
Multiple app rules using the same metakey

Question asked by Matthew McCallum on Oct 17, 2016
Latest reply on Oct 20, 2016 by Matthew McCallum

I am having trouble creating ESA alerts that trigger when the alert.id metakey is populated by an app rule. The issue is that there are multiple app rules using the alert.id field and ESA alerts appear to only trigger on the first alert.id value (based on event view packets can have multiple alert.id values).


Is there a way to have ESA alerts work with multiple alert.id fields? The only way to ensure that multiple alert.ids aren't applied to the same packet would be to have only one app rule use that metakey and have every other app rule use different unique metakeys, which does not seem sustainable or desirable. I have tried contains instead of is for the ESA matching condition, but it doesn't help.
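As an added illustration (not part of the question above and not RSA NetWitness code): a small Python model of what happens when a meta key such as alert.id carries several values on one event. The first condition only looks at the first value, which is the behaviour the question describes; the second treats the key as a list and matches if any value equals the wanted rule name. The event records are constructed, and the Esper-style comparison quoted in the comments (`'rule_b' = ANY(alert_id)`) is an assumption about how such a condition would be expressed in an ESA rule, not something the thread confirms.

```python
from typing import Any, Callable, Dict, List

# Constructed sample events. alert.id on e3 is multi-valued because two app
# rules matched the same packet; e4 has no alert.id at all.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": "e1", "alert.id": "rule_a"},
    {"id": "e2", "alert.id": "rule_b"},
    {"id": "e3", "alert.id": ["rule_a", "rule_b"]},
    {"id": "e4"},
]


def as_list(value: Any) -> List[Any]:
    """Normalise a meta value: a key may be absent, single-valued or multi-valued."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return list(value)
    return [value]


def first_value_is(key: str, wanted: str) -> Callable[[Dict[str, Any]], bool]:
    """Condition that inspects only the first value of the key.

    This models the symptom from the question: a rule written as
    `alert_id = 'rule_b'` firing only when 'rule_b' happens to be first.
    """
    def cond(event: Dict[str, Any]) -> bool:
        values = as_list(event.get(key))
        return bool(values) and values[0] == wanted
    return cond


def any_value_is(key: str, wanted: str) -> Callable[[Dict[str, Any]], bool]:
    """Condition that matches if ANY value of the key equals `wanted`.

    Assumed EPL equivalent (not confirmed by the thread):
        SELECT * FROM Event(alert_id IS NOT NULL AND 'rule_b' = ANY(alert_id))
    """
    def cond(event: Dict[str, Any]) -> bool:
        return wanted in as_list(event.get(key))
    return cond


def evaluate(events: List[Dict[str, Any]], cond: Callable[[Dict[str, Any]], bool]) -> List[str]:
    """Return the ids of the events for which the condition fires."""
    return [event["id"] for event in events if cond(event)]


if __name__ == "__main__":
    # Only e2 fires when just the first value is checked; e3 is missed.
    print("first-value match:", evaluate(SAMPLE_EVENTS, first_value_is("alert.id", "rule_b")))
    # e2 and e3 fire when every value is considered.
    print("any-value match:  ", evaluate(SAMPLE_EVENTS, any_value_is("alert.id", "rule_b")))
```

The point of the model is that a detection keyed on a multi-valued meta key has to be written as a membership test over all values; an equality test against a scalar silently drops every event where the wanted value is not first, which is exactly the blind spot the question describes.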
