How to remove a duplicate Meta key used for alerts in RSA Security Analytics?

Issue

Duplicate meta keys (one in lower case and the other in upper case) listed under Meta Key References are used in ESA rules, causing the alert not to fire.

Dashboard > Alerts > Settings tab > Meta Key References:

How can you remove any of the Meta Key References?

Workaround

Open the mongo shell (mongo sa) and run this command:
 
db.metaType.findOne({name:'<name_of_duplicate_meta_key_reference>'})

Where <name_of_duplicate_meta_key_reference> = the name of the duplicate meta key reference you would like to remove (the one with upper case).

If it returns data, then you can remove it from MongoDB by running this command:
 
db.metaType.remove({name:'<name_of_duplicate_meta_key_reference>'})


Notes

Note: If any ESA rule is using the duplicate meta key reference after it has been removed, ESA will fail to synchronize or deploy any rules. Please modify the rule to use the correct meta key.
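
Before running the remove command, it helps to list which meta key references differ only by case and which rules still use the variant that is about to be removed. The following is an added example in plain JavaScript (Node.js), not RSA code: the sample documents stand in for the contents of metaType (only the name field, as in the commands above, is assumed), and the rule names and rule text are constructed.

```javascript
// Constructed sample: stands in for the documents in the metaType collection.
const sampleMetaTypes = [
  { name: "user_dst" }, { name: "USER_DST" }, { name: "ip_src" },
];

// Constructed rule statements (hypothetical rule names and text).
const sampleRules = {
  "Failed logins": "SELECT * FROM Event(USER_DST = 'admin')",
  "Port scan": "SELECT * FROM Event(ip_src IS NOT NULL)",
};

// Group names that are identical once lower-cased; keep groups of two or more.
function findCaseDuplicates(metaTypes) {
  const groups = new Map();
  for (const doc of metaTypes) {
    const key = doc.name.toLowerCase();
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(doc.name);
  }
  return [...groups.values()].filter((names) => names.length > 1);
}

// Rules whose text contains the key, matched case-sensitively as a whole token.
function rulesUsingKey(rules, key) {
  const escaped = key.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const token = new RegExp("(^|[^A-Za-z0-9_.])" + escaped + "($|[^A-Za-z0-9_.])");
  return Object.keys(rules).filter((name) => token.test(rules[name]));
}

// For every duplicate group, mark the variants containing upper case as
// removal candidates and list the rules that must be corrected first.
function removalPlan(metaTypes, rules) {
  const plan = [];
  for (const names of findCaseDuplicates(metaTypes)) {
    const keep = names.find((n) => n === n.toLowerCase()) || null;
    for (const name of names) {
      if (name !== keep && name !== name.toLowerCase()) {
        plan.push({ remove: name, keep, fixRules: rulesUsingKey(rules, name) });
      }
    }
  }
  return plan;
}

console.log(JSON.stringify(removalPlan(sampleMetaTypes, sampleRules), null, 2));
```

Any rule listed under fixRules should be changed to the kept key before the duplicate is removed, otherwise the synchronization failure described in the Note applies.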

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: SA Event Stream Analysis
RSA Version/Condition: 10.5.2.0, 10.6.0, 10.6.1, 10.6.1.1

Approval Reviewer Queue

ASOC Approval Group