000032746 - Rules containing a group-by statement with a multi-valued meta fail in RSA Security Analytics 10.6

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000032746

Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.6
Platform: CentOS
O/S Version: EL6

Issue: Rules containing a group-by statement with a multi-valued meta (such as alias_host) fail.

Steps to Reproduce:
  1. Create an ESA Rule with a single statement, having a multi-valued meta field such as alias_host in the condition, and group by that meta value.
  2. Inject matching events and attached events. The rule will not trigger.

Resolution: This issue is resolved in Security Analytics 10.6.1.
