Data enrichment rule is deleted unexpectedly

Article ID: 260964

Products

Security Analytics

Issue/Introduction

Data enrichment rules can be created with one or more indicators (or criteria). If an indicator is deleted and no other indicators were assigned to a rule that used it, that rule may also be deleted.

Environment

Release : 8.2.5-55424

Cause

When you delete an indicator, you may see the following dialog box:

Resolution

After you delete any indicators, always check whether the rules have been deleted. You may have to recreate them if they have. This will be resolved in a future release of Security Analytics.

Additional Information

Messages you can search for in /var/log/messages:

INDICATOR DELETED:  

2023-02-15T00:06:00+05:30 hostname httpd[11265]: snlog: sn="##:##:##:##:##:##" id="DS" m="85" c="11" event="EVENT_FAVORITE_DELETED" category="FAVORITE" ip="192.168.1.5" model="DSPORT" msg="logmsg=\"model.sys_log::options.event.audit.deepsee_favorite_deleted\", user=\"cmc_proxy1_admin\", remote_ip=\"10.0.1.50\", name=\"java_user_agent\""

RULE DELETED:

2023-02-15T00:27:20+05:30 hostname httpd[21244]: snlog: sn="##:##:##:##:##:##" id="DS" m="88" c="12" event="EVENT_ACTION_DELETED" category="ACTION" ip="192.168.1.5" model="DSPORT" msg="logmsg=\"model.sys_log::options.event.audit.action_deleted, user=\"cmc_proxy1\", remote_ip=\"10.0.1.50\", action_name=\"java_user_agent_rule_1\""
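The search described above can be scripted. The following is an added example, not part of the original article or the product: it lists every indicator and rule deletion recorded in a copy of /var/log/messages so you can see which rules need recreating. It assumes the field layout of the two sample lines above; the function names and the sshd line in the sample are constructed for illustration.

```python
import re
import sys

# Audit events named in this article, and the msg field holding the object name.
EVENTS = {
    "EVENT_FAVORITE_DELETED": ("indicator", "name"),
    "EVENT_ACTION_DELETED": ("rule", "action_name"),
}
EVENT_RE = re.compile(r'\bevent="(\w+)"')

def msg_field(line, key):
    # Values inside msg= are wrapped in backslash-escaped quotes.
    # The lookbehind stops "name" from matching inside "action_name".
    m = re.search(r'(?<![A-Za-z_])' + re.escape(key) + r'=\\"([^"\\]*)\\"', line)
    return m.group(1) if m else None

def parse_deletions(lines):
    """Yield one dict per indicator or rule deletion found in syslog lines."""
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m.group(1) not in EVENTS:
            continue
        kind, name_key = EVENTS[m.group(1)]
        yield {
            "time": line.split(None, 1)[0],
            "kind": kind,
            "name": msg_field(line, name_key),
            "user": msg_field(line, "user"),
            "remote_ip": msg_field(line, "remote_ip"),
        }

# The two sample lines from this article plus one constructed unrelated line.
SAMPLE = r'''
2023-02-15T00:06:00+05:30 hostname httpd[11265]: snlog: sn="##:##:##:##:##:##" id="DS" m="85" c="11" event="EVENT_FAVORITE_DELETED" category="FAVORITE" ip="192.168.1.5" model="DSPORT" msg="logmsg=\"model.sys_log::options.event.audit.deepsee_favorite_deleted\", user=\"cmc_proxy1_admin\", remote_ip=\"10.0.1.50\", name=\"java_user_agent\""
2023-02-15T00:10:00+05:30 hostname sshd[2201]: Accepted publickey for admin from 10.0.1.50 port 50022 ssh2
2023-02-15T00:27:20+05:30 hostname httpd[21244]: snlog: sn="##:##:##:##:##:##" id="DS" m="88" c="12" event="EVENT_ACTION_DELETED" category="ACTION" ip="192.168.1.5" model="DSPORT" msg="logmsg=\"model.sys_log::options.event.audit.action_deleted, user=\"cmc_proxy1\", remote_ip=\"10.0.1.50\", action_name=\"java_user_agent_rule_1\""
'''.strip().splitlines()

if __name__ == "__main__":
    # Pass the path of a log file, or run with no arguments to use SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            events = list(parse_deletions(fh))
    else:
        events = list(parse_deletions(SAMPLE))
    for ev in events:
        print("{time}  {kind:9} {name}  by {user} from {remote_ip}".format(**ev))
```

Any line reported with kind "rule" that you did not delete on purpose names a rule to recreate.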