I'm in a situation where ESA shouldn't fire if the Meta Key has a "defined" value, even if it has multiple values in the same event log. Unfortunately, I can't modify the custom device mapping now.
alert_id = scanner
alert_id = non-pci
I have a condition in the alert configured to fire if the alert_id is not "non-pci". The alert is firing since the first alert_id value isn't "non-pci"; however, there is a "non-pci" value present in that Meta Key further down, but ESA isn't taking that value into account. Is there any way I can force ESA to look at that Meta Key's values till the end, so that it shouldn't fire if any one of the values matches?