
ESA rule in RSA Security Analytics is not triggering an alert for the changed content of an in-memory table (CSV) enrichment used in the rule

Issue

Create a basic rule using ESA BRB and add whitelisted IPs to it as an in-memory table enrichment. Replay the logs and verify the alerts raised.
Edit the in-memory table enrichment and delete one of the whitelisted IPs. Replay the same log file and verify that the number of alerts has increased.

Cause

Part A. Create an In-Memory table enrichment
  1. Navigate to Alerts -> Configure -> Settings
  2. Click on Enrichment Sources and add a new In-Memory table enrichment by importing a sample CSV file containing the following:
    ip_src string
    1.1.1.1
    3.3.3.3

Part B. Create a Basic Rule that uses the enrichment source created above

  1. Navigate to Alerts -> Configure
  2. Create a rule and use the enrichment source. E.g. you might want to create a rule that monitors failed login attempts and treats the table as a whitelist of source IPs.

Part C. Log injection with the current enrichment source
  1. Replay the attached log file on the Log Decoder. The file should contain these IP addresses as well as other IPs. E.g. you might want to create a sample log file recording failed login attempts from a list of source IPs, then modify some of those logs so that they include the whitelisted IPs.
  2. Record the number of alerts generated.

Part D. Modify the enrichment source and re-do the log injection
  1. Edit the In-Memory table enrichment by uploading the updated CSV file that contains only ip.src 1.1.1.1.
  2. Replay the attached log file again on the Log Decoder.

Result:
In Part D, because some of the whitelisted IPs were removed from the CSV, more alerts should be triggered. However, we found that the actual number stayed the same. That means the original whitelisted IP list is still held in memory.

We even tried deleting the in-memory table enrichment from the rule, adding it back, and redeploying the rule on the ESA service.
Even in this case the actual number of alerts was 8.
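The reproduction above can be checked mechanically. The following Python script is an added illustration, not NetWitness or ESA code: it parses the two CSV uploads from Parts A and D (first row is the column definition, as in the article), runs a "failed login from a non-whitelisted source" rule over a constructed set of log lines, and counts alerts before and after the upload. An `Enrichment` object with `refresh_on_upload=False` models the reported behaviour, where the table loaded at deployment time is kept and the updated CSV is never consulted; with `refresh_on_upload=True` it shows the count a correctly refreshed table would give. The log lines, IP addresses other than 1.1.1.1 and 3.3.3.3, and all class and function names are constructed for this example.

```python
import csv
import io
import re

# Constructed CSV uploads mirroring the article's Part A and Part D tables.
# The first row ("ip_src string") is the column definition, not a data row.
CSV_ORIGINAL = "ip_src string\n1.1.1.1\n3.3.3.3\n"
CSV_UPDATED = "ip_src string\n1.1.1.1\n"

# Constructed failed-login log lines (syslog style): eight from non-whitelisted
# sources, two from 1.1.1.1 and two from 3.3.3.3.
SAMPLE_LOGS = [
    "sshd[101]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "sshd[102]: Failed password for admin from 10.0.0.6 port 51001 ssh2",
    "sshd[103]: Failed password for root from 10.0.0.7 port 51002 ssh2",
    "sshd[104]: Failed password for backup from 10.0.0.8 port 51003 ssh2",
    "sshd[105]: Failed password for root from 192.168.1.20 port 51004 ssh2",
    "sshd[106]: Failed password for guest from 192.168.1.21 port 51005 ssh2",
    "sshd[107]: Failed password for root from 192.168.1.22 port 51006 ssh2",
    "sshd[108]: Failed password for oracle from 192.168.1.23 port 51007 ssh2",
    "sshd[109]: Failed password for root from 1.1.1.1 port 51008 ssh2",
    "sshd[110]: Failed password for admin from 1.1.1.1 port 51009 ssh2",
    "sshd[111]: Failed password for root from 3.3.3.3 port 51010 ssh2",
    "sshd[112]: Failed password for admin from 3.3.3.3 port 51011 ssh2",
]

FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")


def load_whitelist(csv_text):
    """Parse an in-memory-table style CSV into a frozenset of source IPs."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    # Row 0 is the column definition; every later non-empty row is one IP.
    return frozenset(row[0].strip() for row in rows[1:] if row and row[0].strip())


class Enrichment:
    """Whitelist table as the rule sees it.

    refresh_on_upload=False models the defect described in the article: the
    table is read once at deployment and later CSV uploads are ignored.
    """

    def __init__(self, csv_text, refresh_on_upload=True):
        self.refresh_on_upload = refresh_on_upload
        self._table = load_whitelist(csv_text)

    def upload(self, csv_text):
        if self.refresh_on_upload:
            self._table = load_whitelist(csv_text)
        # otherwise the stale copy is kept, which is the reported behaviour

    def contains(self, ip):
        return ip in self._table


def count_alerts(log_lines, enrichment):
    """Rule: alert on every failed login whose source IP is not whitelisted."""
    alerts = 0
    for line in log_lines:
        match = FAILED_LOGIN.search(line)
        if match and not enrichment.contains(match.group(1)):
            alerts += 1
    return alerts


def run_scenario(refresh_on_upload):
    """Replay Parts C and D; return (alerts before upload, alerts after upload)."""
    table = Enrichment(CSV_ORIGINAL, refresh_on_upload)
    before = count_alerts(SAMPLE_LOGS, table)
    table.upload(CSV_UPDATED)
    after = count_alerts(SAMPLE_LOGS, table)
    return before, after


if __name__ == "__main__":
    print("expected behaviour (table refreshed):", run_scenario(True))
    print("reported behaviour (table stale):    ", run_scenario(False))
```

With the constructed input, the refreshed table yields 8 alerts before the upload and 10 after it, because the two 3.3.3.3 logins are no longer whitelisted; the stale table yields 8 both times, which is the symptom the article records. Comparing the two counts is the check worth scripting around any whitelist-style enrichment when validating that a table edit really took effect.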


Resolution

This is a known issue recorded in ASOC-16396. There is no workaround at this stage.

Internal Comments

Archiving because this was fixed in 10.6.1.1+ as per https://nw-corp.atlassian.net/browse/ASOC-16396


Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: All Nodes
NetWitness Version/Condition: 12.x
Platform: CentOS/Alma

Summary

ESA rule is not triggering an alert for the changed content of an in-memory table (CSV) enrichment used in the rule

