rule critical_ioc_detected_ip {
meta:
author = "Anurag Singh"
description = "Rule to check for any traffic coming from suspicious IPs related to known IOCs."
events:
$e.metadata.vendor_name = "Check Point" or $e.metadata.vendor_name = "Fortinet"
$e.metadata.product_name = "VPN-1 & FireWall-1" or $e.metadata.product_name = "Fortigate"
$e.metadata.event_type = "NETWORK_CONNECTION" or ($e.metadata.event_type = "NETWORK_HTTP")
$e.principal.ip = $sourceip and $e.target.ip = $destinationip
$kasperskyti.principal.ip[0] = $sourceip or $kasperskyti.principal.ip[0] = $destinationip
$kasperskyti.metadata.vendor_name = "IOC" and $kasperskyti.metadata.product_name = "IP"
$ioc = $kasperskyti.metadata.product_event_type
match:
$sourceip over 10m
condition:
$e and $kasperskyti
}
So I have written this rule to check if there is connection with known IOCs.
But I am facing an error which says
So I have written this rule to check if there is connection with known IOCs.
But I am facing an error which says
validating intermediate representation: event variables are not all joined by equalities, the joined groups are: (e), (kasperskyti)
Can someone help me out in this.
