To deploy custom ESA rules using the above listed meta keys, the rules must be updated to use the array syntax and then redeployed. For example, a scalar comparison such as:
threat_category = 'rig'
becomes:
'rig' = ANY(threat_category)
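The rewrite shown above has to be applied to every scalar comparison on a multi-valued key in a custom rule, both in 11.3 and in the 11.2-and-prior procedure further down. The following helper is an added example, not an RSA tool: it rewrites `key = 'value'` comparisons on a given set of multi-valued keys into the `'value' = ANY(key)` form and reports any that were left unconverted. The key set is an assumption constructed for illustration; substitute the keys you actually configured.

```python
import re

# Constructed set of multi-valued meta keys (assumed names for illustration;
# use the keys you added to ArrayFieldNames / listed in your deployment).
MULTI_VALUED_KEYS = {"threat_category", "threat_desc", "alias_host"}

# Matches an identifier compared with '=' to a single-quoted EPL string literal,
# e.g.  threat_category = 'rig'  or  alias_host='evil.example'
_SCALAR_EQ = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*=\s*('(?:[^'\\]|\\.)*')")


def to_array_syntax(expr: str, keys=MULTI_VALUED_KEYS) -> str:
    """Rewrite `key = 'value'` to `'value' = ANY(key)` for multi-valued keys.

    Comparisons on keys that are not multi-valued are left untouched, and
    expressions already in ANY() form are returned unchanged (idempotent).
    """
    def repl(match: re.Match) -> str:
        key, literal = match.group(1), match.group(2)
        if key in keys:
            return f"{literal} = ANY({key})"
        return match.group(0)

    return _SCALAR_EQ.sub(repl, expr)


def find_unconverted(expr: str, keys=MULTI_VALUED_KEYS) -> list:
    """Return multi-valued keys still compared with scalar '='.

    A rule that still uses the scalar form against an array-typed key will
    not match, so this is the check to run before redeploying a rule.
    """
    return sorted({m.group(1) for m in _SCALAR_EQ.finditer(expr)
                   if m.group(1) in keys})


if __name__ == "__main__":
    # Constructed sample WHERE clause from a custom rule
    clause = "ip_src = '10.0.0.1' AND threat_category = 'rig'"
    print(find_unconverted(clause))      # ['threat_category']
    fixed = to_array_syntax(clause)
    print(fixed)                          # ip_src = '10.0.0.1' AND 'rig' = ANY(threat_category)
    print(find_unconverted(fixed))       # []
```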
If you had any of the above listed rules deployed before 11.3, note any rule parameters that you have changed in order to adjust the rules for your environment. Download the updated rules from RSA Live. Reapply any changes to the default rule parameters and deploy the rules. (For instructions, see “Download RSA Live ESA Rules” in the Alerting with ESA Correlation Rules User Guide for RSA NetWitness® Platform 11.3.)
RSA NetWitness Logs and Packets 11.2 and Prior
To deploy RSA Live ESA rules using these keys, the meta keys must be added to the ESA service using the multi-valued type. In addition, any custom ESA rules using these meta keys must be updated to use array syntax. The steps below explain how to add the meta keys to the ESA service with the multi-valued type.
In the RSA Security Analytics UI, go to Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames.
In the ArrayFieldNames property, enter the meta keys separated by commas. Be sure to use underscores for multi-word meta keys.