|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: SA Security Analytics UI
RSA Version/Condition: 10.5.0 and 10.5.0.1
O/S Version: 6
|Issue||When using query prefixes to limit which device types a user can see in the Investigation -> Navigate window, a single device.type prefix works as expected, but once a second device.type prefix is added, no results are rendered.|
Here is an example use case:
A user has a single role with one query prefix, such as device.type = 'ciscosecureacs'. This works as expected.
Next, add a second query prefix, such as device.type = 'forescoutcounteract'. Once the second device.type prefix is added, no search results are returned.
Tailing /var/log/messages shows that an “AND” search operation appears to be performed, whereas an “OR” operation would be appropriate.
|Cause||RSA Engineering has deemed this flawed functionality.|
|Resolution||This issue is slated to be fixed in 10.5.1 (service pack 1) for Security Analytics 10.5.|
|Workaround||No workaround exists for this issue; only 1 query prefix may be used in 10.5.0 and 10.5.0.1.|