Newly created Incident Management (IM) aggregation rules for ESA alerts are processing old alerts in RSA Security Analytics
Issue
Newly created Incident Management (IM) aggregation rules for ESA alerts are processing old alerts. For instance, if an aggregation rule is created today, the alerts shown in Incident Management Alerts or SecOps Incidents include alerts going back as far as a couple of months.
Cause
By default, aggregation rules will look up all the alerts in the alert database.
Resolution
In the aggregation rule, there is an option to select alerts based on "Date Created". Add a condition in the aggregation rule itself for "Date Created" greater than or equal to the date from which alerts should be included (for example, the date the rule is created), so that alerts already in the alert database before that date are not pulled into new incidents.
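As an added illustration, not RSA code (the product's rule engine and alert schema are not exposed in this article), the following Python models an aggregation rule as a filter-and-group over alert records, run once without and once with the "Date Created" condition. The alert records, the field names `esa_rule`, `host` and `created`, and the grouping by host are all constructed for the example.

```python
from datetime import datetime

# Constructed sample alerts (not real RSA data). Alerts 1 and 2 predate the
# rule; alert 5 is from a different ESA rule and should never match.
SAMPLE_ALERTS = [
    {"id": 1, "created": datetime(2016, 1, 5), "host": "web01", "esa_rule": "brute_force"},
    {"id": 2, "created": datetime(2016, 1, 20), "host": "web01", "esa_rule": "brute_force"},
    {"id": 3, "created": datetime(2016, 3, 10), "host": "web01", "esa_rule": "brute_force"},
    {"id": 4, "created": datetime(2016, 3, 11), "host": "db01", "esa_rule": "brute_force"},
    {"id": 5, "created": datetime(2016, 3, 12), "host": "web01", "esa_rule": "port_scan"},
]

# Assumed date on which the aggregation rule was created.
RULE_CREATED = datetime(2016, 3, 9)


def aggregate_alerts(alerts, esa_rule, group_by="host", date_floor=None):
    """Model of an aggregation rule: keep alerts from `esa_rule`, optionally
    require created >= date_floor (the "Date Created" condition), and group
    the survivors into incidents keyed by `group_by`.

    Returns {group_key: [alert ids]}; alert ids are kept in input order.
    """
    incidents = {}
    for alert in alerts:
        if alert["esa_rule"] != esa_rule:
            continue
        # Without a date floor the rule looks at the whole alert database,
        # which is the behaviour described under "Cause".
        if date_floor is not None and alert["created"] < date_floor:
            continue
        incidents.setdefault(alert[group_by], []).append(alert["id"])
    return incidents


def stale_alert_ids(incidents, alerts, rule_created):
    """Check for a freshly created rule: ids of aggregated alerts that were
    created before the rule existed. An empty list means the date condition
    is doing its job."""
    by_id = {a["id"]: a for a in alerts}
    aggregated = [aid for ids in incidents.values() for aid in ids]
    return [aid for aid in aggregated if by_id[aid]["created"] < rule_created]


if __name__ == "__main__":
    no_floor = aggregate_alerts(SAMPLE_ALERTS, "brute_force")
    print("without Date Created condition:", no_floor)
    print("stale alerts pulled in:", stale_alert_ids(no_floor, SAMPLE_ALERTS, RULE_CREATED))

    with_floor = aggregate_alerts(SAMPLE_ALERTS, "brute_force", date_floor=RULE_CREATED)
    print("with Date Created >= rule creation:", with_floor)
    print("stale alerts pulled in:", stale_alert_ids(with_floor, SAMPLE_ALERTS, RULE_CREATED))
```

Running the block shows the web01 incident absorbing the January alerts when no date floor is set, and only the post-creation alert once the floor is applied; `stale_alert_ids` is the check to run against any newly created rule before trusting its incidents.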
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management, Event Stream Analysis (ESA), Security Analytics UI
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6