2016-12-05 12:37 PM
I'm in a situation where ESA shouldn't fire if the Meta Key has a "defined" value, even if it has multiple values in the same event log. Unfortunately I can't modify the custom device mapping now.
Example:
alert_id = scanner
alert_id = non-pci
I have a condition in the alert configured to fire if the alert_id is not "non-pci". The alert is firing since the first alert_id isn't the "non-pci" value; however, there is a "non-pci" value present in that meta key further down, but ESA isn't taking that into account. Is there any way I can force ESA to look at that Meta Key's values till the end and not fire if any one of the values matches?
2016-12-05 05:22 PM
First a suggestion: whatever you have adding data to alert.id, change it to a new key. alert.id is an internally used meta key that is used to generate additional meta from matches by RSA parsers, feeds and application rules. The alertids_info, alertids_suspicious, and alertids_warning feeds are used to take values added to alert.id and create meta in risk.info, risk.suspicious, risk.warning, threat.source, and threat.category. It is not intended for general alerting use.
If you have identification feeds that are tagging your data, add your own key to put this data into.
Now, for your issue with ESA: the reason you are not getting a hit is that if a meta key has multiple values, it has to be defined as an array in ESA and then called in a different way to get a match.
alert_id is not set as an array, since it is never supposed to be used in ESA, only on the decoder.
To define a key as an array:
Administration -> Services -> <ESA host> -> View -> Explore
Expand Workflow -> Source, and click on "nextgenAggregationSource"
Add the key to the ArrayFieldNames entry (comma separated)
Restart the ESA service
To match an array variable in your example:
( 'non-pci' != ANY( alert_id ) )
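The following is an added example, not code from the original thread or from RSA NetWitness/ESA. It models how an Esper-style ESA condition evaluates a meta key that carries several values on one event, depending on whether the key is listed in ArrayFieldNames and on which quantifier the EPL uses. The events, the ArrayFieldNames contents, and the "first value wins" behaviour of the scalar path are constructed assumptions based on what the original poster observed; check them against your own ESA version. Note that the `!= ANY` form is satisfied as soon as one element differs, so it still fires on an event carrying both "scanner" and "non-pci"; to suppress the alert when any value equals "non-pci", the `!= ALL` quantifier (equivalently `NOT ('non-pci' = ANY(alert_id))`) is the form that does that.

```python
# Added example, not code from the original thread or from RSA NetWitness/ESA.
# Models how an Esper-style condition in ESA evaluates a meta key that carries
# several values on one event, depending on (a) whether the key is listed in
# ArrayFieldNames and (b) which quantifier the EPL condition uses.
from typing import Callable, List

# Constructed sample events: each entry is the ordered list of values the
# decoder wrote to the key. Event 1 is the case from the original post.
EVENTS = [
    {"id": 1, "alert_id": ["scanner", "non-pci"]},
    {"id": 2, "alert_id": ["non-pci"]},
    {"id": 3, "alert_id": ["scanner"]},
    {"id": 4, "alert_id": []},  # key not present on this event
]


def is_array_field(key: str, array_field_names: str) -> bool:
    """ArrayFieldNames is a comma-separated list of key names. Whitespace
    around names is tolerated here (assumption about ESA's exact parsing;
    keep the entry tidy regardless)."""
    names = {n.strip() for n in array_field_names.split(",") if n.strip()}
    return key in names


def scalar_not_equal(values: List[str], needle: str) -> bool:
    """Key NOT in ArrayFieldNames: `alert_id != 'non-pci'` sees one scalar.
    Modelled as the first value written, which is what the original poster
    observed (assumption: behaviour may differ between ESA versions)."""
    if not values:
        return False  # missing key: null comparison, no match
    return values[0] != needle


def any_not_equal(values: List[str], needle: str) -> bool:
    """`'non-pci' != ANY(alert_id)`: true as soon as one element differs."""
    return any(v != needle for v in values)


def all_not_equal(values: List[str], needle: str) -> bool:
    """`'non-pci' != ALL(alert_id)` (or NOT ('non-pci' = ANY(alert_id))):
    true only when every element differs, so one matching value suppresses
    the alert. An empty array is treated as no match here (assumption)."""
    return bool(values) and all(v != needle for v in values)


def fire(events, condition: Callable[[List[str], str], bool],
         key: str, needle: str) -> List[int]:
    """Return the ids of the events for which the condition fires."""
    return [e["id"] for e in events if condition(e[key], needle)]


def evaluate(events, key: str, needle: str, array_field_names: str,
             array_condition: Callable[[List[str], str], bool]) -> List[int]:
    """Use the scalar path unless the key is in ArrayFieldNames, in which
    case apply the requested array quantifier."""
    cond = array_condition if is_array_field(key, array_field_names) \
        else scalar_not_equal
    return fire(events, cond, key, needle)


if __name__ == "__main__":
    # "alias_host" stands in for whatever your ArrayFieldNames already holds.
    print("not an array field :", evaluate(EVENTS, "alert_id", "non-pci",
                                           "alias_host", all_not_equal))
    print("!= ANY(alert_id)   :", evaluate(EVENTS, "alert_id", "non-pci",
                                           "alias_host, alert_id", any_not_equal))
    print("!= ALL(alert_id)   :", evaluate(EVENTS, "alert_id", "non-pci",
                                           "alias_host, alert_id", all_not_equal))
```

Run it and compare the three lists: the scalar path and the `!= ANY` form both fire on event 1 (the poster's case), while `!= ALL` fires only on event 3, where no value is "non-pci". When you add a custom key to ArrayFieldNames, write the condition with the quantifier that matches the intent of the rule, not just one that compiles.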
2016-12-06 11:29 AM
Thanks John for the response!!
I just gave alert_id meta key as an example, I'm using custom meta keys for my own mappings.
I have defined those meta keys as an Array now; I'll let you know the results once I've validated. Thanks again!!