
Log Stream Guide


Expressions for Enrichment Mapping

The tables below describe the functional expressions that can be used to configure rule conditions and field mapping when defining custom enrichment rules. The expressions fall into the following categories: General, String, Boolean and Conditional, IP and Network, and Context.

General Expressions

These expressions perform general operations such as mathematical calculations or basic data evaluation.

Expression

Description

Inputs

Example / Result

add(x1, ..., xn)

Returns the sum of numerical arguments.

x = any number

Example:

add(bytes_in, bytes_out)

Result:

Returns the sum of the bytes_in and bytes_out values.

ceil(x)

Returns the lowest integer value that is greater than or equal to the argument x.

x = a number

Example:

ceil(version)

Result:

For a version field with a value of 1.09, a value of 2 is returned.

divide(x, y)

or

div(x,y)

Returns a value of x divided by y.

x = a number

y = a number

Example:

divide(base_risk_score, 2)

Result:

Returns the value of the base_risk_score field divided in half.

first(e1, ..., en)

Returns the value of the first expression that evaluates to a non-empty, non-zero value.

e = an expression

Example:

first(src_host, src_ip)

Result:

Returns the value of either the src_host or src_ip, whichever is found first and is not null.

floor(x)

Returns the greatest integer value that is less than or equal to the argument, x.

x = a number

Example:

floor(version)

Result:

For a version field with a value of 1.09, a value of 1 is returned.

format(formatspec, v1, ...)

Formats arguments according to a specified format string.

formatspec = a format specifier

v1 ... = arguments to be formatted

Example:

format('%.2f', 2.34567)

Result:

Returns 2.35

hexToInt(s)

Converts a hexadecimal number to an integer.

s = a hex number string

Both "fff" and "0xfff" formats are supported.

Example:

hexToInt('4D2')

Result:

Returns a value of 1234.

inList(x, v1, v2, v3...)

Confirms that the value of argument x matches any of the values in the specified list.

x = a value (number or string) to compare

v1, v2, v3 = values in the specified list

Example:

inList(activity, 'login', 'authentication')

Result:

Returns a value of true if the activity field matches any of the listed values.

max(x1, ..., xn)

Returns the maximum of arguments as numbers

x = a number

Example:

max(base_risk_score, 3)

Result:

Returns whichever is the larger value, the base_risk_score or 3.

min(x1, ..., xn)

Returns the minimum of arguments as numbers.

x = a number

Example:

min(base_risk_score, 3)

Result:

Returns whichever is the smaller value, the base_risk_score or 3.

multiply(x1, ..., xn)

or

mul(x1, ..., xn)

Returns a value that is the product of multiplying all the arguments listed.

x = a number

Example:

multiply(base_risk_score, 0.5)

Result:

Returns a value that is half of the base_risk_score.

power(x,y)

or

pow(x,y)

Returns a value of x to the power of y.

x = a number

y = a power

Example:

power(base_risk_score, 2)

Result:

Returns a value that is the square of the base_risk_score (the base_risk_score raised to the power of 2).

returnIf(vbool, vtrue, vfalse)

If the boolean value vbool is true, returns vtrue, otherwise returns vfalse.

vbool = the Boolean expression to be evaluated

vtrue = value to return if true

vfalse = value to return if false

Example:

returnIf(exists(alert_name), alert_name, alert_type)

Result:

If the alert_name value is not null, the alert_name value is returned, otherwise the value of the alert_type is returned.

round(x)

Return the value of the argument, x rounded to the nearest integer.

x = a number

Example:

round(eventVersion)

Result:

Returns the value of the event version, rounded to the nearest integer.

subtract(x,y)

Returns the value of x - y.

x = a number

y = a number

Example:

subtract(base_risk_score, 3)

Result:

Returns the value of the base_risk_score minus 3.

toBoolean(expr)

Returns the specified expression as a Boolean value.

expr = an expression

Example:

toBoolean(c_is_valid_ip)

Result:

If the custom field, c_is_valid_ip, is a string type field, this expression allows it to act as a Boolean test that returns a value of true or false.

toNumber(expr)

Returns the specified expression as a numerical value.

expr = an expression

Example:

toNumber(bytes_in)

Result:

Returns the value of the bytes_in field as a numerical value.

toString(expr)

Returns the specified expression as a string value.

expr = an expression

Example:

toString(service_name)

Result:

Converts the value of the service_name field to a string value.
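The following is an added example and is not code from the Log Stream guide: a Python model of the documented semantics of hexToInt, first, inList and toBoolean, written so the edge cases (both hex formats, empty versus zero values, and a string-typed field that spells out a Boolean) can be checked before an enrichment rule depends on them. The accepted Boolean spellings and the handling of malformed hex input are assumptions; the guide does not specify them.

```python
# Added example, not code from the Log Stream guide: Python models of
# hexToInt, first, inList and toBoolean, written to make the edge cases
# explicit (both hex formats, empty vs. zero values, string fields that
# spell out a Boolean). The accepted Boolean spellings and the handling
# of malformed input are assumptions; the guide does not specify them.
from typing import Any, Optional

# Assumed spellings for toBoolean on string-typed fields.
_TRUE_WORDS = {"true", "t", "yes", "y", "1"}
_FALSE_WORDS = {"false", "f", "no", "n", "0"}


def hex_to_int(s: Any) -> Optional[int]:
    """hexToInt(s): accept 'fff' or '0xfff'. Assumption: non-hex input
    yields no value (None) rather than an error."""
    if not isinstance(s, str):
        return None
    text = s.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    if not text:
        return None
    try:
        return int(text, 16)
    except ValueError:
        return None


def first(*values: Any) -> Any:
    """first(e1, ..., en): the first argument that is neither empty nor
    zero; None, '', 0 and 0.0 are skipped (False counts as zero)."""
    for v in values:
        if v is not None and v != "" and v != 0:
            return v
    return None


def in_list(x: Any, *candidates: Any) -> bool:
    """inList(x, v1, ...): exact, case-sensitive membership test."""
    return any(x == c for c in candidates)


def to_boolean(value: Any) -> Optional[bool]:
    """toBoolean(expr): a string field such as c_is_valid_ip acts as a
    Boolean test. Unlike Python's bool(), the text 'false' is False."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        word = value.strip().lower()
        if word in _TRUE_WORDS:
            return True
        if word in _FALSE_WORDS:
            return False
    return None  # assumption: unrecognised input yields no value


if __name__ == "__main__":
    # Constructed sample values.
    print(hex_to_int("4D2"), hex_to_int("0xfff"), hex_to_int("xyz"))
    print(first("", None, 0, "10.0.0.5"))
    print(in_list("login", "login", "authentication"))
    print(to_boolean("false"), bool("false"))
```

The to_boolean comparison with Python's own bool() is the point to take away: a string field holding the text "false" is truthy under naive coercion, so a rule condition that relies on a string-typed custom field should go through toBoolean rather than treating the field as a bare truth value.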

String Expressions

These expressions can be used to manipulate or evaluate string data.

Expression

Description

Inputs

Example / Result

beginsWith(s, prefix)

or

startsWith(s,prefix)

Returns a string value if it begins with the specified prefix.

s = a string

prefix = the specified prefix (case sensitive)

Example:

beginsWith(vendor, 'Exa')

Result:

Returns the value of the vendor field if it is prefixed by 'Exa'.

beginsWithAny(s, v1, v2, v3, ...)

or

startsWithAny(s, v1, v2, v3, ...)

Returns a string value if it begins with any of the specified prefixes.

s = a string

v1, v2, v3 = the specified prefixes (case sensitive)

Example:

beginsWithAny(vendor, 'Exa', 'Log')

Result:

Returns the value of the vendor field if it starts with either 'Exa' or 'Log'.

chopAfter(s, pattern, n)

Returns the value from a string, up to n number of occurrences of the pattern, and drops all characters including and after that occurrence.

s = a string

pattern = a pattern delimiter

n = a number of occurrences

Example:

chopAfter(host, '.', 1)

Result:

For a host field with a value of 192.168.100.1, a value of 192 is returned, without any of the other characters.

chopBefore(s, pattern, n)

Returns the value from a string, after n number of occurrences of the pattern, and drops all characters including and before that occurrence.

s = a string

pattern = a pattern delimiter

n = a number of occurrences

Example:

chopBefore(email_address, '@', 1)

Result:

For an email_address field whose value ends in @company.com, a value of company.com is returned, without any of the characters before or including the @ symbol.

concat(v1, v2, v3...)

Concatenates any number of specified values, treated as strings.

v1, v2, v3 = values treated as strings

Example:

concat(user, '@', domain)

Result:

Returns a value in the pattern of user@domain.

contains(s, s1)

Confirms that string s contains substring s1.

s = a string

s1 = a substring

Example:

contains(toLower(vendor), 'exabeam')

Result:

Returns a value of true if the vendor field contains the substring 'exabeam'.

containsAny(s, s1, ..., sn)

Confirms that string s contains any of the specified substrings.

s = a string

s1 - sn = specified substrings

Example:

containsAny(vendor, 'microsoft', 'amazon')

Result:

Returns a value of true if the vendor field contains either 'microsoft' or 'amazon'.

drop(s, n)

Returns a value with the first n number of characters dropped from the value of string s.

s = a string

n = number of characters

Example:

drop(vendor, 3)

Result:

Returns the value of the vendor field after dropping the first three characters. For the vendor 'Exabeam', a value of 'beam' would be returned.

dropright(s, n)

Returns a value with the last n number of characters dropped from the value of string s.

s = a string

n = number of characters

Example:

dropright(vendor, 4)

Result:

Returns the value of the vendor field after dropping the last four characters. For the vendor 'Exabeam', a value of 'Exa' would be returned.

endsWith(s, suffix)

Returns the value of string s if it ends with the specified suffix.

s = a string

suffix = the specified suffix

Example:

endsWith(host, '0.0.1')

Result:

Returns the value of the host field if it ends with '0.0.1'.

endsWithAny(s, v1, v2, v3...)

Returns the value of string s if it ends with any of the specified suffixes.

s = a string

v1, v2, v3 = the specified suffixes (case sensitive)

Example:

endsWithAny(toLower(email_address), '@exabeam.com', '.exabeam.com')

Result:

Returns the value of the email_address field if it ends with either of the specified suffixes.

indexOf(s, p)

Returns the index position of the first occurrence of the pattern delimiter p in string s. If the pattern is not present, no value is returned.

s = string

p = pattern delimiter

Example:

indexOf(src_ip, '.')

Result:

For a src_ip field with a value of 192.168.100.1, a value of 3 is returned, which is the position of the first occurrence of the pattern delimiter.

lastIndexOf(s, p)

Returns the index position of the last occurrence of the pattern delimiter p in string s. If the pattern is not present, no value is returned.

s = a string

p = the pattern delimiter

Example:

lastIndexOf(src_ip, '.')

Result:

For a src_ip field with a value of 192.168.100.1, a value of 10 is returned, which is the position of the last occurrence of the pattern delimiter.

lcp(s1, s2, ...)

or

LeastCommonPrefix(s1, s2, ...)

Returns the smallest common prefix of a list of specified strings. This function is case-sensitive.

s1, s2, ... = a specified list of strings

Example:

lcp('Exabeam', 'Exameter')

Result:

Returns the prefix Exa which appears in each of the listed strings.

lcs(s1, s2, ...)

or

LeastCommonSuffix(s1, s2, ...)

Returns the smallest common suffix of a list of specified strings. This function is case-sensitive.

s1, s2, ... = a specified list of strings

Example:

lcs('Exabeam', 'Jim Beam')

Result:

Returns the suffix eam which is the smallest, case-sensitive, suffix that appears in each of the listed strings.

length(s)

Returns the length of string s, if the length of the value is a non-zero number.

s = a string

Example:

length(user)

Result:

Returns the length of the value in the user field, as long as the field is not empty (the length of its value is a non-zero number).

replace(s,t,r)

In string s, replaces each substring that matches t (interpreted as a literal string) with r.

s = a string

t = a substring

r = a replacement substring

Example:

replace(email, '@domain.com', '@internal.local')

Result:

Replaces the substring '@domain.com' with '@internal.local' in an email field.

replaceAll(s,t,r)

In string s, replaces each substring that matches t (interpreted as a regular expression) with r.

s = a string

t = a substring

r = a replacement substring

Example:

replaceAll(email_subject, 're:', ' ')

Result:

Removes all the instances of substring 're:' from the string in an email_subject field.

replaceFirst(s,t,r)

In string s, replaces the first substring that matches t (interpreted as a regular expression) with r.

s = a string

t = a substring

r = a replacement substring

Example:

replaceFirst(email_subject, 're:', ' ')

Result:

Removes the first instance of substring 're:' from the string in an email_subject field.

slice(s, from, until)

Returns a substring value from string s, starting at index, from, and continuing up to but not including index, until.

s = a string

from = the starting index

until = the ending index

Example:

slice(domain, 4, lastIndexOf(domain, '.'))

Result:

Returns the portion of the domain field that starts at the fourth character and ends before the final '.' of the domain value.

startsWith(s, prefix)

See beginsWith

startsWithAny(s, v1, v2, v3 ...)

See beginsWithAny

stripPrefix(s, prefix)

Returns the value of string s, after removing the specified prefix.

s = a string

prefix = the prefix to remove

Example:

stripPrefix(awsRegion, 'us')

Result:

Returns the value of the AWS Region field without the specified prefix.

stripSuffix(s, suffix)

Returns the value of string s without the specified suffix.

s = a string

suffix = the suffix to remove

Example:

stripSuffix(awsRegion, '1')

Result:

Returns the value of the AWS Region field without the specified suffix.

take(s,n)

Return only the first n number of characters from string s.

s = a string

n = a number of characters

Example:

take(eventID, 8)

Result:

Returns the first 8 characters from the event ID string.

takeright(s,n)

Return only the last n number of characters from string, s.

s = a string

n = a number of characters

Example:

takeright(eventID, 4)

Result:

Returns the last 4 characters of the event ID string.

toLower(s)

Return an all lowercase representation of string s.

s = a string

Example:

toLower(vendor)

Result:

Returns the value of the vendor string in all lower case letters.

toUpper(s)

Returns an all uppercase representation of string s.

s = a string

Example:

toUpper(vendor)

Result:

Returns the value of the vendor string in all upper case letters.

trim(s)

Returns a version of string s with any leading or trailing whitespace removed.

s = a string

Example:

trim(email_subject)

Result:

Returns a stripped version of the value in the email_subject field, without any leading or trailing white spaces.
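The following is an added example and is not code from the Log Stream guide: Python models of the string expressions whose edge cases the guide leaves implicit (chopAfter, chopBefore, indexOf, lastIndexOf, lcp, lcs, replace, replaceAll and replaceFirst). Index positions are zero-based here, as in the guide's indexOf example; verify the index base against your deployment before building slice offsets on it. "No value" is modelled as None, and the behaviour when a pattern occurs fewer than n times is an assumption marked in the code.

```python
# Added example, not code from the Log Stream guide: Python models of the
# string expressions whose edge cases the guide leaves implicit. Index
# positions are zero-based; "no value" is modelled as None. Behaviour when
# a pattern occurs fewer than n times is an assumption (marked below).
import re
from typing import Optional


def _nth_index(s: str, pattern: str, n: int) -> int:
    """Zero-based index of the n-th (1-based) non-overlapping occurrence
    of pattern in s, or -1 if there are fewer than n occurrences."""
    start, pos = 0, -1
    for _ in range(max(n, 1)):
        pos = s.find(pattern, start)
        if pos < 0:
            return -1
        start = pos + max(len(pattern), 1)
    return pos


def chop_after(s: str, pattern: str, n: int = 1) -> str:
    """chopAfter(s, pattern, n): keep everything before the n-th occurrence.
    Assumption: with fewer than n occurrences the string is returned whole."""
    idx = _nth_index(s, pattern, n)
    return s if idx < 0 else s[:idx]


def chop_before(s: str, pattern: str, n: int = 1) -> Optional[str]:
    """chopBefore(s, pattern, n): keep everything after the n-th occurrence.
    Assumption: with fewer than n occurrences no value (None) is returned,
    so a value without the delimiter is not mistaken for, say, a domain."""
    idx = _nth_index(s, pattern, n)
    return None if idx < 0 else s[idx + len(pattern):]


def index_of(s: str, p: str) -> Optional[int]:
    """indexOf(s, p): zero-based position of the first occurrence, or None."""
    pos = s.find(p)
    return None if pos < 0 else pos


def last_index_of(s: str, p: str) -> Optional[int]:
    """lastIndexOf(s, p): zero-based position of the last occurrence, or None."""
    pos = s.rfind(p)
    return None if pos < 0 else pos


def lcp(*strings: str) -> str:
    """lcp(s1, s2, ...): case-sensitive common prefix of all arguments."""
    if not strings:
        return ""
    prefix = strings[0]
    for s in strings[1:]:
        i = 0
        while i < min(len(prefix), len(s)) and prefix[i] == s[i]:
            i += 1
        prefix = prefix[:i]
    return prefix


def lcs(*strings: str) -> str:
    """lcs(s1, s2, ...): case-sensitive common suffix, via lcp on reversed input."""
    return lcp(*(s[::-1] for s in strings))[::-1]


def replace_literal(s: str, t: str, r: str) -> str:
    """replace(s, t, r): t is a literal substring."""
    return s.replace(t, r)


def replace_all(s: str, t: str, r: str) -> str:
    """replaceAll(s, t, r): t is a regular expression, so metacharacters
    such as '.' match more than the literal character."""
    return re.sub(t, r, s)


def replace_first(s: str, t: str, r: str) -> str:
    """replaceFirst(s, t, r): regular-expression replacement of the first match."""
    return re.sub(t, r, s, count=1)


if __name__ == "__main__":
    # Constructed sample values.
    print(chop_after("192.168.100.1", ".", 1))        # 192
    print(chop_before("user@company.com", "@", 1))   # company.com
    print(lcp("Exabeam", "Exameter"), lcs("Exabeam", "Jim Beam"))
    # Literal vs. regex: the same '.' pattern behaves very differently.
    print(replace_literal("192.168.100.1", ".", "-"))
    print(replace_all("192.168.100.1", ".", "-"))
    print(replace_all("192.168.100.1", re.escape("."), "-"))
```

The replace versus replaceAll contrast is the practical check: the guide's replaceAll and replaceFirst treat t as a regular expression, so a pattern containing '.', '+', '(' or other metacharacters must be escaped, or the literal replace used instead, otherwise the mapping rewrites far more of the value than intended.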

Boolean and Conditional Expressions

These expressions can be used to perform logical operations and evaluate conditions.

Expression

Description

Inputs

Example / Result

and(e1, ..., en)

Returns true when all of the included Boolean expressions evaluate to true.

e = a Boolean expression

Example:

and(contains(toLower(vendor), 'exabeam'), endsWith(host, '0.0.1'))

Result:

A value of true is returned if both of the following expressions are true:

  • The value of the vendor field contains 'exabeam'

  • The value of the host field ends with '0.0.1'

exists(v1, v2, v3...)

Confirms that none of the specified string values are null.

v1, v2, v3 = the specified string values

Example:

exists(dest_email_address, src_email_address)

Result:

Returns a value of true if both of the specified fields are not null.

if(expr, if-true, if-false)

Returns one value if the expression evaluates to true and another value if it evaluates to false.

expr = an expression to evaluate

if-true = the value to return for true

if-false = the value to return for false

Example:

if(isSiteLocal(src_ip), first(src_host, src_ip), null)

Result:

If the src_ip is a local site address, the value of either the src_host or src_ip is returned, whichever occurs first. If the src_ip is not a local site address, a null value is returned.

in(expr, v1, ...)

Confirms whether the value of the expression is found in the specified list of values.

expr = an expression to evaluate

v1, v2, v3 = list of values

Example:

in(version, 1.09, 1.10, 1.11)

Result:

Returns a value of true if the version field is found in the specified list of values.

not(expr)

Returns the negation of the specified Boolean expression.

expr = the specified expression

Example:

not(contains(toLower(vendor), 'exabeam'))

Result:

Returns a negation of the specified expression.

or(e1, ..., en)

Returns true when any of the included Boolean expressions evaluates to true.

e = a Boolean expression

Example:

or(contains(toLower(vendor), 'exabeam'), endsWith(host, '0.0.1'))

Result:

A value of true is returned if either of the following expressions are true:

  • The value of the vendor field contains 'exabeam'

  • The value of the host field ends with '0.0.1'

IP and Network Expressions

These expressions are specific to IP address evaluation.

Expression

Description

Inputs

Example / Result

isIP(s)

Confirms that a string, s, is an IPv4 or IPv6 address.

s = a string

Example:

isIP(src_host)

Result:

Returns a value of true if the source host field is an IPv4 or IPv6 address.

isIPv4(s)

Confirms that a string, s, is an IPv4 address.

s = a string

Example:

isIPv4(src_host)

Result:

Returns a value of true if the source host field is an IPv4 address.

isIPv6(s)

Confirms that a string, s, is an IPv6 address.

s = a string

Example:

isIPv6(src_host)

Result:

Returns a value of true if the source host field is an IPv6 address.

isAnyLocal(s)

or

isAnyLocalAddress(s)

Confirms that a string, s, is the "any" (unspecified) local address:

0.0.0.0 or ::0

s = a string

Example:

isAnyLocal(src_host)

Result:

Returns a value of true if the source host field is a local address.

isLinkLocal(s)

or

isLinkLocalAddress(s)

Confirms that a string, s, is a link local address:

169.254.1.0 - 169.254.255.255, fe80::, etc.

s = a string

Example:

isLinkLocal(src_host)

Result:

Returns a value of true if the source host field is a link local address.

isLoopback(s)

or

isLoopBackAddress(s)

Confirms that a string, s, is a loopback address:

127.0.0.0 - 127.255.255.255, ::1, etc.

s = a string

Example:

isLoopback(src_host)

Result:

Returns a value of true if the source host field is a loopback address.

isMulticast(s)

or

isMulticastAddress(s)

Confirms that a string, s, is a multicast address:

224.0.0.0 - 239.255.255.255

s = a string

Example:

isMulticast(src_host)

Result:

Returns a value of true if the source host field is a multicast address.

isSiteLocal(s)

or

isSiteLocalAddress(s)

Confirms that a string, s, is a site local address:

10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255, etc.

s = a string

Example:

isSiteLocal(src_host)

Result:

Returns a value of true if the source host field is a site local address.
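The following is an added example and is not code from the Log Stream guide: the guide's IP predicates modelled with Python's ipaddress module, plus the guide's if(isSiteLocal(src_ip), first(src_host, src_ip), null) mapping applied to constructed events, so the classification of a field can be checked against known addresses before a rule uses it. The IPv4 ranges are the ones the guide lists; which IPv6 ranges count as site-local (fec0::/10 and the fc00::/7 unique-local range here) is an assumption, since the guide only says "etc.".

```python
# Added example, not code from the Log Stream guide: the guide's IP
# predicates modelled with Python's ipaddress module, and the guide's
#   if(isSiteLocal(src_ip), first(src_host, src_ip), null)
# mapping applied to constructed events. Which IPv6 ranges count as
# site-local is an assumption (fec0::/10 and the fc00::/7 unique-local
# range); the guide lists only the IPv4 ranges and says "etc.".
import ipaddress
from typing import Any, Optional

_SITE_LOCAL_V4 = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_SITE_LOCAL_V6 = [ipaddress.ip_network(n) for n in ("fec0::/10", "fc00::/7")]


def _parse(s: Any):
    """Parse a field value as an IP address; None if it is not one."""
    try:
        return ipaddress.ip_address(str(s).strip())
    except ValueError:
        return None


def is_ip(s: Any) -> bool:
    """isIP: IPv4 or IPv6 address."""
    return _parse(s) is not None


def is_ipv4(s: Any) -> bool:
    a = _parse(s)
    return a is not None and a.version == 4


def is_ipv6(s: Any) -> bool:
    a = _parse(s)
    return a is not None and a.version == 6


def is_any_local(s: Any) -> bool:
    """isAnyLocal: 0.0.0.0 or :: (the unspecified address)."""
    a = _parse(s)
    return a is not None and a.is_unspecified


def is_link_local(s: Any) -> bool:
    a = _parse(s)
    return a is not None and a.is_link_local


def is_loopback(s: Any) -> bool:
    a = _parse(s)
    return a is not None and a.is_loopback


def is_multicast(s: Any) -> bool:
    a = _parse(s)
    return a is not None and a.is_multicast


def is_site_local(s: Any) -> bool:
    """isSiteLocal: RFC 1918 ranges for IPv4; assumed ranges for IPv6."""
    a = _parse(s)
    if a is None:
        return False
    nets = _SITE_LOCAL_V4 if a.version == 4 else _SITE_LOCAL_V6
    return any(a in n for n in nets)


def first(*values: Any) -> Any:
    """first(e1, ..., en): first argument that is neither empty nor zero."""
    for v in values:
        if v is not None and v != "" and v != 0:
            return v
    return None


def enrich_source(event: dict) -> Optional[str]:
    """The guide's mapping: if(isSiteLocal(src_ip), first(src_host, src_ip), null)."""
    src_ip = event.get("src_ip")
    if is_site_local(src_ip):
        return first(event.get("src_host"), src_ip)
    return None


if __name__ == "__main__":
    # Constructed sample events.
    for ev in ({"src_host": "ws-42", "src_ip": "192.168.1.10"},
               {"src_host": "", "src_ip": "10.20.30.40"},
               {"src_host": "ws-42", "src_ip": "8.8.8.8"}):
        print(ev["src_ip"], "->", enrich_source(ev))
```

Note that a value that is not an address at all (a hostname, or an empty field) makes every predicate false rather than raising, which is the behaviour a rule condition needs when src_host can hold either a name or an address.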

Context Expressions

These expressions are specific to contextual data or operations.

Expression

Description

Inputs

Example / Result

GetContextAttribute(T, K, A)

Returns the value of an attribute column A from whichever row matches K in the key column of context table T.

T = context table name

K = value in a row of the key column

A = an attribute column in the context table

Example:

GetContextAttribute('CrowdStrike Devices', aid, 'hostname')

Result:

Looks in the key column of the CrowdStrike Devices context table for the row that matches the value of the 'aid' event field. Returns the hostname from that row.

HasContextKey(T, K)

Confirms whether a context table T exists and contains a specific value in the key column K.

T = context table name

K = the value to look for in the key column

Example:

HasContextKey('CrowdStrike Devices', aid)

Result:

Returns a value of true or false depending on whether any row of the key column in the CrowdStrike Devices context table contains the value of the aid event field.