
Hello,

I’m trying to create a rule that detects alerts from Check Point firewall, but excludes alerts related to authorized pentest activities.

For this, I created a data table named authorized_scanners with the following columns:

  • activity_name
  • source_ip
  • destination_ip
  • start_date
  • end_date

I want the rule to reference this table, but I’m running into the following error:

"validating intermediate representation: event variables are not all joined by equalities, the joined groups are: (authorized_scanners), (e)"


Could someone help me resolve this?


Here is my rule:

rule checkpoint_fw_medium_alert
{
  meta:
    ...
    priority = "Medium"

  events:
    $e.metadata.vendor_name = "CheckPoint" nocase
    $e.security_result.severity > "MEDIUM"
    $alert_name = $e.security_result.description
    $targeted_host = $e.target.ip
    $attacker_host = $e.principal.ip

    $date = timestamp.get_date($e.metadata.event_timestamp.seconds)

    // Exclude authorized activities
    and not
    (
      ($e.principal.ip = %authorized_scanners.source_ip and $e.target.ip = %authorized_scanners.destination_ip) and
      ($date >= %authorized_scanners.start_date or $date <= %authorized_scanners.end_date)
    )

  match:
    $attacker_host over 10m

  condition:
    $e and $alert_name

}


The root cause of that error is that you don’t have an equality to anchor the events to the data table. That NOT on line 18 isn’t a join at that point.


There needs to be at least one common value between the UDM event from the firewall and the data table.

You also don’t need the placeholder variable $alert_name in the condition section based on what you shared.
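Added example, not from this thread or from the Google SecOps docs: a small Python simulation of the exclusion the posted rule intends, run over constructed alerts and constructed authorized_scanners rows, so the suppression logic can be checked before it is wired into YARA-L. The date is derived from the event's epoch seconds the way timestamp.get_date does, and the window check assumes both bounds must hold (start_date <= date <= end_date); the posted rule joins the two bounds with `or`, which is true for every date.

```python
from datetime import datetime, timezone, date

# Constructed rows of the authorized_scanners data table (sample values, not real).
AUTHORIZED_SCANNERS = [
    {"activity_name": "external pentest", "source_ip": "203.0.113.10",
     "destination_ip": "198.51.100.5",
     "start_date": date(2024, 9, 1), "end_date": date(2024, 9, 7)},
]

def udm_event_date(seconds):
    """Calendar date (UTC) of metadata.event_timestamp.seconds, like timestamp.get_date."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).date()

def is_authorized(principal_ip, target_ip, event_date, table=AUTHORIZED_SCANNERS):
    """True only if a row matches BOTH IPs AND the date lies inside the row's window.
    Both date bounds must hold; joining them with 'or' would cover every date."""
    for row in table:
        if (row["source_ip"] == principal_ip
                and row["destination_ip"] == target_ip
                and row["start_date"] <= event_date <= row["end_date"]):
            return True
    return False

def filter_alerts(alerts, table=AUTHORIZED_SCANNERS):
    """Drop alerts covered by an authorization row; keep everything else."""
    return [a for a in alerts
            if not is_authorized(a["principal_ip"], a["target_ip"],
                                 udm_event_date(a["event_timestamp_seconds"]), table)]

# Constructed alerts shaped like the UDM fields the rule reads.
SAMPLE_ALERTS = [
    {"principal_ip": "203.0.113.10", "target_ip": "198.51.100.5",
     "event_timestamp_seconds": 1725364800},  # 2024-09-03: inside window -> suppressed
    {"principal_ip": "203.0.113.10", "target_ip": "198.51.100.5",
     "event_timestamp_seconds": 1726790400},  # 2024-09-20: same pair, after end_date -> kept
    {"principal_ip": "203.0.113.10", "target_ip": "198.51.100.9",
     "event_timestamp_seconds": 1725364800},  # different destination -> kept
    {"principal_ip": "192.0.2.77", "target_ip": "198.51.100.5",
     "event_timestamp_seconds": 1725364800},  # source not in table -> kept
]

if __name__ == "__main__":
    for alert in filter_alerts(SAMPLE_ALERTS):
        print("alert kept:", alert)
```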
