support soc

Advanced EPL Error

Discussion created by support soc on Nov 26, 2020
Latest reply on Nov 30, 2020 by Josh Randall

Dear Team,

Check Point IPS doesn't show the destination IP address field in raw logs or syslogs, but the source IP is visible.

(IPS logs do not contain a destination IP field.) So, for the time being, I am writing a rule to guess a few IPS destination IP addresses from an IOC/feed log (as a source), in a pattern with the IPS log.

I am getting the error below on the rule save page. Please check and help.

Syntax error in module. Incorrect syntax near 'exists' (a reserved keyword) at line 9 column 8, please check the filter specification within the from clause [

@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
(medium IN ( 32 )
AND device_type IN ( 'checkpointfw1' )
AND ip_src IS NOT NULL
AND ip_dst IN ('xx1.xx2.xx3.xx4')
AND isOneOfIgnoreCase(action,{ 'accept' })
AND ( 'TS-Inbound' = ANY( alert_custom ) )
AND ioc exists
AND threat_source exists
OR
(isOneOfIgnoreCase(event.type,{ 'ips' }))
).win:time(150 Seconds)
MATCH_RECOGNIZE (
PARTITION BY ip_src
MEASURES E1 as e1_data , E2 as e2_data
PATTERN (E1 E2)
DEFINE
E1 as (E1.medium IN ( 32 ) AND E1.device_type IN ( 'checkpointfw1' ) AND E1.ip_src IS NOT NULL AND E1.ip_dst IS ('xx1.xx2.xx3.xx4') AND isOneOfIgnoreCase(E1.action,{ 'accept' }) AND ( 'TS-Inbound' = ANY( E1.alert_custom ) ) AND E1.ioc exists AND E1.threat.source exists),
E2 as (isOneOfIgnoreCase(event.type,{ 'ips' }))
)]
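For reference, the corrected form of the rule above, added here by the editor rather than taken from the original post or from the reply in this thread. The error points at `ioc exists` (line 9 of the module, counting from the `@RSAAlert` line): Esper EPL has no `exists` operator for a field, so a null check is written `IS NOT NULL`. The same rule also has `E1.ip_dst IS ('xx1.xx2.xx3.xx4')` (`IS` is not a comparison; use `=` or `IN`), `E1.threat.source` where the rest of the rule uses `threat_source`, and `event.type`, which is assumed below to map to `event_type` in the same way `ip.src` maps to `ip_src` and `device.type` to `device_type`. The explicit parentheses around the two OR branches of the filter are added so the precedence is visible (AND already binds tighter than OR, so the original filter parsed as intended). The placeholder address and the meta key names are kept exactly as posted; adjust them to your own values.

```epl
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
  (
    // Branch 1: the IOC/feed log that carries a known ip_dst
    medium IN ( 32 )
    AND device_type IN ( 'checkpointfw1' )
    AND ip_src IS NOT NULL
    AND ip_dst IN ( 'xx1.xx2.xx3.xx4' )
    AND isOneOfIgnoreCase(action, { 'accept' })
    AND ( 'TS-Inbound' = ANY( alert_custom ) )
    AND ioc IS NOT NULL            // was: ioc exists
    AND threat_source IS NOT NULL  // was: threat_source exists
  )
  OR
  (
    // Branch 2: the IPS log that has no ip_dst of its own
    // event_type is assumed to be the ESA name for the event.type meta key
    isOneOfIgnoreCase(event_type, { 'ips' })
  )
).win:time(150 seconds)
MATCH_RECOGNIZE (
  // Both events share the attacker IP, so correlate on ip_src
  PARTITION BY ip_src
  MEASURES E1 AS e1_data, E2 AS e2_data
  PATTERN (E1 E2)
  DEFINE
    E1 AS (E1.medium IN ( 32 )
      AND E1.device_type IN ( 'checkpointfw1' )
      AND E1.ip_src IS NOT NULL
      AND E1.ip_dst IN ( 'xx1.xx2.xx3.xx4' )   // was: IS ('xx1.xx2.xx3.xx4')
      AND isOneOfIgnoreCase(E1.action, { 'accept' })
      AND ( 'TS-Inbound' = ANY( E1.alert_custom ) )
      AND E1.ioc IS NOT NULL
      AND E1.threat_source IS NOT NULL),        // was: E1.threat.source exists
    E2 AS (isOneOfIgnoreCase(E2.event_type, { 'ips' }))
)
```

Two things to keep in mind when reading the alert output: `PATTERN (E1 E2)` only fires when the feed event (E1) arrives before the IPS event (E2) for the same `ip_src` inside the 150-second window, so an IPS event that lands first will not match; and the destination you are inferring is `e1_data.ip_dst`, i.e. the feed event's destination, not anything observed in the IPS log itself, so treat it as a hint for triage rather than as a fact about the IPS session.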