Any ETPRO signature has the potential of being moved to the free ET Open ruleset. This can happen, for example, if a user submits a signatures which has original coverage for an ETPRO signature. In cases like that the signature content will stay consistent but the SID will change to reflect the acceptable SID ranges.
Because some ET customers may alert/triage based on SID rather than Message, we’ve recently taken steps to aid continuity of operations in these cases by introducing new metadata fields.
- Upon release:
- The new Open rule will be populated with ‘former_sid’ for its previous ETPRO SID.
- The disabled PRO rule will be populated with ‘new_sid’ for its new ET Open SID.