000030584 - Graphical data incorrect in Investigation when using a user query_prefix in Security Analytics 10.4.1

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000030584
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition:
IssueInvestigations performed against a Core Service by a User with Query Prefix result in accurate meta values, but inappropriate graphical representation. The graphical representation displays event count for all events collected by respective Service over the set duration without considering the Query_Prefix set at User level. 
As shown in the example below, when a user's Query_Prefix set to domain.dst='msn.com', the meta values displayed are accurate, but the graphical representation displays event count for all events collected by the Service.
User-added image
CauseThis is identified as a flaw in 10.4 version, and is expected to be fixed in a future release of 10.5.X.  
ResolutionPlease see the workaround section for how to manage the issue until binary relief is included in a future release of Security Analytics.
WorkaroundThe behavior described is observed upon initiating the Investigation session itself. The issue can be worked around by clicking on various meta values or drill downs on the current page.  Upon this action, the page will display accurate values in graphical representation.
If you are unsure of any of the steps above, or wish to inquire if the fix is available yet, please contact RSA Technical Support, and quote this article number for further assistance.