This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Multiple values for same metakey ?

jeesfrancis
Beginner
Beginner

‎2017-11-23 11:44 PM

I happened to create a custom-feed for metakey value threat_source. I used this custom feed in a EPL rule. But problem is in some cases threat_source have two values i.e lets say IP address 10.10.1.1 is belongs to threat_source 'rsafirst-watch' as well it belongs threat_source 'custom-feed'. This is causing problem in triggering alert. So if there are two values for a single metakey will RSA ignore one of them ( in this case RSA is not considering threat_source as 'customfeed') ?

 

pastedImage_1.png

4 REPLIES 4

robertofasciani
Beginner
Beginner

‎2017-11-24 06:05 AM

Hello Jees,

You should convert the Meta threat_source into array type and You should use custom functions for the multi-valued

 

RSA NetWitness Event Stream Analysis (ESA) Rules 

UtsavSejpal
Beginner
Beginner

‎2017-11-24 07:40 AM

Hi Team,

 

We are using defaul parser trendmicrodsa (updated from live) but observing multiple values for single meta (alias.host).

 

Any help to fix this would be appreciated. 

 

pastedImage_2.png

 

 

 

Thanks

Utsav Sejpal

0 Likes

jeesfrancis
Beginner
Beginner
In response to robertofasciani

‎2017-12-05 11:34 PM

Hello Roberto,

 

Very Helpful. Thanks!

0 Likes

jeesfrancis
Beginner
Beginner
In response to UtsavSejpal

‎2017-12-08 03:28 AM

Hi All,

 

If i create a custom metakey in 'index-logdecoder-custom.xml' and restart the service, will it cause any issues to the existing metakeys ? 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.