Applies To
RSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Version/Condition: 10.x, 11.x
O/S Version: 6, 7
Users may see duplicated meta data when they subscribe to the new Investigation Feed.
The Investigation Feed is meant to immediately replace the Hunting Feed, and in the near term, also replace the Alert IDs feeds.
The Hunting Feed wrote the same text-based name of the content logic into one of the six Hunting meta keys. Since Content now directly writes to one of the six Hunting meta keys, the Hunting Feed is no longer necessary.
Going forward, Content will only write to one of the six Hunting meta keys. Previously, Content wrote to the Alert ID meta key. The three Alert IDs Feeds use the Alert ID meta key to write a text-based name of the content into one of the following meta keys: Risk: Informational, Risk: Suspicious, or Risk: Warning. These keys are deprecated in favor of the Hunting keys, but are still active in Live.
The Alert ID feeds are still in Live for the following reasons:
Note the following duplication of data issues:
Example of duplicated data:
RSA recommends the immediate removal of the Hunting Feed from the Log Decoders and Packet Decoders.
If you actively use the Risk: Informational, Risk: Suspicious, and Risk: Warning meta keys within your system, RSA recommends you leave the Alert ID Feeds in place for now.
We recommend that you update your Content and processes to use the Hunting and Investigation keys. Then, you can and should remove the Alert IDs Feeds from your Log Decoders and Decoders. Once you have removed these feeds from your system, you will no longer receive duplicate meta values.