000035446 - The policy.name meta key is returning multiple values for the same key in RSA Security Analytics

Document created by RSA Customer Support Employee on Aug 12, 2017Last modified by RSA Customer Support Employee on Aug 18, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000035446
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Log Decoder, Concentrator, Event Stream Analysis
RSA Version/Condition: 10.4, 10.5, 10.6
Issuepolicy.name parses two different values and appears to conflict what values to use in creating rules.
Causepolicy.name has been brought over from RSA enVision and has included both policy.name and signature.name under the same key on index-table-map.xml.
<mapping envisionName="signame" nwName="policy.name" flags="None" envisionDisplayName="SignatureName"/>
<mapping envisionName="policyname" nwName="policy.name" flags="None" envisionDisplayName="PolicyName"/>

WorkaroundTo separate the confusion from policy.name and signature name you can add to table-map-custom.xml on the log decoder and index-concentrator-custom.xml on the concentrator.
On the log decoder in table-map-custom.xml add:
<mapping envisionName="signame" nwName="sig.name" flags="None" envisionDisplayName="SignatureName"/>

On the concentrator in index-concentrator-custom.xml add:
<key description="Sig Name" level="IndexValues" name="sig.name" format="Text" valueMax="10000" />
NotesFor more information on the creation of custom meta keys please refer to the RSA Security Analytics documentation.