Hello,
I get this error with my rule, which is not surprising at all:
validating intermediate representation: event variables are not all joined by equalities, the joined groups are: (ioc), (network)
My rule:
rule IOC_In_Forti {
  meta:
    ...
    priority = "Critical"

  events:
    $network.principal.ip = $srcip
    not net.ip_in_range_cidr($network.principal.ip, "10.0.0.0/24")
    not net.ip_in_range_cidr($network.principal.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($network.principal.ip, "192.168.0.0/16")
    $network.security_result.action_details = "accept"
    $network.metadata.log_type = "FORTINET_FIREWALL"
    $network.target.hostname = $hostname

    $srcip in %MaliciousIPs
    or $srcip in %MaliciousIPs2
    or $srcip in %MaliciousIPs3

    $ioc.graph.metadata.product_name = "ALIENVAULT_OTX"
    $ioc.graph.entity.ip = $srcip

  match:
    $hostname over 24h

  condition:
    $network and $ioc
}
I want to match the srcip against a reference list or against graph.entity.ip, and if I put an "OR" between them it results in the error above because of the condition section. Is there any way I can work around this without having to create separate rules for each one of them?