Article Number
000029168
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.3.3
Platform: CentOS
Issue
When performing an exact match query against the subject meta key (for example, subject = 'conference') during Security Analytics investigations, sessions that do not actually match the value are returned as false positives. This can result in inaccurate alerts and reports.
In the example below, the query subject = 'conference' was performed; however, the returned results include sessions that merely contain the word "conference" somewhere within the subject.
[Image: investigation results returned for the query subject = 'conference']
Cause
By default, the indexing level of the subject meta key is set to "IndexKeys" in the /etc/netwitness/ng/index-concentrator.xml file. Because of this, the meta key is affected by a known defect tracked under the internal number SACE-1055, in which the query engine treats a query such as select session_id where subject = 'anything' as if it were select session_id where subject exists.
Resolution
In order to permanently resolve the issue, one of the action plans below must be performed.
Workaround
As an alternative workaround for the issue, an entry similar to the example below can be added to the index-concentrator-custom.xml file of the affected concentrator(s) to change the indexing level of the subject meta key from "IndexKeys" to "IndexValues".
<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
    <key description="Subject" level="IndexValues" name="subject" format="Text" valueMax="100000"/>
</language>
However, because the concentrator(s) would still be affected by the known defect described above, this is not the recommended course of action.
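The following Python script is an added example and is not part of the RSA article or any RSA tooling. It does two things a practitioner typically wants when applying this workaround: it reads an index-concentrator-custom.xml file (a constructed sample is embedded; the real file's <language>/<key> layout is assumed to match the article's snippet) and adds or updates the subject entry to level="IndexValues", and it models the defect's behaviour on a constructed set of sessions so the difference between "subject = 'conference'" and "subject exists" can be seen and the false-positive session IDs identified. The function names and the sample data are the example's own inventions.

```python
import xml.etree.ElementTree as ET

# Constructed sample index-concentrator-custom.xml that has no entry for
# "subject" yet. Assumption: a <language> root with <key> children, as in the
# snippet shown in the article.
SAMPLE_CUSTOM_XML = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
    <key description="Alias Host" level="IndexValues" name="alias.host" format="Text" valueMax="100000"/>
</language>
"""

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'


def index_level(xml_text, name):
    """Return the indexing level the custom file sets for meta key `name`,
    or None if there is no entry (the concentrator then uses the default
    from index-concentrator.xml, which the article says is IndexKeys)."""
    root = ET.fromstring(xml_text)
    for key in root.findall("key"):
        if key.get("name") == name:
            return key.get("level")
    return None


def set_index_level(xml_text, name, level, description=None):
    """Return the custom XML with meta key `name` forced to `level`.
    Updates an existing <key> element in place; otherwise appends one shaped
    like the article's example (format="Text", valueMax="100000")."""
    root = ET.fromstring(xml_text)
    for key in root.findall("key"):
        if key.get("name") == name:
            key.set("level", level)
            break
    else:
        ET.SubElement(root, "key", {
            "description": description or name,
            "level": level,
            "name": name,
            "format": "Text",
            "valueMax": "100000",
        })
    # ET.tostring(..., encoding="unicode") omits the declaration, so re-add it.
    return XML_DECL + ET.tostring(root, encoding="unicode")


# Constructed sessions standing in for what an investigation would search.
# Session 105 carries no subject meta at all.
SAMPLE_SESSIONS = [
    {"session_id": 101, "subject": "conference"},
    {"session_id": 102, "subject": "Re: conference call agenda"},
    {"session_id": 103, "subject": "invoice attached"},
    {"session_id": 104, "subject": "conference"},
    {"session_id": 105},
]


def returned_by_defect(sessions, key):
    """What the defect returns for `key = 'value'` while the key sits at
    IndexKeys: every session on which the key exists, regardless of value."""
    return [s["session_id"] for s in sessions if key in s]


def exact_matches(sessions, key, value):
    """What `key = 'value'` should return once the key is at IndexValues."""
    return [s["session_id"] for s in sessions if s.get(key) == value]


def false_positives(sessions, key, value):
    """Session IDs returned by the defect that an exact match would not return."""
    wanted = set(exact_matches(sessions, key, value))
    return [sid for sid in returned_by_defect(sessions, key) if sid not in wanted]


if __name__ == "__main__":
    print("subject level before:", index_level(SAMPLE_CUSTOM_XML, "subject"))
    fixed = set_index_level(SAMPLE_CUSTOM_XML, "subject", "IndexValues", "Subject")
    print("subject level after: ", index_level(fixed, "subject"))
    print(fixed)
    print("defect returns:  ", returned_by_defect(SAMPLE_SESSIONS, "subject"))
    print("exact matches:   ", exact_matches(SAMPLE_SESSIONS, "subject", "conference"))
    print("false positives: ", false_positives(SAMPLE_SESSIONS, "subject", "conference"))
```

To use this against a real concentrator, read the existing index-concentrator-custom.xml into a string, pass it through set_index_level, and write the result back before restarting the concentrator service as the article's workaround implies; the false_positives helper is useful for auditing alerts or reports produced while the key was still at IndexKeys, since it separates genuine exact matches from sessions the defect swept in.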