First a suggestion, whatever you have adding data to alert.id, change it to a new key. alert.id is an internally used meta-key that is used generate additional meta from matches by RSA parsers, feeds and application rules. The alertids_info, alertids_suspicious, and alertids_warning feeds are used to take values added to alert.id and create meta in risk.info, risk.suspicious, risk.warning, threat.source, and threat.category. It is not intended for general alerting use.
If you have identification feeds that are tagging your data, add your own key to put this data into.
Now, for your issue with ESA, the reason you are not getting a hit, is if a metakey had multiple values, it has to be defined as an array in ESA and then called in a different way to get a match.
alert_id is not set as an array, since it is never supposed to be used in ESA, only on the decoder.
To define a key as an array:
Administration -> Services -> <ESA host> -View -> Explore
Expand Workflow -> Source, and click on "nextgenAggregationSource"
add the key to the ArrayFieldNames entry (comma separated)
Restart ESA service
to match an array variable in your example:
( 'non-pci' != ANY( alert_id ) )
