Article Number
000032434
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management, Event Stream Analysis (ESA), Security Analytics UI
RSA Version/Condition: 10.5.x, 11.X
Platform: CentOS
O/S Version: EL6
Issue
Newly created Incident Management (IM) aggregation rules for ESA alerts are processing old alerts.
For instance, if an aggregation rule is created today, the resulting entries in Incident Management Alerts or SecOps Incidents contain alerts going back as far as a couple of months.
Cause
By default, aggregation rules look up all the alerts in the alert database, regardless of when those alerts were created.
Resolution
In the aggregation rule, there is an option to select alerts based on "Date Created".
Add a condition in the aggregation rule itself for "Date Created" that is greater than or equal to the desired date, so that alerts created before that date are not aggregated.
In 11.X version:
If Query Mode is set to Advanced for Incident rules, use the syntax below so that incidents are created only from alerts whose timestamp is greater than the required date (replace the date in the example with the one desired).
{"$and":[{"alert.source":"Event Stream Analysis"},{"alert.name":{"$in":["rule1", "rule2"]}},{"alert.timestamp":{"$gt":{"$date":"2021-12-30T12:00:30Z"}}}]}
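The following Python script is an added example, not part of the RSA article and not RSA's own code: it applies the Advanced-mode filter shown above to a few constructed alert records (hypothetical data) to show which alerts pass the alert.timestamp cutoff. The small evaluator only understands the operators that appear in the article's query ($and, $in and $gt with $date) plus the standard MongoDB $gte operator, which is included on the assumption that the Advanced query syntax accepts it; the article itself does not say so.

```python
"""Added example (not from the RSA article): evaluate the Advanced-mode
incident rule filter against constructed sample alerts.

Supports only the operators used by the article's query ($and, $in, $gt with
$date) and $gte (assumed, standard MongoDB syntax). It illustrates the filter's
semantics; it is not RSA's implementation."""
import json
from datetime import datetime, timezone

# The filter exactly as given in the article's Advanced query mode syntax.
RULE_FILTER_JSON = (
    '{"$and":[{"alert.source":"Event Stream Analysis"},'
    '{"alert.name":{"$in":["rule1", "rule2"]}},'
    '{"alert.timestamp":{"$gt":{"$date":"2021-12-30T12:00:30Z"}}}]}'
)

# Constructed sample alerts (hypothetical, not taken from any real deployment).
SAMPLE_ALERTS = [
    # old ESA alert from before the cutoff: should be excluded
    {"id": "a1", "alert": {"source": "Event Stream Analysis", "name": "rule1",
                           "timestamp": "2021-10-01T08:00:00Z"}},
    # recent ESA alert for a listed rule: should be included
    {"id": "a2", "alert": {"source": "Event Stream Analysis", "name": "rule2",
                           "timestamp": "2022-01-05T09:30:00Z"}},
    # recent, but rule name is not in the $in list
    {"id": "a3", "alert": {"source": "Event Stream Analysis", "name": "rule3",
                           "timestamp": "2022-01-06T10:00:00Z"}},
    # recent, but not an ESA alert
    {"id": "a4", "alert": {"source": "Reporting Engine", "name": "rule1",
                           "timestamp": "2022-01-07T11:00:00Z"}},
    # stamped exactly at the cutoff: $gt excludes it, $gte would include it
    {"id": "a5", "alert": {"source": "Event Stream Analysis", "name": "rule1",
                           "timestamp": "2021-12-30T12:00:30Z"}},
]


def _parse_date(value):
    """ISO-8601 timestamp with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def _lookup(doc, dotted):
    """Resolve a dotted field path such as 'alert.timestamp' in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _compare_date(actual, date_arg, op):
    """Apply $gt / $gte to an ISO timestamp against a {"$date": ...} operand."""
    if actual is None:
        return False
    a, b = _parse_date(actual), _parse_date(date_arg["$date"])
    return a > b if op == "$gt" else a >= b


def _match_condition(doc, field, cond):
    """Match one field condition: plain equality or an operator dict."""
    actual = _lookup(doc, field)
    if not isinstance(cond, dict):
        return actual == cond  # e.g. {"alert.source": "Event Stream Analysis"}
    for op, arg in cond.items():
        if op == "$in":
            if actual not in arg:
                return False
        elif op in ("$gt", "$gte"):
            if isinstance(arg, dict) and "$date" in arg:
                if not _compare_date(actual, arg, op):
                    return False
            elif actual is None or not (actual > arg if op == "$gt" else actual >= arg):
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True


def matches(doc, flt):
    """Evaluate a (parsed) filter dict against one alert document."""
    for key, value in flt.items():
        if key == "$and":
            if not all(matches(doc, sub) for sub in value):
                return False
        elif not _match_condition(doc, key, value):
            return False
    return True


def select_alerts(alerts, filter_json):
    """Return the ids of the alerts the rule would aggregate, in input order."""
    flt = json.loads(filter_json)
    return [a["id"] for a in alerts if matches(a, flt)]


if __name__ == "__main__":
    print("strict $gt:   ", select_alerts(SAMPLE_ALERTS, RULE_FILTER_JSON))
    print("inclusive $gte:", select_alerts(SAMPLE_ALERTS, RULE_FILTER_JSON.replace('"$gt"', '"$gte"')))
```

Running the script prints the ids of the alerts the rule would pick up: only a2 with the article's filter. Note that $gt is strict, so an alert stamped exactly at the cutoff (a5 in the sample) is excluded, whereas the "greater than or equal to" Date Created condition described for the rule editor would include it; the second line of output, with $gt swapped for $gte, shows that inclusive behaviour.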