000032434 - Newly created Incident Management (IM) aggregation rules for ESA alerts are processing old alerts in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000032434
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management, Event Stream Analysis (ESA), Security Analytics UI
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6
Issue: Newly created Incident Management (IM) aggregation rules for ESA alerts are processing old alerts.
For instance, if an aggregation rule is created today, the Incident Management Alerts view or the SecOps Incidents view contains alerts going back as far as a couple of months.
Cause: By default, an aggregation rule matches against every alert in the alert database, regardless of when the alert was created.
Resolution: In the aggregation rule, there is an option to select alerts based on "Date Created".

Add a condition for "Date Created" that is greater than or equal to the date desired in the aggregation rule itself.
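The following is an added illustration, not RSA's code: a small simulation of how an aggregation rule selects alerts, written to show why a rule with no "Date Created" condition sweeps in months-old alerts and how the added condition limits the match set. The alert records, the field names (`source`, `severity`, `created`), the condition format and the operator set are all constructed assumptions for the example; the real rule engine's internals are not described on this page.

```python
"""Simulation of an IM aggregation rule's alert selection.

Constructed example, not RSA's own code. Alerts are made-up records; a rule
is a list of (field, operator, value) conditions, including the "Date Created"
cutoff that the article recommends adding.
"""
from datetime import datetime, timedelta, timezone
import operator

# "Today" for the example: the article's creation date, at noon UTC.
NOW = datetime(2016, 6, 14, 12, 0, tzinfo=timezone.utc)

# Constructed sample alerts: two are months old (the symptom described above),
# the rest were created today.
SAMPLE_ALERTS = [
    {"id": "a1", "source": "ESA", "severity": 90, "created": NOW - timedelta(days=70)},
    {"id": "a2", "source": "ESA", "severity": 50, "created": NOW - timedelta(days=45)},
    {"id": "a3", "source": "ESA", "severity": 95, "created": NOW - timedelta(hours=2)},
    {"id": "a4", "source": "Reporting Engine", "severity": 80, "created": NOW - timedelta(hours=1)},
    {"id": "a5", "source": "ESA", "severity": 60, "created": NOW - timedelta(minutes=10)},
]

# Assumed operator vocabulary for rule conditions.
OPERATORS = {
    "=": operator.eq,
    ">=": operator.ge,
    ">": operator.gt,
    "<=": operator.le,
}


def alert_matches(alert, conditions):
    """True when every (field, op, value) condition holds for the alert."""
    for field, op, value in conditions:
        actual = alert[field]
        if isinstance(actual, datetime) and isinstance(value, datetime):
            # Refuse naive timestamps: comparing a naive cutoff against an
            # aware alert time either raises or silently shifts by the local
            # offset, so a date condition must be stated in one time zone.
            if actual.tzinfo is None or value.tzinfo is None:
                raise ValueError("timestamps must be timezone-aware")
        if not OPERATORS[op](actual, value):
            return False
    return True


def select_alerts(alerts, conditions):
    """Return the ids of alerts the rule would aggregate, oldest first."""
    matched = [a for a in alerts if alert_matches(a, conditions)]
    return [a["id"] for a in sorted(matched, key=lambda a: a["created"])]


# Rule as described in the Cause section: no date condition, so every stored
# ESA alert matches, however old it is.
RULE_WITHOUT_DATE = [("source", "=", "ESA")]

# Rule with the fix from the Resolution section: Date Created greater than or
# equal to the start of the day the rule was created.
RULE_CREATED_ON = NOW.replace(hour=0, minute=0, second=0, microsecond=0)
RULE_WITH_DATE = [("source", "=", "ESA"), ("created", ">=", RULE_CREATED_ON)]


if __name__ == "__main__":
    print("without Date Created:", select_alerts(SAMPLE_ALERTS, RULE_WITHOUT_DATE))
    print("with Date Created:   ", select_alerts(SAMPLE_ALERTS, RULE_WITH_DATE))
```

Running the block shows the rule without a date condition picking up `a1` and `a2` from 70 and 45 days earlier, while the rule with the `created >= RULE_CREATED_ON` condition returns only today's ESA alerts. When setting the real condition in the UI, confirm which time zone the "Date Created" value is interpreted in, since a cutoff entered in local time can differ from the alert timestamps by several hours.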
