Multiple values for same metakey?
I happened to create a custom-feed for metakey value threat_source. I used this custom feed in an EPL rule. But the problem is that in some cases threat_source has two values, i.e. let's say IP address 10.10.1.1 belongs to threat_source 'rsafirst-watch' as well as to threat_source 'custom-feed'. This is causing a problem in triggering the alert. So if there are two values for a single metakey, will RSA ignore one of them (in this case RSA is not considering threat_source as 'customfeed')?
We are using the default parser trendmicrodsa (updated from live) but observing multiple values for a single meta (alias.host).
Any help to fix this would be appreciated.