Article Number
000035446
Applies To
RSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Log Decoder, Concentrator, Event Stream Analysis
RSA Version/Condition: 10.4, 10.5, 10.6
Issue
policy.name is populated with two different kinds of values, which makes it unclear which values to use when creating rules.
Cause
policy.name has been brought over from RSA enVision, and index-table-map.xml includes both policy.name and signature.name under the same key:
<mapping envisionName="signame" nwName="policy.name" flags="None" envisionDisplayName="SignatureName"/>
<mapping envisionName="policyname" nwName="policy.name" flags="None" envisionDisplayName="PolicyName"/>
Workaround
To separate policy.name from the signature name, add entries to table-map-custom.xml on the Log Decoder and to index-concentrator-custom.xml on the Concentrator.
On the Log Decoder, in table-map-custom.xml, add:
<mapping envisionName="signame" nwName="sig.name" flags="None" envisionDisplayName="SignatureName"/>
On the Concentrator, in index-concentrator-custom.xml, add:
<key description="Sig Name" level="IndexValues" name="sig.name" format="Text" valueMax="10000" />
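An added example, not part of the original article or of RSA's tooling: a Python check that lists meta keys fed by more than one enVision field, run against the mappings quoted above before and after the workaround. The `<mappings>` wrapper element and the rule that a custom entry replaces the default entry with the same envisionName are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: the two default mappings quoted in the article,
# wrapped in a <mappings> root element (the wrapper is an assumption).
DEFAULT_MAP = """<mappings>
<mapping envisionName="signame" nwName="policy.name" flags="None" envisionDisplayName="SignatureName"/>
<mapping envisionName="policyname" nwName="policy.name" flags="None" envisionDisplayName="PolicyName"/>
</mappings>"""

# Constructed sample input: the workaround entry for table-map-custom.xml.
CUSTOM_MAP = """<mappings>
<mapping envisionName="signame" nwName="sig.name" flags="None" envisionDisplayName="SignatureName"/>
</mappings>"""


def load_mappings(xml_text):
    """Return {envisionName: nwName} for every <mapping> element."""
    root = ET.fromstring(xml_text)
    return {m.get("envisionName"): m.get("nwName")
            for m in root.iter("mapping")
            if m.get("envisionName") and m.get("nwName")}


def effective_mappings(default_xml, custom_xml=None):
    """Merge both files. Assumption: a custom entry replaces the default
    entry that has the same envisionName."""
    merged = load_mappings(default_xml)
    if custom_xml:
        merged.update(load_mappings(custom_xml))
    return merged


def overloaded_keys(mappings):
    """Return {nwName: [envisionNames]} for keys fed by more than one field."""
    by_key = defaultdict(list)
    for envision_name, nw_name in mappings.items():
        by_key[nw_name].append(envision_name)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    print("before:", overloaded_keys(effective_mappings(DEFAULT_MAP)))
    print("after: ", overloaded_keys(effective_mappings(DEFAULT_MAP, CUSTOM_MAP)))
```

Any key the check still reports after the custom file is merged carries mixed values, so rules written against it need the same review as policy.name.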
Notes
For more information on the creation of custom meta keys, please refer to the RSA Security Analytics documentation.