"Join conditions must match" in ESA Rule condition
I am new to using the RSA NetWitness product.
I started reading the ESA Rule documentation to try create a custom correlation but I have problems.
(Version Product 22.214.171.124)
I create a ContextHub List containing malicious hash (SHA256).
I add the CH list in ESA Rule tab --> Settings --> Enrichment Souces
After this I created a rule with this condition:
but when i try to save i get this :
Then I don't understand why I can't remove the first condition
where am i wrong?
Can someone help me.
- Community Thread
- ESA Rules
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
- rule condition
Hello Massimiliano Crescenzi,
Looks like when mapping String to a Context Hub list in Basic Rule Builder, we see an exception. Its should be fixed in the next release. For the time being you should be able to accomplish the same from an advanced rule builder by using @UsesEnrichment(name='<ContexthubList>')
Please check https://community.rsa.com/docs/DOC-85972#Use for additional information
Example EPL Syntax for whitelists:
/* A whitelist ("known good") is a list of event meta value to exempt from alerts. */
SELECT * FROM
medium = 32
AND ec_activity = 'Logon'
AND ec_outcome = 'Success'
AND logon_type IN ('2','10','11','12')
AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst.toLowerCase())));