ESA - Match on Multiple Occurrences of a Single Meta-Key?

Question asked by Drew Contractor on Jun 22, 2018
Latest reply on Jun 25, 2018 by Nick Mikhal



I want to build an ESA alert that will trigger on any single event where multiple instances of the error meta-key are present in the event metadata.


As an example,    =    "investigation"
analysis.file    =    
error    =    
error    =    
error    =    


I've already tried numerous approaches, but nothing seems to work. Also, I found it interesting to note that the error meta-key is of type string and not string array.


Any suggestions would be welcomed and appreciated. Thanks in advance.