Question about ESA Alert Detection

Question asked by Ravi Krishnanandam on Dec 5, 2016
I'm in a situation where ESA must not fire if the Meta Key has a "defined" value, even if it has multiple values in the same event log. Unfortunately, I can't modify the custom device mapping now.



alert_id = scanner

alert_id = non-pci


I have a condition in the alert configured to fire if the alert_id is not "non-pci". The alert is firing since the first alert_id isn't the "non-pci" value; however, there is a "non-pci" value present in that meta key further down, but ESA isn't taking that value into account. Is there any way I can force ESA to look at that Meta Key's values till the end, and not fire if any one of the values matches?