Skip to main content

I am trying to build the below YARA L rule 

and i am seeing the same IP triggering after every couple of hours , how can i suppress them to avoid duplicate ticket creation .

 

events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$e.metadata.vendor_name = "Check Point"
$e.security_result.action != "BLOCK"
(
$e.target.ip != ""
and $e.target.ip != "0.0.0.0"
and $e.target.ip in cidr %cidr_rfc_1918
and $dip = $e.target.ip
) and
($e.principal.ip != ""
and $e.principal.ip != "0.0.0.0"
and not $e.principal.ip in cidr %cidr_rfc_1918
and $sip = $e.principal.ip)

$sip in %IOC_IP

match:

$sip over 60m

 

You could add a reference list as an exclusion placeholder in this rule, like ;


$sip not in %detectedIp

and either update this reference list manually or use an API call to do so. 


 

Not sure where your ticket is being created but in SecOps, there is an alert grouping function for case management that allows like alerts to be grouped into the same case with a max hours and alerts option. The idea here is that clearly the events are still being seen but we could roll that same alert into a case that someone is still working. If you are using a different ticketing system, perhaps they have similar logic or it could be added to assess. Otherwise, if you intend to keep the rule the way it is, an exclusion list may be the alternative.

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.