
Any ESA experts willing to lend a hand?

Question asked by skdixon1 on Jul 7, 2015
Latest reply on Sep 24, 2016 by Sal Sanshez

I'm a bit perplexed on this one. The last time I ran across this same error, I figured a way around it by taking out the value that I was trying to have in the rule. But....

I've constructed a scenario I want to create a rule against, and I'm unsure how to do so:

 

    SELECT * FROM
    Event(
        medium = 32
        AND threat_source = <insert threat source value here>
        AND traffic_direction = <Internal to external>
        AND action = 'tcp_hit'
    );

 

Syntax passes with flying colors!


I go to sync the rule and it starts off out of the gate disabled (discovered recently there are two tollgates to getting a rule deployed).

 

The error message states as such:

    Esper deployment of module "<Keith's first super awesome advanced rule>" (id=559c3ce3f2803e7bd95fd4ba) failed. Reason: Deployment failed in module 'Module_1999090174_Alert' in module url '559c3ce3f2803e7bd95fd4ba' in expression '@RSAAlert(oneInSeconds=0, identifiers={"user_dst"}...(221 chars)' : Implicit conversion from datatype 'String' to 'String[]' is not allowed [@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
    SELECT * FROM
    Event(
        medium = 32
        AND threat_source = <insert threat source value here>
        AND traffic_direction = <Internal to external>
        AND action = 'tcp_hit'
    )]


On a previous attempt at such a rule, I had to go to Settings --> Meta key reference and find which one was the 'String[]'.


Unfortunately, for the scenario I am trying to make a rule for, the action meta is vital (and of course, it's the action meta that's the 'String[]').


Any help and/or guidance would be greatly appreciated.
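The failing comparison next to the form Esper accepts for an array-typed property, added here as an illustration and not part of the original post. The angle-bracket values are placeholders for the poster's own meta values, and the @RSAAlert annotation is the one ESA generates, shown only so the statement reads as deployed.

```epl
// Added example, not the poster's rule. <...> values are placeholders.

// Fails to deploy: the Meta key reference lists 'action' as String[],
// so 'action = <String literal>' asks Esper for an implicit
// String -> String[] conversion, which it refuses.
//
//   AND action = 'tcp_hit'

// Deploys: '<literal> = ANY(<array property>)' is Esper's array
// comparison. It is true when any element of the multi-valued
// 'action' meta equals the literal, which is the intended match.
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
    medium = 32
    AND threat_source = '<threat source placeholder>'
    AND traffic_direction = '<traffic direction placeholder>'
    AND 'tcp_hit' = ANY(action)
);
```

Any other meta key the Meta key reference shows as 'String[]' needs the same `= ANY(...)` form; single-valued 'String' keys keep plain equality.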
