2015-07-07 05:10 PM
I'm a bit perplexed on this one. The last time I ran across this same error, recently, I figured out a way around it by taking out the value I was trying to have in the rule. But...
I've constructed a scenario I want to create a rule against and I'm unsure how to do so:
SELECT * FROM
Event(
medium = 32
AND
threat_source = <insert threat source value here>
AND
traffic_direction = <Internal to external>
AND
action = 'tcp_hit'
);
Syntax passes with flying colors!
I go to sync the rule and it starts off out of the gate disabled (discovered recently there are two tollgates to getting a rule deployed).
The error message states as such:
Esper deployment of module "<Keith's first super awesome advanced rule>" (id=559c3ce3f2803e7bd95fd4ba) failed. Reason: Deployment failed in module 'Module_1999090174_Alert' in module url '559c3ce3f2803e7bd95fd4ba' in expression '@RSAAlert(oneInSeconds=0, identifiers={"user_dst"}...(221 chars)' : Implicit conversion from datatype 'String' to 'String[]' is not allowed [@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
medium = 32
AND
threat_source = <insert threat source value here>
AND
traffic_direction = <Internal to external>
AND
action = 'tcp_hit'
)]
On a previous attempt at such a rule, I had to go to Settings --> Meta key reference and find which one was the 'String[]'.
Unfortunately, for the scenario I am trying to make a rule for, the action meta is vital (and of course, it's the action meta that's the 'String[]').
Any help and/or guidance would be greatly appreciated.
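An added example, not part of the original post and not RSA's own code: the deployment error comes from comparing the String[] meta key action to a single string, and Esper's ANY operator tests array membership instead. The threat_source and traffic_direction predicates are left out because their values are elided in the post; the example assumes medium is a scalar key, as the post's error implies.

```sql
/* Added example (Esper EPL). Assumes 'action' is String[] per the
   Meta key reference, as stated in the post. */

/* Fails at deployment: a String literal cannot be implicitly
   converted to String[] for an equality test.

   Event(
       medium = 32
       AND
       action = 'tcp_hit'
   )
*/

/* Deploys: ANY checks whether 'tcp_hit' is one of the values
   held in the action array for the event. */
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
    medium = 32
    AND
    'tcp_hit' = ANY(action)
);
```

The same pattern applies to any other key the Meta key reference lists as String[]: put the literal on the left and wrap the key in ANY().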
2016-09-24 06:58 PM
Great info, guys.
Thanks for the effort.