I am trying to build the YARA-L rule below, and I am seeing the same IP triggering again every couple of hours. How can I suppress them to avoid duplicate ticket creation?
events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.metadata.vendor_name = "Check Point"
    $e.security_result.action != "BLOCK"
    (
        $e.target.ip != ""
        and $e.target.ip != "0.0.0.0"
        and $e.target.ip in cidr %cidr_rfc_1918
        and $dip = $e.target.ip
    ) and
    (
        $e.principal.ip != ""
        and $e.principal.ip != "0.0.0.0"
        and not $e.principal.ip in cidr %cidr_rfc_1918
        and $sip = $e.principal.ip
    )
    $sip in %IOC_IP

match:
    $sip over 60m
You could add a reference list as an exclusion placeholder in this rule, like:

    $sip not in %detectedIp

and either update this reference list manually or use an API call to do so.

Not sure where your ticket is being created, but in SecOps there is an alert grouping function for case management that allows like alerts to be grouped into the same case, with a max hours and max alerts option. The idea here is that the events are clearly still being seen, but we can roll that same alert into a case that someone is still working. If you are using a different ticketing system, perhaps it has similar logic, or it could be added to assess. Otherwise, if you intend to keep the rule the way it is, an exclusion list may be the alternative.
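Added example, written for this thread and not taken from the poster's rule, the answer, or Google SecOps itself: a small Python model of the two suppression approaches the answer describes, a grouping window (max hours and max alerts per case) and an exclusion list that would feed the `%detectedIp` reference list checked by `$sip not in %detectedIp`. The class and function names (`Suppressor`, `reference_list_update`, `run_sample`), the `{"name", "lines"}` shape of the update body, and the sample alerts are all assumptions or constructed data; the code makes no network call.

```python
"""Ticket suppression for a YARA-L alert that re-fires on the same source IP.

Added example for this thread; not code from the original poster, the answer,
or Google SecOps. It models the two options discussed above:
  1. grouping: alerts for the same $sip within a window (max hours) join an
     open case until that case holds max alerts, instead of opening a ticket;
  2. exclusion: IPs that keep re-alerting become candidates for a reference
     list (the answer's %detectedIp) that the rule checks with
     `$sip not in %detectedIp`.
The reference-list builder only constructs a JSON-ready dict; it makes no
network call, and the {"name", "lines"} shape is an assumption to check
against the reference-list API you actually use.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address


@dataclass
class Alert:
    sip: str                 # $sip from the rule's match section
    detected_at: datetime


@dataclass
class Case:
    sip: str
    opened_at: datetime
    alerts: list = field(default_factory=list)


class Suppressor:
    """Decide per alert whether to open a ticket or attach to an open case."""

    def __init__(self, max_hours: int = 24, max_alerts: int = 50):
        self.window = timedelta(hours=max_hours)
        self.max_alerts = max_alerts
        self.open_cases = {}   # sip -> Case currently accepting alerts
        self.tickets = []      # every Case that caused a ticket
        self.total_seen = {}   # sip -> alerts observed across all cases

    def handle(self, alert: Alert) -> str:
        ip_address(alert.sip)  # reject junk before it keys anything
        self.total_seen[alert.sip] = self.total_seen.get(alert.sip, 0) + 1
        case = self.open_cases.get(alert.sip)
        if (case is not None
                and alert.detected_at - case.opened_at <= self.window
                and len(case.alerts) < self.max_alerts):
            case.alerts.append(alert)
            return "grouped"
        # Window expired, case full, or first sighting: open a new ticket.
        case = Case(sip=alert.sip, opened_at=alert.detected_at, alerts=[alert])
        self.open_cases[alert.sip] = case
        self.tickets.append(case)
        return "new_ticket"

    def exclusion_candidates(self, min_alerts: int = 3) -> list:
        """IPs seen at least min_alerts times: review, then add to the list."""
        return sorted(ip for ip, n in self.total_seen.items() if n >= min_alerts)


def reference_list_update(list_name: str, current: list, new_ips: list) -> dict:
    """Merged, de-duplicated list body; shape assumed, adapt to your API."""
    return {"name": list_name, "lines": sorted(set(current) | set(new_ips))}


# Constructed sample: one IOC-listed IP re-firing every couple of hours plus
# one other IP. Addresses are documentation ranges, not real indicators.
T0 = datetime(2024, 5, 1, 0, 0)
SAMPLE_ALERTS = [
    Alert("203.0.113.10", T0),
    Alert("203.0.113.10", T0 + timedelta(hours=2)),
    Alert("198.51.100.7", T0 + timedelta(hours=1)),
    Alert("203.0.113.10", T0 + timedelta(hours=4)),
    Alert("203.0.113.10", T0 + timedelta(hours=6)),   # case already holds 3
    Alert("203.0.113.10", T0 + timedelta(hours=40)),  # outside the 24h window
]


def run_sample():
    s = Suppressor(max_hours=24, max_alerts=3)
    decisions = [s.handle(a) for a in SAMPLE_ALERTS]
    candidates = s.exclusion_candidates(min_alerts=3)
    payload = reference_list_update("detectedIp", ["192.0.2.55"], candidates)
    return decisions, len(s.tickets), candidates, payload


if __name__ == "__main__":
    decisions, tickets, candidates, payload = run_sample()
    print("decisions:", decisions)
    print("tickets opened:", tickets, "instead of", len(SAMPLE_ALERTS))
    print("add to %detectedIp:", candidates)
    print("reference list body:", payload)
```

With a 24-hour window and three alerts per case, the six sample alerts open four tickets instead of six; the repeat offender is reported as a candidate for the exclusion list, and the merged body is what you would hand to whatever call updates `%detectedIp`. Keep `max_hours` at or above the rule's match window so the grouping layer cannot miss the re-fire it is meant to absorb.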