2020-11-17 06:15 AM
Hello community,
I am new to using the RSA NetWitness product.
I started reading the ESA Rule documentation to try to create a custom correlation, but I have problems.
(Version Product 11.4.0.0)
I created a ContextHub List containing malicious hashes (SHA256).
I added the CH list in ESA Rule tab --> Settings --> Enrichment Sources.
After this I created a rule with this condition:
But when I try to save I get this:
Then I don't understand why I can't remove the first condition.
Where am I wrong?
Can someone help me?
Max
2021-01-22 06:51 PM
Hello Massimiliano Crescenzi,
Looks like when mapping String[] to a Context Hub list in Basic Rule Builder, we see an exception. It should be fixed in the next release. For the time being you should be able to accomplish the same from the advanced rule builder by using @UsesEnrichment(name='<ContexthubList>')
Please check https://community.rsa.com/docs/DOC-85972#Use for additional information
Example EPL Syntax for whitelists:
/* A whitelist ("known good") is a list of event meta value to exempt from alerts. */
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@UsesEnrichment(name="User_Whitelist")
SELECT * FROM
Event (
medium = 32
AND ec_activity = 'Logon'
AND ec_outcome = 'Success'
AND logon_type IN ('2','10','11','12')
AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst.toLowerCase())));
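Adapting the whitelist example to the original question (a Context Hub list of malicious SHA256 hashes that should raise an alert when matched), as an added example that is not part of either post. The list name Malicious_SHA256 and the meta key checksum are assumptions; substitute the list name you configured under Enrichment Sources and the meta key your parsers actually populate with the file hash.

```epl
/* A blacklist ("known bad") is the inverse of the whitelist above: alert when the
   hash carried by an event IS found in the Context Hub list of malicious SHA256 values.
   Assumed names (not from the original posts): list "Malicious_SHA256", meta key "checksum". */
@RSAAlert(oneInSeconds=0, identifiers={"checksum"})
@UsesEnrichment(name="Malicious_SHA256")
SELECT * FROM
Event (
/* guard against null meta before calling toLowerCase(), which would otherwise throw */
checksum IS NOT NULL
/* normalise case so hex digits in the event match however they were entered in the list */
AND EXISTS (SELECT * FROM Malicious_SHA256 WHERE (LIST = Event.checksum.toLowerCase())));
```

Keep the hash values in the Context Hub list in lowercase (or normalise them on import) so the toLowerCase() comparison cannot miss an entry that was pasted in uppercase.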