
"Join conditions must match" in ESA Rule condition

Question asked by Massimiliano Crescenzi on Nov 17, 2020

Hello community,

I am new to using the RSA NetWitness product.

I started reading the ESA Rule documentation to try to create a custom correlation, but I have problems.

(Version Product 11.4.0.0)

I created a ContextHub List containing malicious hashes (SHA256).

I added the CH list in ESA Rule tab --> Settings --> Enrichment Sources.

After this I created a rule with this condition:

Condition

But when I try to save, I get this:

Then I don't understand why I can't remove the first condition

 

Where am I wrong?
Can someone help me?

Max
