2016-10-17 04:35 PM
I am having trouble creating ESA alerts that trigger when the alert.id metakey is populated by an app rule. The issue is that there are multiple app rules using the alert.id field and ESA alerts appear to only trigger on the first alert.id value (based on event view packets can have multiple alert.id values).
Is there a way to have ESA alerts work with multiple alert.id fields? The only way to ensure that multiple alert.ids aren't applied to the same packet would be to have only one app rule use that metakey and have every other app rule use different unique metakeys, which does not seem sustainable or desirable. I have tried contains instead of is for the ESA matching condition, but it doesn't help.
2016-10-17 04:53 PM
Hey Matt,
you would probably want to use an array value to ensure that all values are hit that are populating a key more than once.
You'll also want to ensure that the key you have set up is defined as an array (string[]), shown here:
You can check here for details:
Step 2: Build a Rule Statement - RSA Security Analytics Documentation
2016-10-17 05:33 PM
As a note, generally you should not use the "alert.id" meta key for generating alerts. The alert.id key is used by app rules and parsers to tag a single value into the key (ex. nw12345) that then triggers the alert.id feeds (alert.warning, alert.suspicious, alert.info) to use that nwxxxx name to create multiple meta values in other keys (risk.warning, risk.suspicious, risk.info, threat.source, threat.category). It is not meant to be a general "alert" key; that is what the actual "alert" metakey is for.
To use any metakey that has multiple values in a single session, that key needs to be configured as an "array". If you look in Alerts -> Configure -> Settings tab, the meta keys with [] next to them are defined to be arrays. If you want to make a key an array variable, you can change them by going to Administration -> Services -> <ESA Server> -> View -> Explore and expanding Workflow -> Source -> nextgenAggregationSource -> ArrayFieldNames; this is a comma-separated list of ESA meta keys that are arrays (in ESA format, so "alias.host" is "alias_host" in the list).
Syntax is different for array variables.
Non-Array:
alert_id = 'nw12345'
Array:
'nw12345' = ANY ( alert_id )
If at all possible, use the "result" of the alert.id feed to create your alert from the risk.info, risk.suspicious, or risk.warning keys.
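To make the difference between the two syntaxes concrete, here is a small added simulation (not RSA code, and not part of this thread) of how a rule condition sees a multi-valued key depending on whether that key is listed in ArrayFieldNames. The session record, the ArrayFieldNames value, and the "non-array keys expose only their first value" rule are all constructed assumptions based on the behaviour described above.

```python
"""Simulate ESA rule matching against a session meta key that carries several
values, depending on whether the key is declared as an array.

Added illustration, not RSA code: it models the behaviour the thread
describes (a key not listed in ArrayFieldNames exposes only its first value,
while an array key is matched with ANY()). All data below is constructed.
"""

# Constructed sample: one session that two app rules tagged with alert.id.
SESSION = {
    "alert.id": ["nw10001", "nw12345"],   # two app rules fired on this packet
    "alias.host": ["mail.example.test"],
}

# Constructed value for Workflow -> Source -> nextgenAggregationSource ->
# ArrayFieldNames (ESA names use '_' in place of '.'); alert_id is absent.
ARRAY_FIELD_NAMES = "alias_host"


def to_esa_name(meta_key: str) -> str:
    """Translate a NetWitness meta key name to ESA form ("alias.host" -> "alias_host")."""
    return meta_key.replace(".", "_")


def parse_array_field_names(array_field_names: str) -> set:
    """Split the comma-separated ArrayFieldNames list into a set of ESA key names."""
    return {name.strip() for name in array_field_names.split(",") if name.strip()}


def add_array_key(array_field_names: str, meta_key: str) -> str:
    """Return the ArrayFieldNames value with meta_key declared as an array (idempotent)."""
    declared = parse_array_field_names(array_field_names)
    declared.add(to_esa_name(meta_key))
    return ",".join(sorted(declared))


def is_array_key(meta_key: str, array_field_names: str = ARRAY_FIELD_NAMES) -> bool:
    """True if the key is declared as an array in ArrayFieldNames."""
    return to_esa_name(meta_key) in parse_array_field_names(array_field_names)


def esa_view(session: dict, meta_key: str, array_field_names: str = ARRAY_FIELD_NAMES):
    """What the engine exposes for a key: the whole list for an array key,
    otherwise only the first value (the behaviour described in the thread)."""
    values = session.get(meta_key, [])
    if is_array_key(meta_key, array_field_names):
        return list(values)
    return values[0] if values else None


def non_array_match(session, meta_key, wanted, array_field_names=ARRAY_FIELD_NAMES) -> bool:
    """Equivalent of the EPL condition  alert_id = 'nw12345'  (scalar comparison)."""
    return esa_view(session, meta_key, array_field_names) == wanted


def array_match(session, meta_key, wanted, array_field_names=ARRAY_FIELD_NAMES) -> bool:
    """Equivalent of the EPL condition  'nw12345' = ANY(alert_id)  (array comparison).
    Raises if the key is not an array, since ANY() needs an array-typed key."""
    view = esa_view(session, meta_key, array_field_names)
    if not isinstance(view, list):
        raise TypeError(f"{meta_key} is not declared in ArrayFieldNames; ANY() needs an array key")
    return wanted in view


if __name__ == "__main__":
    # With the scalar key only the first app rule's value is ever seen.
    print(non_array_match(SESSION, "alert.id", "nw10001"))   # True
    print(non_array_match(SESSION, "alert.id", "nw12345"))   # False: the thread's problem
    # After declaring alert_id as an array, ANY() sees both values.
    fixed = add_array_key(ARRAY_FIELD_NAMES, "alert.id")
    print(fixed)                                              # alert_id,alias_host
    print(array_match(SESSION, "alert.id", "nw12345", fixed))  # True
```

The two match functions stand in for the two EPL forms quoted above; the point is that declaring the key in ArrayFieldNames is what changes which values the condition can see, not the choice of operator alone.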
2016-10-19 01:07 PM
The alert metakey on our implementation was configured as a string. I attempted to make the changes John specified to configure it as an array so that I could use it for alerting purposes, but it doesn't appear to work.
I made the change described:
But the change is not reflected on the Metakey references page:
This results in me having the same issue using the alert metakey, namely that the first alert that tags the packet is the only alert ESA rules can detect.
2016-10-19 01:08 PM
This reply was actually meant for John... I clicked the wrong reply button
2016-10-20 05:12 PM
Do you need to restart the ESA service after changing a metakey from a string to an array? As I mentioned in another post, I made the change you suggested, but it doesn't seem to have done anything, as the metakey references page still indicates that the metakey is a string.