Skip to main content

Yara-L join issue

  • March 26, 2025
  • 3 replies
  • 66 views
M
Forum|alt.badge.img+1

Hello , I am getting the following error : "validating intermediate representation: event variables are not all joined by equalities, the joined groups are: (e) , (ioc) " which doesn't surprise me . What could be an alternative ?

Thanks for your help!

Here is my rule :

 

rule Sekoia_OpenCTI_IoC_hashes { meta: author = "MSM" description = "8:00 AM local time" severity = "Medium" events: $e.metadata.event_type = "PROCESS_LAUNCH" $e.principal.hostname = $host ( $ioc.graph.entity.namespace = "SEKOIA" or $ioc.graph.entity.namespace = "OPENCTI" ) $ioc.graph.metadata.entity_type = "FILE" $ioc.graph.entity.resource.attribute.labels["revoked"] = "false" ( $ioc.graph.metadata.threat.risk_score > 50 or $ioc.graph.metadata.threat.confidence_score > 50 ) $ioc.graph.entity.file.sha256 = $sha256 $ioc.graph.entity.file.sha1 = $sha1 $ioc.graph.entity.file.md5 = $md5 ( (not $e.target.process.file.sha256 = "" and $e.target.process.file.sha256 = $sha256) or (not $e.target.process.file.sha1 = "" and $e.target.process.file.sha1 = $sha1) or (not $e.target.process.file.md5 = "" and $e.target.process.file.md5 = $md5) ) match: $host over 15m condition: $ioc and $e }

 

 

3 replies

James_E
Staff
Forum|alt.badge.img+8
  • James_E
  • Staff
  • March 26, 2025

@msalif  can you try the rule below? I think the compiler is not able to join the entity graph and the event together based on your rule.

 

rule Sekoia_OpenCTI_IoC_hashes { meta: author = "MSM" description = "8:00 AM local time" severity = "Medium" events: $e.metadata.event_type = "PROCESS_LAUNCH" $e.principal.hostname = $host ( $ioc.graph.entity.namespace = "SEKOIA" or $ioc.graph.entity.namespace = "OPENCTI" ) $ioc.graph.metadata.entity_type = "FILE" $ioc.graph.entity.resource.attribute.labels["revoked"] = "false" ( $ioc.graph.metadata.threat.risk_score > 50 or $ioc.graph.metadata.threat.confidence_score > 50 ) $e.target.process.file.sha256 != "" $e.target.process.file.sha1 != "" $e.target.process.file.md5 != "" $ioc.graph.entity.file.sha256 = $e.target.process.file.sha256 $ioc.graph.entity.file.sha1 = $e.target.process.file.sha1 $ioc.graph.entity.file.md5 = $e.target.process.file.md5 match: $host over 15m condition: $ioc and $e }

 

M
Forum|alt.badge.img+1
  • msalif
  • Author
  • New Member
  • March 26, 2025

@msalif  can you try the rule below? I think the compiler is not able to join the entity graph and the event together based on your rule.

 

rule Sekoia_OpenCTI_IoC_hashes { meta: author = "MSM" description = "8:00 AM local time" severity = "Medium" events: $e.metadata.event_type = "PROCESS_LAUNCH" $e.principal.hostname = $host ( $ioc.graph.entity.namespace = "SEKOIA" or $ioc.graph.entity.namespace = "OPENCTI" ) $ioc.graph.metadata.entity_type = "FILE" $ioc.graph.entity.resource.attribute.labels["revoked"] = "false" ( $ioc.graph.metadata.threat.risk_score > 50 or $ioc.graph.metadata.threat.confidence_score > 50 ) $e.target.process.file.sha256 != "" $e.target.process.file.sha1 != "" $e.target.process.file.md5 != "" $ioc.graph.entity.file.sha256 = $e.target.process.file.sha256 $ioc.graph.entity.file.sha1 = $e.target.process.file.sha1 $ioc.graph.entity.file.md5 = $e.target.process.file.md5 match: $host over 15m condition: $ioc and $e }

 


Hello @James_E ,

Thanks for your reply but the code you proposed doesn't really match my need . With it , the 3 types of hash must exist in the events (because of the implicit "AND") otherwise I won't have a detection.

Regards,

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • March 27, 2025

Here is an example of the sha256 standalone. You don't need the does not equal null because you are joining on that value. Because of the 1:1 join to the entity graph, you can't do the kind of join you are proposing.

I put another example in that will require a bit of testing but could also work which uses the strings.coalesce function.  Coalesce will process until it finds a non-null value so it would hit the sha256, then sha1, then md5 in the example for both udm and entity graph and then compare the two. The caveat is that it may be possible that you have sha256 for UDM but just MD5 for the entity graph which then would not match, so some thought and data analysis is needed to determine if this is a reasonable path forward or creates too much of a chance to miss something.

We may have some additional capabilities that are coming later in the year to accommodate this in a single rule, but at the moment, the best method would be to have one rule for each of the hash joins.

 

rule Sekoia_OpenCTI_IoC_hashes {

meta:
 author = "MSM"
 description = "8:00 AM local time"
 severity = "Medium"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.target.process.file.sha256 = $sha256
$e.principal.hostname = $host
(
$ioc.graph.entity.namespace = "SEKOIA" or
$ioc.graph.entity.namespace = "OPENCTI"
)
$ioc.graph.metadata.entity_type = "FILE"
$ioc.graph.entity.resource.attribute.labels["revoked"] = "false"
(
$ioc.graph.metadata.threat.risk_score > 50 or
$ioc.graph.metadata.threat.confidence_score > 50
)
$ioc.graph.entity.file.sha256 = $sha256

match:
$host over 15m

condition:
$ioc and $e
}

 

rule Sekoia_OpenCTI_IoC_hashes {

meta:
 author = "MSM"
 description = "8:00 AM local time"
 severity = "Medium"

events:
$e.metadata.event_type = "PROCESS_LAUNCH"
strings.coalesce($e.target.process.file.sha256, $e.target.process.file.sha1, $e.target.process.file.md5) = $hash
$e.principal.hostname = $host
(
$ioc.graph.entity.namespace = "SEKOIA" or
$ioc.graph.entity.namespace = "OPENCTI"
)
$ioc.graph.metadata.entity_type = "FILE"
$ioc.graph.entity.resource.attribute.labels["revoked"] = "false"
(
$ioc.graph.metadata.threat.risk_score > 50 or
$ioc.graph.metadata.threat.confidence_score > 50
)
strings.coalesce($ioc.graph.entity.file.sha256, $ioc.graph.entity.file.sha1, $ioc.graph.entity.file.md5) = $hash

match:
$host over 15m

condition:
$ioc and $e
}
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.