| Field | Details |
|---|---|
| Applies To | RSA Product Set: Security Analytics<br>RSA Product/Service Type: Incident Management, Event Stream Analysis (ESA), Security Analytics UI<br>RSA Version/Condition: 10.5.x<br>O/S Version: EL6 |
| Issue | Newly created Incident Management (IM) aggregation rules for ESA alerts are processing old alerts. For instance, if an aggregation rule is created today, the alert list under Incident Management Alerts or SecOps Incidents contains alerts going back as far as a couple of months. |
| Cause | By default, an aggregation rule looks up all the alerts in the alert database, with no lower bound on their creation date. |
| Resolution | In the aggregation rule, there is an option to select alerts based on "Date Created". Add a condition for "Date Created" that is greater than or equal to the desired date in the aggregation rule itself, so that alerts created before that date are not matched. |
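To make the cause and the fix concrete, the following is an added illustration written for this article; it is not RSA code and does not use any RSA API. It models a simplified aggregation rule (the function names, the `source` condition and the constructed sample alerts are all assumptions) and shows that a rule with no "Date Created" condition sweeps in alerts that are months old, while the same rule with `date_created_min` set to the day the rule was created matches only alerts from that day onward.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample alert records (not real RSA data): a fixed "now",
# two ESA alerts that are months old, one recent ESA alert and one
# recent alert from a different source.
NOW = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)
TODAY_START = NOW.replace(hour=0, minute=0, second=0, microsecond=0)
SAMPLE_ALERTS = [
    {"id": "a1", "source": "ESA", "date_created": NOW - timedelta(days=70)},
    {"id": "a2", "source": "ESA", "date_created": NOW - timedelta(days=45)},
    {"id": "a3", "source": "ESA", "date_created": NOW - timedelta(hours=3)},
    {"id": "a4", "source": "Reporting Engine", "date_created": NOW - timedelta(hours=1)},
]


def matches_rule(alert, source=None, date_created_min=None):
    """Return True when the alert satisfies every condition of a hypothetical rule.

    A condition left as None is simply not applied. That mirrors the default
    behaviour described above: with no Date Created condition, every alert
    in the database is a candidate regardless of age.
    """
    if source is not None and alert["source"] != source:
        return False
    if date_created_min is not None and alert["date_created"] < date_created_min:
        return False
    return True


def aggregate(alerts, **conditions):
    """Return the ids of the alerts the rule would pull into an incident."""
    return [a["id"] for a in alerts if matches_rule(a, **conditions)]


def aggregate_from_rule_creation(alerts, rule_created_on, **conditions):
    """Same rule, but with Date Created >= the day the rule was created."""
    return aggregate(alerts, date_created_min=rule_created_on, **conditions)


if __name__ == "__main__":
    # Without the date condition the two months-old alerts are matched.
    print("no Date Created condition:", aggregate(SAMPLE_ALERTS, source="ESA"))
    # With Date Created >= today only the recent ESA alert is matched.
    print("Date Created >= today:   ",
          aggregate_from_rule_creation(SAMPLE_ALERTS, TODAY_START, source="ESA"))
```

The `source` condition stands in for whatever criteria the real rule already carries; the point is that those criteria say nothing about age, so the "Date Created" condition is what bounds the lookback.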