Expressions for Parser Field Extractions and Enrichment Mapping

The charts below describe the functional expressions that can be used to configure rule conditions in Log Stream. There are two situations in Log Stream where configuring these conditions is necessary:

Parser Field Extraction – During parser creation in Log Stream, when defining how a parser should extract value from a raw log, you can use the expressions below to build conditions that describe which fields to extract value from. Because parsers are operating on raw logs, these expressions cannot reference the common information model (CIM) fields directly. Instead, for extraction conditions, the expressions must be written using JSON xpath syntax. For example: add($.eventVersion,1)
Enrichment Rules – When building custom enrichment rules on the Enrichments tab in Log Stream, you can use the expressions below to build conditions that will map field data from raw logs to Exabeam common information model (CIM) fields. Because enrichment rules operate on event data, the expressions can reference the CIM field names directly, with no special syntax. For example: add(bytes_in, bytes_out)

Important

The examples below reference CIM fields directly. Remember that if you're using these conditions to build expressions for field extractions when defining a parser, you must use the JSON xpath syntax and preface field names with $. characters.

General Expressions

These expressions perform general operations such as mathematical calculations or basic data evaluation.

Expression	Description	Inputs	Example / Result
`add(x1, ..., xn)`	Returns the sum of numerical arguments.	`x` = any number	Example: `add(bytes_in, bytes_out)` Result: Returns the sum of the `bytes_in` and `bytes_out` values.
`ceil(x)`	Returns the lowest integer value that is greater than or equal to the argument `x`.	`x` = a number	Example: `ceil(version)` Result: For a `version` field with a value of `1.09`, a value of `2` is returned.
`div(x,y)`	Returns a value of `x` divided by `y`. An alternate form of `divide(x, y)`	`x` = a number `y` = a number	Example: `div(base_risk_score, 2)` Result: Returns the value of the `base_risk_score` field divided in half.
`divide(x, y)`	Returns a value of `x` divided by `y`. An alternate form of `div(x, y)`	`x` = a number `y` = a number	Example: `divide(base_risk_score, 2)` Result: Returns the value of the `base_risk_score` field divided in half.
`first(e1, ..., en)`	Returns the value of the first expression that evaluates to non-empty and non-zero.	`e1, ..., en` = a set of expressions	Example: `first(src_ip, dest_ip)` Result: Returns the value of either the `src_ip` or `dest_ip`, whichever first evaluates to be non-empty and non-zero.
`floor(x)`	Returns the greatest integer value that is less than or equal to the argument, `x`.	`x` = a number	Example: `floor(version)` Result: For a `version` field with a value of `1.09`, a value of `1` is returned.
`format(formatspec, v1, ...)`	Formats arguments according to a specified format string.	`formatspec` = a format specifier `v1 ...` = arguments to be formatted	Example: `format('%.2f', 2.34567)` Result: Returns `2.35`.
`hexToInt(s)`	Converts a hexidecimal number to an integer.	`s` = a hex number string Both "`fff`" and "`0xfff`" formats are supported.	Example: `hexToInts(4D2)` Result: Returns a value of `1234`.
`inList(x, v1, v2, v3...)`	Confirms that the value of argument `x` matches any of the values in the specified list.	`x` = an argument `v1, v2, v3` = values in the specified list	Example: `InList(activity, 'login', 'authentication')` Result: Returns a value of `true` if the `activity` field matches any of the listed values.
`max(x1, ..., xn)`	Returns the maximum of arguments as numbers	`x` = an argument	Example: `max(base_risk_score, 3)` Result: Returns whichever is the larger value, the `base_risk_score` or `3`.
`min(x1, ..., xn)`	Returns the minimum of arguments as numbers.	x = an argument	Example: `min(base_risk_score, 3)` Result: Returns whichever is the smaller value, the `base_risk_score` or `3`.
`mul(x1, ..., xn)`	Returns a value that is the product of multiplying all the arguments listed. An alternate form of `multiply(x1, ..., xn)`.	`x` = an argument	Example: `mul(base_risk_score, 0.5)` Result: Returns a value that is half of the `base_risk_score`.
`multiply(x1, ..., xn)`	Returns a value that is the product of multiplying all the arguments listed. An alternate form of `mul(x1, ..., xn)`	`x` = an argument	Example: `multiply(base_risk_score, 0.5)` Result: Returns a value that is half of the `base_risk_score`.
`pow(x,y)`	Returns a value of `x` to the power of `y`. An alternate form of `power(x,y)`.	`x` = a number `y` = a power	Example: `pow(base_risk_score, 2)` Result: Returns a value that is twice the value of the `base_risk_score`.
`power(x,y)`	Returns a value of `x` to the power of `y`. An alternate form of `pow(x,y)`.	`x` = a number `y` = a power	Example: `power(base_risk_score, 2)` `power(base_risk_score, 2)` Returns a value that is twice the value of the `base_risk_score`.
`returnIf(vbool, vtrue, vfalse)`	If the Boolean expression `vbool` is true, returns `vtrue`, otherwise returns `vfalse`.	`vbool` = the Boolean expression to be evaluated `vtrue` = value to return if true `vfalse` = value to return if false	Example: `returnIf(exists(alert_name), alert_name, alert_type)` Result: If the `alert_name` value is not null, the `alert_name` value is returned, otherwise the value of the `alert_type` is returned.
`round(x)`	Return the value of the argument, `x` rounded to the nearest integer.	`x` = a number	Example: `round(eventVersion)` Result: Returns the value of the `event version`, rounded to the nearest integer.
`subtract(x,y)`	Returns the value of `x - y`.	`x` = a number `y` = a number	Example: `subtract(base_risk_score, 3)` Result: Returns the value of the `base_risk_score` minus `3`.
`toBoolean(expr)`	A cast operation that converts the specified expression to a Boolean value.	`expr` = an expression	`toBoolean(c_is_valid_ip)` Converts the value of the `c_is_valid_ip` field to a Boolean expression that can return a value of `true` or `false`.
`toNumber(expr)`	A cast operation that converts the specified expression to a numerical value.	`expr` = an expression	Example: `toNumber(bytes_in)` Results: Converts the value of the `bytes_in` field to a numerical value.
`toString(expr)`	A cast operation that converts the specified expression to a string value.	`expr` = an expression	Example: `toString(service_name)` Result: Converts the value of the `service_name` field to a string value.

String Expressions

These expressions can be used to manipulate or evaluate string data.

Expression	Description	Inputs	Example / Result
`beginsWith(s, prefix)`	Confirms whether a string value begins with the specified prefix. An alternate form of `startwWith(s,prefix)`.	`s` = a string `prefix` = the specified prefix (case sensitive)	Example: `beginsWith(vendor, 'Exa')` Result: Returns a value of `true` if the `vendor` field begins with '`Exa`'.
`beginsWithAny(s, v1, v2, v3, ...)`	Confirms whether a string value begins with any of the specified prefixes. An alternate for of starts `WithAny(s, v1, v2, v3, ...)`.	`s = a string` `v1, v2, v3` = the specified prefixes (case sensitive)	Example: `beginsWithAny(vendor, 'Exa', 'Log')` Result: Returns a value of `true` if the the `vendor` field begins with either '`Exa`' or '`Log`'.
`chopAfter(s, pattern, n)`	Returns the value from a string, up to `n` number of occurrences of the pattern, and drops all characters including and after that occurrence.	`s` = a string `pattern` = a pattern delimiter `n` = a number of occurrences	Example: `chopAfter(host, '.', 1)` Result: For a host field with a value or `192.168.100.1`, a value of `192` is returned, without any of the other characters.
`chopBefore(s, pattern, n)`	Returns the value from a string, after `n` number of occurrences of the pattern, and drops all characters including and before that occurrence.	`s` = a string `pattern` = a pattern delimiter `n` = a number of occurrences	Example: `chopBefore(email_address, '@', 1)` Result: In an email field with a value of `[email protected]`, a value of `company.com` is returned, without any of the characters before or including the `@` symbol.
`concat(v1, v2, v3...)`	Concatenates any number of specified values, treated as strings.	`v1`, `v2`, `v3` = values treated as strings	Example: `concat(user, '@', domain)` Result: Returns a value in the pattern of `user@domain`.
`contains(s, s1)`	Confirms whether string `s` contains substring `s1`.	`s` = a string `s1` = a substring	Example: `contains(toLower(vendor), 'exabeam')` Result: Returns a value of `true` if the `vendor` field contains the substring '`exabeam`'.
`containsAny(s, s1, ..., sn)`	Confirms whether string `s` contains any of the specified substrings.	`s` = a string `s1` - `sn` = specified substrings	Example: `containsAny(vendor, 'microsoft', 'amazon')` Result: Returns a value of `true` if the `vendor` field contains either '`microsoft`' or '`amazon`'.
`drop(s, n)`	Returns a value with the first `n` number of characters dropped from the value of string `s`.	`s` = a string `n` = number of characters	Example: `drops(vendor, 3)` Result: Returns the value of the `vendor` field after dropping the first three characters. For the vendor '`Exabeam`', a value of '`beam`' would be returned.
`dropright(s, n)`	Returns a value with the last `n` number of characters dropped from the value of string `s`.	`s` = a string `n` = number of characters	Example: `dropright(vendor, 4)` Result: Returns the value of the `vendor` field after dropping the last four characters. For the vendor '`Exabeam`', a value of '`Exa`' would be returned.
`endsWith(s, suffix)`	Confirms whether the value of string `s` ends with the specified suffix.	`s` = a string `suffix` = the specified suffix	Example: `endsWith(host, '0.0.1')` Result: Returns a value of `true` if the `host` field ends with '`0.0.1`'.
`endsWithAny(s, v1, v2, v3...)`	Confirms whether the value of string `s` ends with any of the specified suffixes.	`s` = a string `v1`, `v2`, `v3` = the specified suffixes (case sensitive)	Example: `endsWithAny(toLower(email_address), '@exabeam.com', '.exabeam.com')` Result: Returns a value of `true` if the `email_address` field ends with either of the specified suffixes.
`indexOf(s, p)`	Returns the `index` position of the first occurrence of pattern delimiter, `p` in string, `s`. If the pattern is not present, no value is returned.	`s` = string `p` = pattern delimiter	Example: `indexOf(src_ip, '.')` Result: For a `src_ip` field with a value of `192.168.100.1`, a value of `3` is returned, which is the position of the first occurrence of the pattern delimiter '`.`'.
`lastIndexOf(s, p)`	Returns the position of the last occurrence of pattern delimiter, `p` in string `s`. If the pattern is not present, no value is returned.	`s` = a string `p` = the pattern delimiter	Example: `lastIndexOf(src_ip, '.')` Result: For a `src_ip` field with a value of `192.168.100.1`, a value of `10` is returned, which is the position of the last occurrence of the pattern delimiter '`.`'.
`lcp(s1, s2, ...)`	Returns the smallest common prefix of a list of specified strings. This function is case-sensitive. An alternate form of `LeastCommonPrefix(s1, s2, ...)`.	`s1, s2, ...` = a specified list of strings	Example: `lcp('Exabeam', 'Exameter')` Result: Returns the prefix `Exa` which is the smallest, case-sensitive, prefix that appears in each of the listed strings.
`lcs(s1, s2, ...)`	Returns the smallest common suffix of a list of specified strings. This function is case-sensitive. An alternate form of `LeastCommonSuffix(s1,s2,...)`.	`s1, s2, ...` = a specified list of strings	Example: `lcs('Exabeam', 'Jim Beam')` Result: Returns the suffix `eam` which is the smallest, case-sensitive, suffix that appears in each of the listed strings.
`LeastCommonPrefix(s1, s2, ...)`	Returns the smallest common prefix of a list of specified strings. This function is case-sensitive. An alternate form of `lcp(s1,s2,...)`.	`s1, s2, ...` = a specified list of strings	Example: `LeastCommonPrefix('Exabeam', 'Exameter')` Result: Returns the prefix `Exa` which is the smallest, case-sensitive, prefix that appears in each of the listed strings.
`LeastCommonSuffix(s1, s2, ...)`	Returns the smallest common suffix of a list of specified strings. This function is case-sensitive. An alternate form of `lcs(s1, s2, ...)`.	`s1, s2, ...` = a specified list of strings	Example: `LeastCommonSuffix('Exabeam', 'Jim Beam')` Result: Returns the suffix `eam` which is the smallest, case-sensitive, suffix that appears in each of the listed strings.
`length(s)`	Returns the length of string `s`, if the length of the value is a non-zero number.	`s` = a string	Example: `length(user)` Result: Returns the length of the value in the `user` field, as long as the field is not empty (the length of its value is a non-zero number).
`replace(s,t,r)`	In string `s`, replace the substring that matches `t`, and is interpreted as a literal string, with `r`.	`s` = a string `t` = a substring `r` = a replacement substring	Example: `replace(email, '@domain.com', '@internal.local')` Result: Replaces the substring '`@domain.com`' with '`@internal.local`' in an `email` field.
`replaceAll(s,t,r)`	In string `s`, replace each substring that matches `t`, and is interpreted as a regular expression, with `r`.	`s` = a string `t` = a substring `r` = a replacement substring	Example: `replaceAll(email_subject, 're:', ' ')` Result: Removes all the instances of substring '`re:`' from the string in an `email_subject` field.
`replaceFirst(s,t,r)`	In string `s`, replace the first substring that matches `t`, and is interpreted as a regular expression, with `r`.	`s` = a string `t` = a substring `r` = a replacement substring	Example: `replaceFirst(email_subject, 're:', ' ')` Result: Removes the first instance of substring '`re:`' from the string in an `email_subject` field.
`slice(s, from, until)`	Returns a substring value from string `s`, starting at index, `from`, and continuing up to but not including index, `until`.	`s` = a string `from` = the starting index `until` = the ending index	Example: `slice(domain, 4, lastindexof(domain, '.'))` Result: Returns the portion of the `domain` field that starts at the `fourth` character and ends before the final '`.`' of the domain value.
`startsWith(s, prefix)`	Confirms whether a string value begins with the specified prefix. An alternate form of `beginsWith(s,prefix)`.	`s` = a string `prefix` = the specified prefix (case sensitive)	Example: `startsWith(vendor, 'Exa')` Result: Returns a value of `true` if the `vendor` field starts with '`Exa`'.
`startsWithAny(s, v1, v2, v3 ...)`	Confirms whether a string value begins with any of the specified prefixes. An alternate form of `beginsWithAny(s, v1, v2, v3 ...)`	`s` = a string `v1, v2, v3 = the specified prefixes (case sensitive)`	Example: `startssWithAny(vendor, 'Exa', 'Log')` Result: Returns a value of `true` if the `vendor` field if it starts with either '`Exa`' or '`Log`'.
`stripPrefix(s, prefix)`	Returns the value of string `s`, after removing the specified `prefix`.	`s` = a string `prefix` = the prefix to remove	Example: `stripPrefix(awsRegion, 'us')` Result: Returns the value of the `AWS Region` field without the specified `prefix`.
`stripSuffix(s, suffix)`	Returns the value of string `s` without the specified `suffix`.	`s` = a string `suffix` = the suffix to remove	Example: `stripSuffix(awsRegion, 1)` Result: Returns the value of the `AWS Region` field without the specified `suffix`.
`take(s,n)`	Return only the first `n` number of characters from string `s`.	`s` = a string `n` = a number of characters	Example: `take(eventID, 8)` Result: Returns the first `8` characters from the `event ID` string.
`takeright(s,n)`	Return only the last `n` number of characters from string, `s`.	`s` = a string `n` = a number of characters	Example: `takeright(eventID, 4)` Result: Returns the last `4` characters of the `event ID` string.
`toLower(s)`	Return an all lowercase representation of string `s`.	`s` = a string	Example: `toLower(vendor)` Result: Returns the value of the `vendor` string in all lower case letters.
`toUpper(s)`	Return an all uppercase representation of string, `s`.	`s` = a string	Example: `toUpper(vendor)` Result: Returns the value of the `vendor` string in all upper case letters.
`trim(s)`	Return a version of the string, `s`, with any leading or trailing whitespace removed.	`s` = a string	Example: `trim(email_subject)` Result: Returns a stripped version of the value in the `email_subject` field, without any leading or trailing white spaces.

Boolean and Conditional Expressions

These expressions can be used to perform logical operations and evaluate conditions.

Expression	Description	Inputs	Example / Result
`and(e1, ..., en)`	Confirms that all of the included Boolean expressions evaluate to `true`.	`e1, ..., en` = a set of Boolean expressions	Example: `and(contains(toLower(vendor), 'exabeam'), endsWith(host, '0.0.1'))` Result: A value of `true` is returned if both of the following expressions are true: The value of the `vendor` field contains '`exabeam`' The value of the `host` field ends with '`0.0.1`'
`exists(v1, v2, v3...)`	Confirms that none of the specified string values are null.	`v1, v2, v3 ...` = the specified string values	Example: `exists(dest_email_address, src_email_address)` Result: Returns a value of `true` if both of the specified fields are not null.
`if(expr, if-true, if-false)`	Returns one value if the expression evaluates to `true` and another value if it evaluates to `false`.	`expr` = an expression to evaluate `if-true` = the value to return if the expression is `true` `if-false` = the value to return if the expression is `false`	Example: `if(isSiteLocal(src_ip), first(src_host, src_ip), null)` Result: If the `src_ip` is a local site address, the value of either the `src_host` or `src_ip` is returned, whichever occurs first. If the `src_ip` is not a local site address, a `null` value is returned.
`in(expr, v1, ...)`	Confirms whether the expression is found in any of the specified list of values.	`expr` = an expression to evaluate `v1, ...` = list of values	Example: `in(version, 1.09, 1.10, 1.11)` Result: Returns a value of `true` if the `version` field is found in the specified list of values.
`not(expr)`	Confirms that an expression is not true.	`expr` = the specified expression	Example: `not(contains(toLower(vendor), 'exabeam')` Result: Returns a value of `true` as long as the `vendor` field is not '`exabeam`'. If the `vendor` is '`exabeam`', a value of `false` is returned.
`or(e1, ..., en)`	Confirms that any of the included Boolean expressions evaluate to `true`.	`e1, ..., en` = a set of Boolean expressions	Example: `or(contains(toLower(vendor), 'exabeam'), endsWith(host, '0.0.1')` Result: A value of `true` is returned if either of the following expressions are true: The value of the `vendor` field contains '`exabeam`' The value of the `host` field ends with '`0.0.1`'

IP and Network Expressions

These expressions are specific to IP address evaluation.

Expression	Description	Inputs	Example / Result
`isIP(s)`	Confirms that a string, `s`, is an IPv4 or IPv6 address.	`s` = a string	Example: `isIP(src_host)` Result: Returns a value of `true` if the `source host` field is an IPv4 or IPv6 address.
`isIPv4(s)`	Confirms that a string, `s`, is an IPv4 address.	`s` = a string	Example: `isIPv4(src_host)` Result: Returns a value of `true` if the `source host` field is an IPv4 address.
`isIPv6(s)`	Confirms that a string, `s`, is an IPv6 address.	`s` = a string	Example: `isIPv6(src_host)` Result: Returns a value of `true` if the `source host` field is an IPv6 address.
`isAnyLocal(s)`	Confirms that a string, `s`, is any local address: `0.0.0.0 or ::0` An alternate form of `isAnyLocalAddress(s)`.	`s` = a string	Example: `isAnyLocal(src_host)` Result: Returns a value of `true` if the `source host` field is a local address.
`isAnyLocalAddress(s)`	Confirms that a string, `s`, is any local address: `0.0.0.0 or ::0` An alternate form of `isAnyLocal(s)`.	`s` = a string	Example: `isAnyLocalAddress(src_host)` Result: Returns a value of `true` if the `source host` field is a local address.
`isLinkLocal(s)`	Confirms that a string, `s`, is a link local address: `169.254.1.0 - 169.254.255.255, fe80::`, etc. An alternate form of `isLinkLocalAddress(s)`	`s` = a string	Example: `isLinkLocal(src_host)` Result: Returns a value of `true` if the `source host` field is a link local address.
`isLinkLocalAddress(s)`	Confirms that a string, `s`, is a link local address: `169.254.1.0 - 169.254.255.255, fe80::`, etc. An alternate form of `isLinkLocal(s)`	`s` = a string	Example: `isLinkLocalAddress(src_host)` Result: Returns a value of `true` if the `source host` field is a link local address.
`isLoopback(s)`	Confirms that a string, `s`, is a loopback address: `127.0.0.0 - 127.255.255.255, ::1`, etc. An alternate form of `isLoopBackAddress(s)`	`s` = a string	Example: `isLoopback(src_host)` Result: Returns a value of `true` if the `source host` field is a loopback address.
`isLoopBackAddress(s)`	Confirms that a string, `s`, is a loopback address: `127.0.0.0 - 127.255.255.255, ::1`, etc. An alternate form of `isLoopBack(s)`	`s` = a string	Example: `isLoopbackAddress(src_hos` Result: Returns a value of `true` if the `source host` field is a loopback address.
`isMulticast(s)`	Confirms that a string, `s`, is a multicast address: `224.0.0.0 - 239.255.255.255` An alternate form of `isMulticastAddress(s)`	`s` = a string	Example: `isMulticast(src_host)` Result: Returns a value of `true` if the `source host` field is a multicast address.
`isMulticastAddress(s)`	Confirms that a string, `s`, is a multicast address: `224.0.0.0 - 239.255.255.255` An alternate form of `isMulticast(s)`	`s` = a string	Example: `isMulticastAddress(src_host)` Result: Returns a value of `true` if the `source host` field is a multicast address.
`isSiteLocal(s)`	Confirms that a string, `s`, is a site local address: `10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255`, etc. An alternate form of `isSiteLocalAddress(s)`	`s` = a string	Example: `isSiteLocal(src_host)` Result: Returns a value of `true` if the `source host` field is a site local address.
`isSiteLocalAddress(s)`	Confirms that a string, `s`, is a site local address: `10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255`, etc. An alternate form of `isSiteLocal(s)`	`s` = a string	Example: `isSiteLocalAddress(src_host)` Result: Returns a value of `true` if the `source host` field is a site local address.

Context Expressions

These expressions are specific to contextual data or operations.

Important

Inputs for these expressions are case-sensitive. In order for the expression to return a result of true, the value in the key column must exactly match the case-sensitivity used in the context table itself.

Expression	Description	Inputs	Example / Result
`GetContextAttribute(T, K, A)`	Returns the value of an attribute column, `A`, from whichever row matches `K` in the key column of context table `T`.	`T` = context table name `K` = value in a row of the key column `A` = an `attribute_id` for a column in the context table (see the note below for information about finding the `attribute_id`)	Example: `GetContextAttribute('AD Users', '8229faf6-7de1-4cf1-99b8-2c5c1d515bd1', 'bWeYC3dG7H')` Where: `AD Users` = the name of the context table `8229faf6-7de1-4cf1-99b8-2c5c1d515bd1` = a specific value in the key column, which is the ID column `bWeYC3dG7H` = the `attribute_id` of a column in the `AD Users` context table Result: Looks in the key column of the `AD Users` context table (the `ID` column). Finds the row where the key column value is `8229faf6-7de1-4cf1-99b8-2c5c1d515bd1`. Returns the value, from the same row, for the column whose `attribute_id` is `bWeYC3dG7H`.
`HasContextKey(T, K)`	Confirms whether a context table `T` exists and contains a specific value in the key column `K`.	`T` = context table name `K` = the value of the key column	Example: `HasContextKey('CrowdStrike Devices', aid)` Result: Returns a value of `true` or `false` depending on whether any row in the key column in the `CrowdStrike Devices` context table contains a value of '`aid`'.

Expression

Description

Inputs

Example / Result

GetContextAttribute(T, K, A)

Returns the value of an attribute column, A, from whichever row matches K in the key column of context table T.

T = context table name

K = value in a row of the key column

A = an attribute_id for a column in the context table (see the note below for information about finding the attribute_id)

Example:

GetContextAttribute('AD Users', '8229faf6-7de1-4cf1-99b8-2c5c1d515bd1', 'bWeYC3dG7H')

Where:

AD Users = the name of the context table
8229faf6-7de1-4cf1-99b8-2c5c1d515bd1 = a specific value in the key column, which is the ID column
bWeYC3dG7H = the attribute_id of a column in the AD Users context table

Result:

Looks in the key column of the AD Users context table (the ID column). Finds the row where the key column value is 8229faf6-7de1-4cf1-99b8-2c5c1d515bd1. Returns the value, from the same row, for the column whose attribute_id is bWeYC3dG7H.

HasContextKey(T, K)

Confirms whether a context table T exists and contains a specific value in the key column K.

T = context table name

K = the value of the key column

Example:

HasContextKey('CrowdStrike Devices', aid)

Result:

Returns a value of true or false depending on whether any row in the key column in the CrowdStrike Devices context table contains a value of 'aid'.

Note

Finding the attribute_id for the A Input

The A input for the GetContextAttribute expression must be represented by the attribute_id of a column in the context table, and not by the display name in the column header in the Context Management UI. The mapping of attribute_id to column names is not available in the Context Management UI.

To find an attribute_id, navigate to the GET /context-management/v1/tables API endpoint in the Exabeam Developers Portal. Run this API to return a list of metadata for the context tables in your environment, including attribute mapping. Select the appropriate attribute_id for the column you want to represent in the A input for the GetContextAttribute expression.

For information about this API endpoint, and for links to other resources about running Exabeam public APIs, see Context Management APIs.

Log StreamLog Stream Guide

Table of ContentsTable of Contents