Hello,
Here is a short description of the case I want to detect:
- IBM offers X-Force to evaluate IPs and URLs against threat intelligence.
- I use both rules for detecting malicious IPs or malicious URLs.
- However, the malicious IP rule can fire if this IP is used for shared hosting and has a bad reputation due to one malicious website hosted there, while my user is browsing a safe one.
The logic I want is to ignore the X-Force Risky IP rule if an event containing a URL with the same destination IP is received within 3 minutes, because the X-Force URL rule is more appropriate.
For example, for a single user connection, I have the following sequence of Check Point, Fortinet, L4 & L7 events (malicious IP but safe URL):
- event with ip
- event with ip + url
- event with ip
- event with ip + url
- event with ip
I created 2 building blocks:
- One for tagging events having a malicious IP and no URL
- One for tagging events having a malicious IP and a URL
And a rule like this, to fire an offense if a risky IP is detected but not followed by an event containing a URL:
Apply Risky IP not followed by URL on events which are detected by the Local system
and when none of BB: X-Force Risky IP with URL match in 3 minutes after BB: Risky IP without URL match with the same Destination IP
It works great in my previous sequence, except for the last event (5), because it is not followed by an event containing a URL, but PRECEDED by this type of event.
However, I cannot find any rule logic to not fire my offense if my event is PRECEDED by ......
Can a rule king propose me a way to achieve that?
Thank you
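One way to express the "not preceded or followed by a URL event" logic outside the QRadar rule editor, as an added example that is not part of the original post or of QRadar itself: a small Python stream correlator that holds each IP-only Risky IP event for the 3-minute window and drops it if a "Risky IP with URL" event for the same destination IP arrived within the window before or after it. The event fields (`ts`, `dst_ip`, `risky_ip`, `url`) and the sample addresses are assumptions.

```python
from collections import deque
WINDOW = 3 * 60  # seconds; the same 3-minute window as the rule in the post

class RiskyIpCorrelator:
    """Alert on an IP-only Risky-IP event unless a 'Risky IP with URL' event for the
    same destination IP is seen within WINDOW seconds before OR after it."""
    def __init__(self, window=WINDOW):
        self.window = window
        self.pending = {}   # dst_ip -> deque of (ts, event) waiting for a URL event
        self.last_url = {}  # dst_ip -> timestamp of the most recent URL event
        self.alerts = []

    def _expire(self, now):
        # IP-only events whose window elapsed with no URL event become alerts
        for ip in list(self.pending):
            q = self.pending[ip]
            while q and now - q[0][0] > self.window:
                self.alerts.append(q.popleft()[1])
            if not q:
                del self.pending[ip]

    def process(self, event):
        now, ip = event["ts"], event["dst_ip"]
        self._expire(now)
        if not event.get("risky_ip"):
            return  # destination IP not flagged by X-Force: nothing to correlate
        if event.get("url"):
            self.last_url[ip] = now     # remember it for later IP-only events
            self.pending.pop(ip, None)  # "followed by URL": drop earlier IP-only hits
            return
        last = self.last_url.get(ip)
        if last is not None and now - last <= self.window:
            return  # "PRECEDED by URL" within the window: suppress
        self.pending.setdefault(ip, deque()).append((now, event))

    def flush(self, now):
        self._expire(now)  # close the window at `now`
        return list(self.alerts)

def run(events, end_ts):
    # Feed time-ordered events through one correlator; return alerts raised by end_ts
    c = RiskyIpCorrelator()
    for ev in events:
        c.process(ev)
    return c.flush(end_ts)

# Constructed sample: the post's five-event sequence against one shared host, 10 s apart
SEQUENCE = [{"ts": t, "dst_ip": "203.0.113.10", "risky_ip": True, "url": u}
            for t, u in ((0, None), (10, "http://safe.example/"), (20, None),
                         (30, "http://safe.example/"), (40, None))]
```

`run(SEQUENCE, 600)` returns no alerts, including for the fifth event that is only preceded by a URL event; an IP-only event with no URL event for that destination within 3 minutes on either side is returned as an alert.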