AnsweredAssumed Answered

Multiple values for same metakey ?

Question asked by jees francis on Nov 23, 2017
Latest reply on Dec 8, 2017 by jees francis

Like • Show 1 Like1
Comment • 4

I happened to create a custom-feed for metakey value threat_source. I used this custom feed in a EPL rule. But problem is in some cases threat_source have two values i.e lets say IP address 10.10.1.1 is belongs to threat_source 'rsafirst-watch' as well it belongs threat_source 'custom-feed'. This is causing problem in triggering alert. So if there are two values for a single metakey will RSA ignore one of them ( in this case RSA is not considering threat_source as 'customfeed') ?

1 person has this question

Outcomes

4 Replies

roberto fasciani Nov 24, 2017 6:05 AM
Mark Correct
Correct Answer
Hello Jees,
You should convert the Meta threat_source into array type and You should use custom functions for the multi-valued

RSA NetWitness Event Stream Analysis (ESA) Rules
1 person found this helpful
Like • Show 0 Likes0
Actions
- jees francis @ roberto fasciani on Dec 5, 2017 11:34 PM
  Mark Correct
  Correct Answer
  Hello Roberto,
  
  Very Helpful. Thanks!
  Like • Show 0 Likes0
  Actions
Utsav Sejpal Nov 24, 2017 7:45 AM
Mark Correct
Correct Answer
Hi Team,

We are using defaul parser trendmicrodsa (updated from live) but observing multiple values for single meta (alias.host).

Any help to fix this would be appreciated.

Thanks
Utsav Sejpal
Like • Show 0 Likes0
Actions
- jees francis @ Utsav Sejpal on Dec 8, 2017 3:28 AM
  Mark Correct
  Correct Answer
  Hi All,
  
  If i create a custom metakey in 'index-logdecoder-custom.xml' and restart the service, will it cause any issues to the existing metakeys ?
  Like • Show 0 Likes0
  Actions

Multiple values for same metakey ?

Outcomes

Related Content

Recommended Content