|Applies To||RSA Product Set: Security Analytics, ESA; RSA Version/Condition: 10.4.X|
|Issue||In certain instances, rules that have been deleted may still trigger alerts on Security Analytics ESA appliances.|
A symptom is that the rule count shown under GUI -> Alert -> Configuration does not match the number of rules actually configured, as seen below:
|Cause||All rules are maintained in the ESA database, and ESA records must be synchronized correctly for deleted rules to be purged. When ESA 10.4.X synchronization is in an inconsistent state, reference records can become orphaned and remain in the database until they are purged. Until every reference to a deleted rule has been purged, that rule can still trigger alerts.|
|Resolution||Use the attached FixEsaRecords.js script on the SA server to delete the orphaned rule records.|
1. Copy FixEsaRecords.js to the /root directory on the SA server using scp or another secure copy tool.
2. SSH to the SA server as root, cd /root, and run the script against the sa database with the mongo shell, which reads it from standard input:
mongo localhost:27017/sa < FixEsaRecords.js
3. After the script has run, the rule count in the SA UI should match the number of rules actually configured.