I'm in a situation where ESA must not fire if the Meta Key has a "defined"
value, even if it has multiple values in the same event log.
Unfortunately I can't modify the custom device mapping now. Example: alert_id
= scanner, alert_id = non-pci. I have a condition i...
Has anyone tried to create aggregation rules in ESA? I want to
group by any Meta Key but not limit by counts, since I don't want to
miss a single event. The issue is that sometimes I'm getting flooded by email
notifications for a particular alert,...
Thanks John for the response! I just gave the alert_id meta key as an
example; I'm using custom meta keys for my own mappings. I have defined
those meta keys as an Array now and will let you know the results once I
have validated. Thanks again!
I had the same issue when I upgraded SA from V10.5.2 to V10.6.1. You can
upgrade using one zip file only for the SA head unit, and after that you have
to download the other upgrade files (7 zip files, which are for V10.6 to
V10.6.1) to continue the upgrade for the other ...
Hi Lee, sorry if I wasn't clear in my questions. I don't want to suppress
any alerts; my concern is only about the alert notification. I thought the
"OUTPUT LAST/FIRST" commands would control the notification. I don't want
to see a delay between event time...
Hi Lee, this is really helpful and works. Based on the threshold, the
alert notification would be delayed for 15 mins (as per our example). Is
there a way I can avoid that too? I tried the OUTPUT FIRST command with
@RSAAlert but it's not working as expect...