AnsweredAssumed Answered

"Join conditions must match" in ESA Rule condition

Question asked by Massimiliano Crescenzi on Nov 17, 2020

Hello community,

I am new to using the RSA NetWitness product.

I started reading the ESA Rule documentation to try create a custom correlation but I have problems.

(Version Product

I create a ContextHub List containing malicious hash (SHA256).

I add the CH list in ESA Rule tab --> Settings --> Enrichment Souces

After this I created a rule with this condition:


but when i try to save i get this :

Then I don't understand why I can't remove the first condition


where am i wrong?
Can someone help me.