I happened to create a custom feed for the meta key value threat_source. I used this custom feed in an EPL rule. But the problem is that in some cases threat_source has two values, i.e. let's say IP address 10.10.1.1 belongs to threat_source 'rsafirst-watch' as well as to threat_source 'custom-feed'. This is causing a problem in triggering the alert. So if there are two values for a single meta key, will RSA ignore one of them (in this case RSA is not considering threat_source as 'custom-feed')?
Hello Jees,
You should convert the meta key threat_source into an array type, and you should use the custom functions for multi-valued meta.
RSA NetWitness Event Stream Analysis (ESA) Rules
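The following is an added EPL example illustrating the answer above; it is not code from the thread or from RSA. It assumes threat_source has been declared as a string[] (array) meta key in the ESA configuration, that the standard Esper enumeration method anyOf is available, and that the isOneOfIgnoreCase custom function exists in this ESA version (names and annotations are assumptions; check them against the ESA Rule Writing guide for your release).

```epl
module Module_custom_feed_threat;

/*
 * BROKEN: threat_source treated as a single string.
 * When a session carries two values (e.g. 'rsafirst-watch' and 'custom-feed'),
 * only one of them is visible to this comparison, so the rule misses the
 * session whenever 'custom-feed' is not the value that was kept.
 */
@Name('Module_custom_feed_threat_scalar')
@Description('Scalar comparison - misses multi-valued threat_source')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
    threat_source = 'custom-feed'
);

/*
 * FIXED: threat_source declared as string[] in the ESA meta key settings
 * (assumption: done in the ESA advanced/meta configuration for this key).
 * anyOf walks every value in the array, so the session matches whether
 * 'custom-feed' is the first, second, or only value.
 */
@Name('Module_custom_feed_threat_array')
@Description('Array-aware comparison - fires on any value equal to custom-feed')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
    threat_source IS NOT NULL
    AND threat_source.anyOf(v => v = 'custom-feed')
);

/*
 * Equivalent using the ESA custom function for multi-valued meta
 * (assumption: isOneOfIgnoreCase(field, { values }) is present in this release).
 * Handy when you also want to match several feed names at once.
 */
@Name('Module_custom_feed_threat_customfn')
@Description('Custom function form - matches any of the listed feed names')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
    threat_source IS NOT NULL
    AND isOneOfIgnoreCase(threat_source, { 'custom-feed' })
);
```

Deploy only one of the two array-aware statements in practice; both are shown so the difference from the scalar version is visible side by side. If threat_source is still declared as a plain string, the array forms will fail to compile when the rule is enabled, which is a quick way to confirm whether the meta key type change actually took effect.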