
Some context here: I'm writing a detection rule to monitor the network connections and check if any of them match with IOCs. The thing is that I want this rule to trigger if:

  1. It is an IOC and any allowed network connection was found, OR
  2. It is an IOC and more than 2 blocked network connections were found

What's the best approach here? I've tried to create 3 variables (misp, allow, block) with 2 placeholders (allowed, blocked) like this:  $allow.security_result.action = $allowed. With that, I built the condition like this: $ioc and (#allowed > 0 or #blocked > 2).

I'm aware such conditions exist for, like, 1 IOC and 5 blocks in the time range, but the rule doesn't trigger. Is there another approach, like checking the security_result.action under the outcome section using some function? Any thoughts?

Hi @lopes,

Below are two ways to tackle this (I believe; I haven't tested it, but it should work). Ensure you change the reference list that stores the IOCs, and add any extra conditional logic, such as certain log types to target, if the IP is stored in an alternative UDM field, etc.

rule IOC_Matching_rule {

  meta:
    author = "Ayman C"

  events:
    $ioc.principal.ip = $IP // Bind principal.ip to the placeholder $IP
    $ioc.metadata.event_type = "NETWORK_CONNECTION" // UDM event type for network connection logs

    $IP in %ip_ioc_search // List of IOCs held in a reference list

  match:
    $IP over 5m // Aggregate events by IP over a 5 minute match window

  outcome:
    // security_result is a repeated field, so `any` is required; summing the 1s counts matching events
    $SuccessfulTrigger = sum(if(any $ioc.security_result.action = "ALLOW", 1, 0)) // Number of "ALLOW" events
    $FailTrigger = sum(if(any $ioc.security_result.action = "BLOCK", 1, 0)) // Number of "BLOCK" events

  condition:
    // Trigger if the IOC matched and either at least 1 connection was allowed or at least 2 were blocked
    $ioc and ($SuccessfulTrigger >= 1 or $FailTrigger >= 2)
}

rule IOC_Matching_rule_With_Entity {

  meta:
    author = "Ayman C"

  events:
    $ioc.principal.ip = $IP // Bind principal.ip to the placeholder $IP
    $ioc.metadata.event_type = "NETWORK_CONNECTION" // UDM event type for network connection logs

    // Join the IP against IOC entity context instead of a reference list
    $entity_graph.graph.entity.artifact.ip = $IP
    $entity_graph.graph.metadata.entity_type = "IP_ADDRESS"
    $entity_graph.graph.metadata.source_type = "ENTITY_CONTEXT"

  match:
    $IP over 5m // Aggregate events by IP over a 5 minute match window

  outcome:
    // security_result is a repeated field, so `any` is required; summing the 1s counts matching events
    $SuccessfulTrigger = sum(if(any $ioc.security_result.action = "ALLOW", 1, 0)) // Number of "ALLOW" events
    $FailTrigger = sum(if(any $ioc.security_result.action = "BLOCK", 1, 0)) // Number of "BLOCK" events

  condition:
    // Trigger if both the event and the IOC entity matched and either at least 1 connection was allowed or at least 2 were blocked
    $ioc and $entity_graph and ($SuccessfulTrigger >= 1 or $FailTrigger >= 2)
}


Kind Regards,

Ayman c
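To sanity-check the logic before deploying it, here is an added offline model of the rule above (example code, not from the thread or from Google SecOps): it runs the events filter, the per-IP 5-minute grouping, the ALLOW/BLOCK sums and the final condition over constructed UDM-like events. The reference list and events are constructed, and fixed 5-minute buckets stand in for the YARA-L match window.

```python
"""Offline model of the IOC network-connection rule: filter, group, count, decide."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)

# Constructed stand-in for the %ip_ioc_search reference list (TEST-NET addresses).
IP_IOC_SEARCH = {"203.0.113.7", "198.51.100.9"}

def at_minute(minute):
    """Constructed timestamp helper: 2024-01-01 12:<minute> UTC."""
    return datetime(2024, 1, 1, 12, minute, tzinfo=timezone.utc)

# Constructed UDM-like events. security_result is a repeated field, hence a
# list, which is why the YARA-L rule needs the `any` modifier.
EVENTS = [
    {"ts": at_minute(0), "event_type": "NETWORK_CONNECTION", "principal_ip": "203.0.113.7",
     "security_result": [{"action": "BLOCK"}]},
    {"ts": at_minute(1), "event_type": "NETWORK_CONNECTION", "principal_ip": "203.0.113.7",
     "security_result": [{"action": "BLOCK"}]},
    {"ts": at_minute(2), "event_type": "NETWORK_CONNECTION", "principal_ip": "198.51.100.9",
     "security_result": [{"action": "UNKNOWN_ACTION"}, {"action": "ALLOW"}]},
    {"ts": at_minute(3), "event_type": "NETWORK_CONNECTION", "principal_ip": "192.0.2.5",
     "security_result": [{"action": "ALLOW"}]},      # allowed, but not an IOC
    {"ts": at_minute(9), "event_type": "NETWORK_CONNECTION", "principal_ip": "203.0.113.7",
     "security_result": [{"action": "BLOCK"}]},      # next window, single block
]

def any_action(event, action):
    """`any $ioc.security_result.action = X`: true if any repeated entry matches."""
    return any(sr.get("action") == action for sr in event["security_result"])

def evaluate_rule(events, iocs, window=WINDOW):
    """Return {(ip, window_start): (allow_count, block_count)} for groups that trigger."""
    groups = defaultdict(lambda: [0, 0])
    for e in events:
        # events section: network connections whose principal.ip is in the IOC list
        if e["event_type"] != "NETWORK_CONNECTION" or e["principal_ip"] not in iocs:
            continue
        # match: $IP over 5m, approximated here by fixed 5-minute buckets
        offset = e["ts"].timestamp() % window.total_seconds()
        bucket = e["ts"] - timedelta(seconds=offset)
        counts = groups[(e["principal_ip"], bucket)]
        # outcome: sum(if(any action = "ALLOW", 1, 0)) and the same for "BLOCK"
        counts[0] += 1 if any_action(e, "ALLOW") else 0
        counts[1] += 1 if any_action(e, "BLOCK") else 0
    # condition: $ioc and ($SuccessfulTrigger >= 1 or $FailTrigger >= 2)
    return {k: tuple(v) for k, v in groups.items() if v[0] >= 1 or v[1] >= 2}
```

Note that a plain `count(...)` over the `if` result would tally every event in the group, since the `if` yields a 0 rather than nothing for non-matching events; summing the 1s is what gives a per-action count.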


@AymanC you nailed it! I was missing the count>if>any combo.

Worked like a charm, thanks!
Have a great one!

