I am having trouble creating ESA alerts that trigger when the alert.id metakey is populated by an app rule. The issue is that there are multiple app rules using the alert.id field, and ESA alerts appear to only trigger on the first alert.id value (based on the event view, packets can have multiple alert.id values).
Is there a way to have ESA alerts work with multiple alert.id fields? The only way to ensure that multiple alert.ids aren't applied to the same packet would be to have only one app rule use that metakey and have every other app rule use a different unique metakey, which does not seem sustainable or desirable. I have tried "contains" instead of "is" for the ESA matching condition, but it doesn't help.