000029168 - Queries against the subject meta key produce false positives in RSA Security Analytics 10.3 SP3

Document created by RSA Customer Support Employee on Jun 15, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000029168
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.3.3
Platform: CentOS
IssueWhen performing an exact match query against the subject meta key (i.e. subject = 'conference') while performing Security Analytics investigations, sessions with false positives are returned.  This can result in inaccurate alerts and reports.
In the example below, the query subject = 'conference' was performed, however the returned results include sessions that merely include the word "conference" within the subject.
Screenshot of an event showing the subject meta.
CauseBy default, the indexing level of the subject meta key is set to "IndexKeys" in the /etc/netwitness/ng/index-concentrator.xml file.  As this is the case, the meta key is affected by a known defect defined by the internal tracking number SACE-1055 in which the query engine treats queries such as select session_id where subject = 'anything' as if they were select session_id where subject exists instead.
ResolutionIn order to permanently resolve the issue, one of the action plans below must be performed.
WorkaroundAs an alternative workaround for the issue, an entry similar to the example below can be added to the index-concentrator-custom.xml file of the affected concentrator(s) to change the indexing level from "IndexKeys" to "IndexValues" for the subject meta key.
<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
    <key description="Subject" level="IndexValues" name="subject" format="Text" valueMax="100000"/>

However, as the concentrator(s) would still be affected by the known defect mentioned above, this is not the recommended course of action.