Question

Yara L help

  • October 25, 2024
  • 3 replies
  • 38 views

rahul7514

I am trying to build the below YARA-L rule,

and I am seeing the same IP triggering every couple of hours. How can I suppress them to avoid duplicate ticket creation?

rule rule_name_placeholder {  // rule name, "condition" section and indentation added for readability; the post gave only the events and match sections
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.metadata.vendor_name = "Check Point"
    $e.security_result.action != "BLOCK"
    ($e.target.ip != "" and $e.target.ip != "0.0.0.0" and $e.target.ip in cidr %cidr_rfc_1918 and $dip = $e.target.ip) and
    ($e.principal.ip != "" and $e.principal.ip != "0.0.0.0" and not $e.principal.ip in cidr %cidr_rfc_1918 and $sip = $e.principal.ip)
    $sip in %IOC_IP

  match:
    $sip over 60m

  condition:
    $e
}

3 replies

AbdElHafez
Staff
  • Staff
  • October 25, 2024

You could add a reference list as an exclusion placeholder in this rule, like:

not $sip in %detectedIp

and either update this reference list manually or use an API call to do so. 


jstoner
Staff
  • Staff
  • November 25, 2024

Not sure where your ticket is being created, but in SecOps there is an alert grouping function for case management that allows like alerts to be grouped into the same case, with a max hours and alerts option. The idea here is that clearly the events are still being seen, but we could roll that same alert into a case that someone is still working. If you are using a different ticketing system, perhaps they have similar logic, or it could be added to assess. Otherwise, if you intend to keep the rule the way it is, an exclusion list may be the alternative.


Aj_Detection
  • Bronze 1
  • November 17, 2025

@rahul7514

Did you get the rule syntax for suppressing it? I am also looking for the same.

I saw the comments above, but those do not involve anything at the rule logic level for suppression. They suggest suppressing at the case level or via an exclusion list, which is not what we intend to do.

Thanks
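For anyone landing on this thread looking for the rule-level form of what AbdElHafez described (and what Aj_Detection asked for), here is the original poster's rule rewritten with the reference-list exclusion in place. This is an added example, not the original poster's rule and not Google reference code. The rule name, the meta values, the outcome variable names and the assumption that %detectedIp is a string reference list of source IPs you have already ticketed are mine; %IOC_IP, %cidr_rfc_1918 and %detectedIp come from the posts above.

```yaral
// Added example; rule name, meta fields and outcome names are assumptions.
// %detectedIp is assumed to be a string reference list holding source IPs
// that already have an open ticket, maintained by hand or via the API.
rule checkpoint_ioc_inbound_with_exclusion {
  meta:
    author = "example"
    description = "Allowed (non-BLOCK) Check Point connection from an IOC IP to an RFC 1918 host, minus IPs already ticketed"
    severity = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.metadata.vendor_name = "Check Point"
    $e.security_result.action != "BLOCK"

    // internal destination
    $e.target.ip != ""
    $e.target.ip != "0.0.0.0"
    $e.target.ip in cidr %cidr_rfc_1918
    $dip = $e.target.ip

    // external source that is on the IOC list
    $e.principal.ip != ""
    $e.principal.ip != "0.0.0.0"
    not $e.principal.ip in cidr %cidr_rfc_1918
    $sip = $e.principal.ip
    $sip in %IOC_IP

    // suppression at rule level: skip source IPs already on the exclusion list
    not $sip in %detectedIp

  match:
    $sip over 60m

  outcome:
    // surfaced in the detection so the ticket shows scope without re-querying
    $event_count = count($e.metadata.event_timestamp.seconds)
    $internal_targets = array_distinct($dip)

  condition:
    $e
}
```

Two things the thread implies but does not spell out: each $sip still yields one detection per 60m match window, so if the same IP keeps appearing you will keep getting a detection every window until it lands on %detectedIp; widening the window (YARA-L allows up to 48h) reduces how often the same IP re-fires without any list maintenance. And the exclusion is only as good as the process that removes entries from %detectedIp once a ticket is closed, otherwise a genuinely renewed connection from that IP stays silent.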