2020-11-26 03:11 PM
Dear Team,
CheckPoint IPS doesn't show the destination IP address field in raw logs or syslogs, but the source IP is visible.
(IPS logs do not contain a destination IP field.) So I am writing a rule to guess a few IPS destination IP addresses from an IOC/feed log (as a source), in a pattern with the IPS log, for the time being.
I am getting the error below on the rule save page. Please check and help.
Syntax error in module. Incorrect syntax near 'exists' (a reserved keyword) at line 9 column 8, please check the filter specification within the from clause [
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
(medium IN ( 32 )
AND device_type IN ( 'checkpointfw1' )
AND ip_src IS NOT NULL
AND ip_dst IN ('xx1.xx2.xx3.xx4')
AND isOneOfIgnoreCase(action,{ 'accept' })
AND ( 'TS-Inbound' = ANY( alert_custom ) )
AND ioc exists
AND threat_source exists
OR
(isOneOfIgnoreCase(event.type,{ 'ips' }))
).win:time(150 Seconds)
MATCH_RECOGNIZE (
PARTITION BY ip_src
MEASURES E1 as e1_data , E2 as e2_data
PATTERN (E1 E2)
DEFINE
E1 as (E1.medium IN ( 32 ) AND E1.device_type IN ( 'checkpointfw1' ) AND E1.ip_src IS NOT NULL AND E1.ip_dst IS ('xx1.xx2.xx3.xx4') AND isOneOfIgnoreCase(E1.action,{ 'accept' }) AND ( 'TS-Inbound' = ANY( E1.alert_custom ) ) AND E1.ioc exists AND E1.threat.source exists),
E2 as (isOneOfIgnoreCase(event.type,{ 'ips' }))
)]
2020-11-28 11:54 AM
Please help
2020-11-30 08:48 PM
Hello,
You will need to replace exists with IS NOT NULL, e.g.:
SELECT * FROM Event(
ioc IS NOT NULL
AND threat_source IS NOT NULL
);
You can use the ESA rule builder to help with these kinds of syntax/language issues (I nearly always try to build as much of my advanced ESA rules within the rule builder first, to help make sure I'm using proper syntax).
The above EPL is generated from within the rule builder, like this:
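The correlation the rule in this thread is trying to express, as an added Python example. It is not part of the thread, not NetWitness/ESA or Esper code, and not the rule-builder output the reply refers to; it simulates the win:time(150 Seconds) window and the (E1 E2) pattern partitioned by ip_src over constructed sample events, using the IS NOT NULL form from the reply for the ioc and threat_source checks. Assumptions: events are dicts whose keys mirror the ESA meta names used in the rule, 'xx1.xx2.xx3.xx4' is the placeholder from the thread, and a second placeholder host 'xx5.xx6.xx7.xx8' is added to the watched list so the ambiguous case can be shown. All sample records are constructed, not real log data.

```python
"""Plain-Python simulation of the ESA rule from the thread:
Event(...).win:time(150 Seconds) MATCH_RECOGNIZE PARTITION BY ip_src PATTERN (E1 E2).
E1 = CheckPoint firewall 'accept' to a watched destination, enriched with IOC/feed meta.
E2 = CheckPoint IPS event from the same source; the IPS log carries no ip_dst, so the
alert borrows the ip_dst seen on E1 as the inferred destination of the IPS event.
Added example, not NetWitness code; all events below are constructed."""
from collections import defaultdict

WINDOW_SECONDS = 150
# 'xx1.xx2.xx3.xx4' is the placeholder from the thread; the second host is assumed
# here only so that an ambiguous guess can be demonstrated.
WATCHED_DSTS = {"xx1.xx2.xx3.xx4", "xx5.xx6.xx7.xx8"}


def is_e1(ev):
    """E1 filter; 'is not None' is the Python counterpart of EPL's IS NOT NULL."""
    return (
        ev.get("medium") == 32
        and ev.get("device_type") == "checkpointfw1"
        and ev.get("ip_src") is not None
        and ev.get("ip_dst") in WATCHED_DSTS
        and (ev.get("action") or "").lower() == "accept"          # isOneOfIgnoreCase
        and "TS-Inbound" in (ev.get("alert_custom") or [])        # 'TS-Inbound' = ANY(...)
        and ev.get("ioc") is not None
        and ev.get("threat_source") is not None
    )


def is_e2(ev):
    """E2 filter: an IPS event (compared case-insensitively, as in the rule)."""
    return (ev.get("event_type") or "").lower() == "ips"


def correlate(events, window=WINDOW_SECONDS):
    """Return one alert per IPS event that is preceded, within `window` seconds and
    from the same ip_src, by at least one E1 event. The inferred destination comes
    from the most recent E1; every in-window candidate is listed so that a guess
    based on more than one destination is flagged as ambiguous."""
    pending = defaultdict(list)          # ip_src -> E1 events still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev.get("ip_src")
        if src is None:
            continue
        # slide the time window: drop E1 events older than `window` seconds
        pending[src] = [e1 for e1 in pending[src] if ev["time"] - e1["time"] <= window]
        if is_e1(ev):
            pending[src].append(ev)
        elif is_e2(ev) and pending[src]:
            candidates = sorted({e1["ip_dst"] for e1 in pending[src]})
            alerts.append({
                "ip_src": src,
                "ips_time": ev["time"],
                "inferred_ip_dst": pending[src][-1]["ip_dst"],
                "candidate_dsts": candidates,
                "ambiguous": len(candidates) > 1,
            })
            pending[src] = []            # matched E1 events are consumed by the match
    return alerts


def _fw(t, src, dst, enriched=True):
    """Constructed CheckPoint firewall accept record (not real log data)."""
    return {"time": t, "medium": 32, "device_type": "checkpointfw1", "ip_src": src,
            "ip_dst": dst, "action": "Accept", "alert_custom": ["TS-Inbound"],
            "ioc": "feed-hit" if enriched else None,
            "threat_source": "example-feed" if enriched else None, "event_type": None}


def _ips(t, src):
    """Constructed CheckPoint IPS record; note there is no ip_dst."""
    return {"time": t, "medium": 32, "device_type": "checkpointfw1", "ip_src": src,
            "ip_dst": None, "action": "Prevent", "alert_custom": [], "ioc": None,
            "threat_source": None, "event_type": "IPS"}


SAMPLE_EVENTS = [
    _fw(0, "198.51.100.7", "xx1.xx2.xx3.xx4"),        # E1
    _ips(40, "198.51.100.7"),                           # E2 40 s later -> alert, dst inferred
    _fw(50, "203.0.113.9", "xx1.xx2.xx3.xx4", False),  # accept without IOC meta -> not E1
    _ips(60, "203.0.113.9"),                            # no E1 for this source -> no alert
    _fw(100, "192.0.2.5", "xx1.xx2.xx3.xx4"),          # E1 ...
    _ips(300, "192.0.2.5"),                             # ... IPS 200 s later -> outside window
    _fw(400, "198.51.100.7", "xx1.xx2.xx3.xx4"),       # two E1s to different hosts ...
    _fw(410, "198.51.100.7", "xx5.xx6.xx7.xx8"),
    _ips(420, "198.51.100.7"),                          # ... so the inferred dst is ambiguous
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)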