Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.3.3
Issue:
When an exact match query is performed against the subject meta key (e.g. subject = 'conference') during Security Analytics investigations, sessions that do not actually match are returned as false positives. This can result in inaccurate alerts and reports.
In the example below, the query subject = 'conference' was performed; however, the returned results include sessions that merely contain the word "conference" somewhere within the subject.
Cause:
By default, the indexing level of the subject meta key is set to "IndexKeys" in the /etc/netwitness/ng/index-concentrator.xml file. Because of this, the meta key is affected by a known defect tracked under the internal number SACE-1055, in which the query engine treats a query such as select session_id where subject = 'anything' as if it were select session_id where subject exists.
Resolution:
To resolve the issue permanently, one of the action plans below must be performed.
Workaround:
As an alternative workaround for the issue, an entry similar to the example below can be added to the index-concentrator-custom.xml file of the affected concentrator(s) to change the indexing level from "IndexKeys" to "IndexValues" for the subject meta key.
<?xml version="1.0" encoding="utf-8"?>
However, as the concentrator(s) would still be affected by the known defect mentioned above, this is not the recommended course of action.
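The custom index entry the workaround refers to, as an added illustration that is not taken from the article (only the XML declaration survived on the page). It assumes the documented index-concentrator-custom.xml layout of a language element wrapping key elements; the description text and the valueMax value are assumed placeholders to be adjusted for the environment, while the name and level attributes carry the change the workaround describes.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the article. Override for the subject meta key:
     level moves from the default "IndexKeys" to "IndexValues" so that
     individual subject values are indexed. valueMax is an assumed placeholder. -->
<language level="IndexNone" defaultAction="Auto">
    <key description="Subject" format="Text" level="IndexValues" name="subject" valueMax="100000" defaultAction="Open"/>
</language>
```

After the file is saved the concentrator service must be restarted for the custom index to take effect, and the change applies only to sessions indexed from that point on; existing sessions keep their original index level.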