing enrichment source (Alerts > Configure > Settings > Enrichment Sources), upload the updated .CSV file under a different name, manually add the newly uploaded enrichment to the rule, and then redeploy the rule.
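Because the two workaround paths differ depending on whether rows were removed, it helps to diff the .CSV that was deployed against the edited one before touching the rule. The script below is an added example, not RSA code or anything shipped with Security Analytics: it parses both files, reports added and removed rows, and maps the result onto the two paths above. Note that an edited row shows up as one removal plus one addition, so it is treated as a removal and routed to the rename path. The enrichment columns (host, severity) and the row values are constructed sample data, not from the original article.

```python
"""Decide which ESA in-memory enrichment workaround applies to an edited .CSV.

Added example (not RSA code). Compares the enrichment file that was deployed
with the edited one and maps the change onto the two workaround paths:
  - rows only added          -> remove the rule from deployment and redeploy
  - any row removed/changed  -> delete the enrichment source, re-upload the
                                file under a new name, re-add it to the rule,
                                and redeploy
"""
import csv
import io

# Constructed sample enrichment files (hypothetical watch-list with a severity column).
DEPLOYED_CSV = """host,severity
10.0.0.5,high
10.0.0.9,medium
10.0.0.12,low
"""

UPDATED_CSV = """host,severity
10.0.0.5,high
10.0.0.12,low
10.0.0.44,high
"""


def load_rows(text):
    """Parse CSV text into (column names, set of rows).

    Each row becomes a tuple of sorted (column, value) pairs so it is hashable
    and comparable regardless of column order. Duplicate rows collapse into one.
    """
    reader = csv.DictReader(io.StringIO(text))
    rows = {tuple(sorted(row.items())) for row in reader}
    return reader.fieldnames, rows


def diff_enrichment(deployed_text, updated_text):
    """Return the rows added to and removed from the deployed enrichment."""
    old_fields, old_rows = load_rows(deployed_text)
    new_fields, new_rows = load_rows(updated_text)
    if old_fields != new_fields:
        # A changed column layout is outside the scope of the workaround:
        # the rule's EPL would also have to be revisited.
        raise ValueError("column layout changed: %r -> %r" % (old_fields, new_fields))
    return {
        "added": [dict(r) for r in sorted(new_rows - old_rows)],
        "removed": [dict(r) for r in sorted(old_rows - new_rows)],
    }


def workaround_for(diff):
    """Map a diff onto the workaround path described in the article."""
    if diff["removed"]:
        return "rename"    # re-upload under a new name, re-add to rule, redeploy
    if diff["added"]:
        return "redeploy"  # remove the rule from deployment and deploy it again
    return "none"          # enrichment content is unchanged


if __name__ == "__main__":
    change = diff_enrichment(DEPLOYED_CSV, UPDATED_CSV)
    print("added:  ", change["added"])
    print("removed:", change["removed"])
    print("path:   ", workaround_for(change))
```

Run it with the deployed and edited files substituted for the two constants; a "rename" result means the simple remove-and-redeploy step will not be sufficient.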