
Hello, I am getting the following error: "validating intermediate representation: event variables are not all joined by equalities, the joined groups are: (e), (ioc)", which doesn't surprise me. What could be an alternative?

Thanks for your help!

Here is my rule:

rule Sekoia_OpenCTI_IoC_hashes {

  meta:
    author = "MSM"
    description = "8:00 AM local time"
    severity = "Medium"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $host

    (
      $ioc.graph.entity.namespace = "SEKOIA" or
      $ioc.graph.entity.namespace = "OPENCTI"
    )
    $ioc.graph.metadata.entity_type = "FILE"
    $ioc.graph.entity.resource.attribute.labels["revoked"] = "false"
    (
      $ioc.graph.metadata.threat.risk_score > 50 or
      $ioc.graph.metadata.threat.confidence_score > 50
    )

    $ioc.graph.entity.file.sha256 = $sha256
    $ioc.graph.entity.file.sha1 = $sha1
    $ioc.graph.entity.file.md5 = $md5

    (
      (not $e.target.process.file.sha256 = "" and
       $e.target.process.file.sha256 = $sha256) or
      (not $e.target.process.file.sha1 = "" and
       $e.target.process.file.sha1 = $sha1) or
      (not $e.target.process.file.md5 = "" and
       $e.target.process.file.md5 = $md5)
    )

  match:
    $host over 15m

  condition:
    $ioc and $e
}

@msalif can you try the rule below? I think the compiler is not able to join the entity graph and the event together based on your rule.

rule Sekoia_OpenCTI_IoC_hashes {

  meta:
    author = "MSM"
    description = "8:00 AM local time"
    severity = "Medium"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $host

    (
      $ioc.graph.entity.namespace = "SEKOIA" or
      $ioc.graph.entity.namespace = "OPENCTI"
    )
    $ioc.graph.metadata.entity_type = "FILE"
    $ioc.graph.entity.resource.attribute.labels["revoked"] = "false"
    (
      $ioc.graph.metadata.threat.risk_score > 50 or
      $ioc.graph.metadata.threat.confidence_score > 50
    )

    $e.target.process.file.sha256 != ""
    $e.target.process.file.sha1 != ""
    $e.target.process.file.md5 != ""

    $ioc.graph.entity.file.sha256 = $e.target.process.file.sha256
    $ioc.graph.entity.file.sha1 = $e.target.process.file.sha1
    $ioc.graph.entity.file.md5 = $e.target.process.file.md5

  match:
    $host over 15m

  condition:
    $ioc and $e
}

Hello @James_E,

Thanks for your reply, but the code you proposed doesn't really match my need. With it, the 3 types of hash must exist in the events (because of the implicit "AND"), otherwise I won't have a detection.

Regards,



Here is an example of the sha256 standalone. You don't need the does-not-equal-null check because you are joining on that value. Because of the 1:1 join to the entity graph, you can't do the kind of join you are proposing.


I put another example in that will require a bit of testing but could also work, which uses the strings.coalesce function. Coalesce will process until it finds a non-null value, so it would hit the sha256, then sha1, then md5 in the example for both UDM and the entity graph and then compare the two. The caveat is that it may be possible that you have sha256 for UDM but just MD5 for the entity graph, which then would not match, so some thought and data analysis is needed to determine if this is a reasonable path forward or creates too much of a chance to miss something.


We may have some additional capabilities that are coming later in the year to accommodate this in a single rule, but at the moment, the best method would be to have one rule for each of the hash joins.


rule Sekoia_OpenCTI_IoC_hashes {

  meta:
    author = "MSM"
    description = "8:00 AM local time"
    severity = "Medium"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.sha256 = $sha256
    $e.principal.hostname = $host
    (
      $ioc.graph.entity.namespace = "SEKOIA" or
      $ioc.graph.entity.namespace = "OPENCTI"
    )
    $ioc.graph.metadata.entity_type = "FILE"
    $ioc.graph.entity.resource.attribute.labels["revoked"] = "false"
    (
      $ioc.graph.metadata.threat.risk_score > 50 or
      $ioc.graph.metadata.threat.confidence_score > 50
    )
    $ioc.graph.entity.file.sha256 = $sha256

  match:
    $host over 15m

  condition:
    $ioc and $e
}

rule Sekoia_OpenCTI_IoC_hashes {

  meta:
    author = "MSM"
    description = "8:00 AM local time"
    severity = "Medium"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    strings.coalesce($e.target.process.file.sha256, $e.target.process.file.sha1, $e.target.process.file.md5) = $hash
    $e.principal.hostname = $host
    (
      $ioc.graph.entity.namespace = "SEKOIA" or
      $ioc.graph.entity.namespace = "OPENCTI"
    )
    $ioc.graph.metadata.entity_type = "FILE"
    $ioc.graph.entity.resource.attribute.labels["revoked"] = "false"
    (
      $ioc.graph.metadata.threat.risk_score > 50 or
      $ioc.graph.metadata.threat.confidence_score > 50
    )
    strings.coalesce($ioc.graph.entity.file.sha256, $ioc.graph.entity.file.sha1, $ioc.graph.entity.file.md5) = $hash

  match:
    $host over 15m

  condition:
    $ioc and $e
}
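
As an added illustration, not code from this thread or from Google SecOps, the Python model below replays the three join strategies discussed above over constructed sample events and entity-graph IoCs: the implicit AND of three equality joins, one rule per hash type (and their union, which is the OR the original rule tried to express), and the strings.coalesce variant. It lets a detection engineer measure the "sha256 on the event but only MD5 on the IoC" miss before committing to the coalesce rule. The Record class, HASH_FIELDS and every hash value are constructed placeholders, not real indicators.

```python
from dataclasses import dataclass

HASH_FIELDS = ("sha256", "sha1", "md5")  # the order strings.coalesce walks them


@dataclass
class Record:
    """A UDM event's target.process.file or an entity-graph IoC's entity.file (constructed model)."""
    name: str
    sha256: str = ""
    sha1: str = ""
    md5: str = ""

    def coalesce(self) -> str:
        # strings.coalesce(sha256, sha1, md5): first populated value, "" if none are set
        return next((getattr(self, f) for f in HASH_FIELDS if getattr(self, f)), "")


def all_three_join(events, iocs):
    """Three equality joins in one rule are implicitly ANDed: every hash must be present and match."""
    return sorted({(e.name, i.name) for e in events for i in iocs
                   if all(getattr(e, f) and getattr(e, f) == getattr(i, f) for f in HASH_FIELDS)})

def per_hash_join(events, iocs, field):
    """One rule per hash type; an empty value on the event side never joins."""
    return sorted({(e.name, i.name) for e in events for i in iocs
                   if getattr(e, field) and getattr(e, field) == getattr(i, field)})

def any_hash_join(events, iocs):
    """Union of the three per-hash rules, i.e. the OR the asker wanted."""
    return sorted(set().union(*(set(per_hash_join(events, iocs, f)) for f in HASH_FIELDS)))

def coalesce_join(events, iocs):
    """The strings.coalesce variant: only the first populated hash on each side is compared."""
    return sorted({(e.name, i.name) for e in events for i in iocs
                   if e.coalesce() and e.coalesce() == i.coalesce()})

def missed_by_coalesce(events, iocs):
    """Pairs the per-hash rules catch but the coalesce rule silently drops."""
    return sorted(set(any_hash_join(events, iocs)) - set(coalesce_join(events, iocs)))


# Constructed sample data; the hash strings are placeholders, not real indicators.
EVENTS = [
    Record("ev1", sha256="S256-MAL", sha1="S1-MAL", md5="MD5-MAL"),  # all three hashes present
    Record("ev2", sha256="S256-MAL"),                                 # sha256 only
    Record("ev3", sha256="S256-OTHER", md5="MD5-ONLY"),               # overlaps an IoC on md5 alone
]
IOCS = [
    Record("ioc_full", sha256="S256-MAL", sha1="S1-MAL", md5="MD5-MAL"),
    Record("ioc_md5only", md5="MD5-ONLY"),  # the feed only published an MD5
]
```

Running missed_by_coalesce over a sample of your own UDM events and entity-graph rows shows how many matches the single coalesce rule would lose compared with three per-hash rules.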
