ESA rule is disabled after being deployed to the ESA service in RSA Security Analytics

Issue

An ESA rule is disabled after being deployed to the ESA service and reports the error below.
ESA was unable to deploy one or more rules, and these rules were disabled. Common issues include: missing metadata, invalid rule syntax, and unavailable external connections at the time of deployment.

The ESA log level WARN contains the following message:
Implicit conversion from datatype 'String' to 'String[]' is not allowed

Cause

Within the ESA service, the hunting and investigation meta keys were changed from a string type to a multi-valued type.

The following meta keys are affected:
  • ioc
  • eoc
  • boc
  • analysis.service
  • analysis.session
  • analysis.file

Resolution

Version 10.6.2.1 and Above

To deploy custom ESA rules that use these meta keys, the rules must be updated to use array syntax and redeployed. For example:

  String Syntax                  Array Syntax
  ioc = 'homograph detected'     'homograph detected' = ANY(ioc)

Version 10.6.2 and Below

To deploy RSA Live ESA rules that use these keys, the meta keys must be added to the ESA service using the multi-valued type.
In addition, any custom ESA rules using these meta keys must be updated to use array syntax.

The steps below explain how to add the meta keys to the ESA service with the multi-valued type.
  1. In the RSA Security Analytics UI, navigate to Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames.

  2. In the ArrayFieldNames property, enter the meta keys separated by commas. Be sure to use underscores for multi-word meta keys.

  3. Restart the ESA service.
  4. Update custom ESA rules using these meta keys to change them from string syntax to array syntax. For example:

     String Syntax                  Array Syntax
     ioc = 'homograph detected'     'homograph detected' = ANY(ioc)

  5. Redeploy each updated ESA rule.
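As an added example (not part of the RSA article), the Python helper below audits custom rule text for the string syntax on the six affected meta keys and rewrites each match to the array form shown in step 4 and in the 10.6.2.1 section. The sample rule, the underscored key spellings and the `Event` stream name it scans are constructed assumptions; only `key = 'literal'` comparisons are handled.

```python
from __future__ import annotations
import re

# Meta keys the article lists as changed to a multi-valued type in the ESA service.
MULTI_VALUED_KEYS = [
    "ioc", "eoc", "boc",
    "analysis.service", "analysis.session", "analysis.file",
]

def _key_alternation() -> str:
    # Assumption: rule text may spell multi-word keys with dots or underscores.
    spellings = set()
    for key in MULTI_VALUED_KEYS:
        spellings.add(re.escape(key))
        spellings.add(re.escape(key.replace(".", "_")))
    return "|".join(sorted(spellings, key=len, reverse=True))

# Matches string syntax such as  ioc = 'homograph detected'  (key, then '=', then a
# single-quoted literal). Array syntax  'x' = ANY(ioc)  is not matched because the
# key there is followed by ')' rather than '='.
STRING_SYNTAX = re.compile(
    r"(?<![\w.])(?P<key>" + _key_alternation() + r")(?![\w.])"
    r"\s*=\s*(?P<lit>'(?:[^']|'')*')"
)

def find_string_syntax(rule_text: str) -> list[tuple[str, str]]:
    """Return (key, literal) pairs that would trigger the implicit-conversion error."""
    return [(m.group("key"), m.group("lit")) for m in STRING_SYNTAX.finditer(rule_text)]

def to_array_syntax(rule_text: str) -> str:
    """Rewrite every  key = 'literal'  on an affected key to  'literal' = ANY(key)."""
    return STRING_SYNTAX.sub(lambda m: f"{m.group('lit')} = ANY({m.group('key')})", rule_text)

# Constructed sample rule; not a real RSA Live rule.
SAMPLE_RULE = """@Name('Homograph_Alert')
@RSAAlert
SELECT * FROM Event(
  ioc = 'homograph detected'
  AND analysis_service = 'domain lookalike'
  AND user_dst IS NOT NULL
);"""

if __name__ == "__main__":
    for key, lit in find_string_syntax(SAMPLE_RULE):
        print(f"string syntax on multi-valued key: {key} = {lit}")
    print(to_array_syntax(SAMPLE_RULE))
```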

Product Details

RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.3, 10.4, 10.5, 10.6
Platform: CentOS
O/S Version: EL6
