
Threat Detection Management Guide

Advanced Analytics Rule Syntax vs. Analytics Rule Syntax

Compare the syntax used to write expressions for Advanced Analytics rules in the Fusion and Exabeam Security Operations licenses with the syntax used to write expressions for analytics rules in the New-Scale Security Operations Platform.

As you convert your Advanced Analytics rules to analytics rules, ensure that each rule expression uses syntax the New-Scale Security Operations Platform analytics engine supports. Most expressions carry over unchanged, a few were replaced by new expressions, and some are no longer supported in analytics rules at all.

| Expression Usage | Advanced Analytics Rule Syntax | Analytics Rule Syntax | Difference |
|---|---|---|---|
| Adds numerical arguments x1 ... xn. | `add(x1, ..., xn)` | `add(x1, ..., xn)` | No change |
| Checks whether all of the arguments e1 ... en are true. If any argument is false, the expression returns false. | `and(e1, ..., en)` | `and(e1, ..., en)` | No change |
| Checks if string begins with any of the prefixes p1 ... pn. | `beginswithAny(string, p1, ..., pn)` | `beginswithAny("string", "p1", ..., "pn")` | No change |
| Checks if the string begins with the prefix. | `beginsWith(s, prefix)` | `beginsWith("string", "prefix")` | No change |
| Rounds x up to the nearest integer. | `ceil(x)` | `ceil(x)` | No change |
| Removes all characters from string after and including the n-th occurrence of pattern. | `chopAfter("string", "pattern", n)` | `chopAfter("string", "pattern", n)` | No change |
| Removes all characters from string before and including the n-th occurrence of pattern. | `chopBefore("string", "pattern", n)` | `chopBefore("string", "pattern", n)` | No change |
| Concatenates the arguments into a single string. | `concat("s1", ..., "sn")` | `concat("s1", ..., "sn")` | No change |
| The result of the calculation ((N-C)/N)^a, where N = total data points in the model, C = number of bins, and a = alpha. | `confidence_factor` | | Not supported for analytics rules |
| Checks whether file contains string. | `containsAnyFile("string", file)` | | Not supported for analytics rules |
| Checks whether file contains string. | `containsAnyInFile("string", file)` | | Not supported for analytics rules |
| Checks whether string contains any of the substrings s1, ..., sn. | `containsAny("string", "s1", ..., "sn")` | `containsAny("string", "s1", ..., "sn")` | No change |
| Checks whether string contains substring. | `contains("string", "substring")` | `contains("string", "substring")` | No change |
| Divides x by y. | `divide(x, y)` | `divide(x, y)` | No change |
| Divides x by y. | `div(x, y)` | `div(x, y)` | No change |
| Removes the last n characters from string. | `dropright("string", n)` | `dropright("string", n)` | No change |
| Removes the first n characters from string. | `drop("string", n)` | `drop("string", n)` | No change |
| Checks if string ends with any of the substrings s1, ..., sn. | `endsWithAny("string", "s1", ..., "sn")` | `endsWithAny("string", "s1", ..., "sn")` | No change |
| Checks whether string ends with substring. | `endsWith("string", "substring")` | `endsWith("string", "substring")` | No change |
| Terminates expression evaluation with an error; message is printed to exabeam.log. | `error(message)` | `error(message)` | No change |
| Checks if all values are defined and non-empty. | `exists(v1, v2, ..., vn)` | `exists(v1, v2, ..., vn)` | No change |
| | `feature_value` | | Not supported for analytics rules |
| A more efficient alternative to an "or" chain of match-field-value-and-condition plus a fallback condition. The function tries to match the field value with the key of one key-value pair; if found, it returns the value of that pair's condition expression as the result; otherwise, it returns the value of the default condition expression (def-cond). | `fieldOr(fn, def-cond, {"fv1":condition1}, ...)` | | Not supported for analytics rules |
| Returns the first expression e1 ... en that evaluates to true, non-empty, or non-zero. If none evaluate to true, non-empty, or non-zero, returns null. | `first(e1, ..., en)` | `first(e1, ..., en)` | No change |
| Rounds x down to the nearest integer. | `floor(x)` | `floor(x)` | No change |
| Formats argument according to the format string formatspec. | `format("formatspec", argument)` | `format("formatspec", argument)` | No change |
| Extracts the browser from the user agent user_agent. | `GetBrowserFromUA("user_agent")` | `GetBrowserFromUA("user_agent")` | No change |
| Extracts the domain from email. | `GetDomainFromEmail(email)` | `GetDomainFromEmail("email")` | No change |
| Extracts the domain from url. | `GetDomainFromURL("url")` | `GetDomainFromURL("url")` | No change |
| Extracts the operating system from the user agent user_agent. | `GetOSFromUA("user_agent")` | `GetOSFromUA("user_agent")` | No change |
| | `getValue(t, v)` | `GetGeoInfo("attribute", dest_ip)`; `GetThreatInfo(web_domain)` | The Advanced Analytics expression was replaced with new expressions for analytics rules. |
| Checks whether the given rule has fired in the sequence containing this event. An alternative form of WasRuleFired(). | `HasRuleTriggered(rule, feature)` | | Not supported for analytics rules |
| Checks if the user entity has a defined value for attribute. | `hasUserAttributeValue("attribute")` | `EntityHasAttribute("attribute")` | The Advanced Analytics expression was replaced with a new expression for analytics rules. |
| Queries context tables. | `hasValue()` | `HasContextKey(table, key)`; `HasGeoInfo("attribute", dest_ip)`; `HasThreatInfo("threat_type", web_domain)`; `ContextListContains("table", value)` | The Advanced Analytics expression was replaced with new expressions for analytics rules. |
| Converts a string holding a hexadecimal number into its integer equivalent. | `hextoInt("string")` | `hextoInt("string")` | No change |
| Returns the hour of time. | `hour(time)` | `hour(time)` | |
| Evaluates expression. If true, returns if-true; otherwise, returns if-false. | `if(expression, if-true, if-false)` | `if(expression, if-true, if-false)` | No change |
| Evaluates the zero-based index of the first occurrence of pattern in string. If pattern is not present, returns -1. | `indexOf("string", "pattern")` | `indexOf("string", "pattern")` | No change |
| Checks whether the value of expression is equal to any of the values e1 ... en. | `in(expression, e1, ..., en)` | `in(expression, e1, ..., en)` | No change |
| Extracts value from url. value can be: destination port, protocol, web domain, destination IP address, URI path, or URI query. | `InferFromURL("value", "url")` | | Not supported for analytics rules |
| Checks whether the host name host is in file. | `inHostsFile(host, file)` | | Not supported for analytics rules |
| Checks whether the host name host is equal to any of the host names h1 ... hn. | `inHosts(host, h1, ..., hn)` | `inHosts(host, h1, ..., hn)` | No change |
| Checks whether the value of expression is equal to any of the values e1 ... en. | `inList(expression, e1, ..., en)` | `inList(expression, e1, ..., en)` | No change |
| Checks if field_value exists as a feature value in the model. | `InModel(field_value, scope_value, model)` | | Not supported for analytics rules |
| Checks if address is an any-local address (0.0.0.0 or ::0). | `isAnyLocal(address)` | `isAnyLocal(address)` | New for analytics rules; did not exist for Advanced Analytics rules |
| Checks if address is an any-local address (0.0.0.0 or ::0). | `isAnyLocalAddress(address)` | `isAnyLocalAddress(address)` | No change |
| Checks if the entity sequence feature is enabled in the installed license. | `isEntitySequenceFeatureEnabled()` | `isEntitySequenceFeatureEnabled()` | No change |
| Checks if address is an IPv4 or IPv6 address. | `isIP(address)` | `isIP(address)` | No change |
| Checks if address is an IPv4 address. | `isIPv4(address)` | `isIPv4(address)` | No change |
| Checks if address is an IPv6 address. | `isIPv6(address)` | `isIPv6(address)` | No change |
| Checks if address is a link-local address (169.254.x.x or fe80::). | `isLinkLocal(address)` | `isLinkLocal(address)` | No change |
| Checks if address is a link-local address (169.254.x.x or fe80::). | `isLinkLocalAddress(address)` | `isLinkLocalAddress(address)` | No change |
| Checks if address is a loopback address (127.x.x.x or ::1). | `isLoopback(address)` | `isLoopback(address)` | New for analytics rules; did not exist for Advanced Analytics rules |
| Checks if address is a loopback address (127.x.x.x or ::1). | `isLoopbackAddress(address)` | `isLoopbackAddress(address)` | No change |
| Checks if address is a multicast address (224.0.0.0-239.255.255.255). | `isMulticast(address)` | `isMulticast(address)` | No change |
| Checks if address is a multicast address (224.0.0.0-239.255.255.255). | `isMulticastAddress(address)` | `isMulticastAddress(address)` | No change |
| Evaluates whether the second-level part of domain is likely randomly generated. The argument must be lowercase. | `isRandomDomain(toLower("domain"))` | | Not supported for analytics rules |
| Evaluates whether hostname is likely randomly generated. The argument must be lowercase. | `isRandomHostname(toLower("hostname"))` | | Not supported for analytics rules |
| Checks if address is a site-local address; for example 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, or 192.168.0.0-192.168.255.255. | `isSiteLocal(address)` | `isSiteLocal(address)` | No change |
| Checks if address is a site-local address; for example 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, or 192.168.0.0-192.168.255.255. | `isSiteLocalAddress(address)` | `isSiteLocalAddress(address)` | No change |
| Checks whether host is a top talker. | `IsTopTalker(host)` | | Not supported for analytics rules |
| Evaluates the zero-based index of the last occurrence of pattern in string. If pattern is not present, returns -1. | `lastIndexOf("string", "pattern")` | `lastIndexOf("string", "pattern")` | No change |
| Returns the difference, in milliseconds, between the event time and the user's closest previous session logout time. If the user was never seen before, returns 0. | `LastSeenUntilNow(user, time)` | | Not supported for analytics rules |
| Evaluates the longest common prefix among the string arguments s1 ... sn. | `lcp("s1", ..., "sn")` | `lcp("s1", ..., "sn")` | No change |
| Evaluates the longest common suffix among the string arguments s1 ... sn. The evaluation is case-sensitive. | `lcs("s1", ..., "sn")` | `lcs("s1", ..., "sn")` | No change |
| Evaluates the longest common prefix among the string arguments s1 ... sn. | `LeastCommonPrefix("s1", ..., "sn")` | `LeastCommonPrefix("s1", ..., "sn")` | No change |
| Evaluates the longest common suffix among the string arguments s1 ... sn. The evaluation is case-sensitive. | `LeastCommonSuffix("s1", ..., "sn")` | `LeastCommonSuffix("s1", ..., "sn")` | No change |
| Evaluates the length of string. | `length("string")` | `length("string")` | No change |
| Evaluates the maximum of all arguments x1 ... xn. | `max(x1, ..., xn)` | `max(x1, ..., xn)` | No change |
| Evaluates the minimum of all arguments x1 ... xn. | `min(x1, ..., xn)` | `min(x1, ..., xn)` | No change |
| Multiplies the numerical arguments x1 ... xn. | `multiply(x1, ..., xn)` | `multiply(x1, ..., xn)` | No change |
| Multiplies the numerical arguments x1 ... xn. | `mul(x1, ..., xn)` | `mul(x1, ..., xn)` | No change |
| Normalizes a host name to a canonical short form. | `NormalizeHostName(hostname)` | | Not supported for analytics rules |
| Returns the username in AD format from the provided string, which may be a username, an email address, or an LDAP distinguished name. | `NormalizeUser(user)` | | Not supported for analytics rules |
| Negates expression: returns true if expression is false, and false if it is true. | `not(expression)` | `not(expression)` | No change |
| The number of bins in the model. | `num_bins` | | Not supported for analytics rules |
| The number of times a feature must appear in order for the rule to trigger. | `num_observations` | | Not supported for analytics rules |
| Checks whether any of the arguments e1 ... en are true. If all arguments are false, the expression returns false. | `or(e1, ..., en)` | `or(e1, ..., en)` | No change |
| Quantifies how anomalous a data point is. | `percentile_count_distance` | | Not supported for analytics rules |
| Sets a count threshold for the number of points in a histogram bin. | `percentile_threshold_count` | | Not supported for analytics rules |
| The percentile of the current histogram bin where all bins are ordered by their value. Used for histograms that have a natural order, like numerical (clustered) histograms. | `percentile_threshold_value` | | Not supported for analytics rules |
| The distance to the histogram bin at the percentileThreshold value. | `percentile_value_distance` | | Not supported for analytics rules |
| Raises x to the power of y. | `power(x, y)` | `power(x, y)` | No change |
| Raises x to the power of y. | `pow(x, y)` | `pow(x, y)` | No change |
| The number of times the current value exists in the model divided by the total data points in the model. | `probability` | | Not supported for analytics rules |
| In string, replaces every substring that matches the regular expression regex with substring s2. | `replaceAll("string", regex, "s2")` | `replaceAll("string", regex, "s2")` | No change |
| In string, replaces the first substring that matches the regular expression regex with substring s2. | `replaceFirst("string", regex, "s2")` | `replaceFirst("string", regex, "s2")` | No change |
| In string, replaces every substring s1, interpreted as a literal string, with substring s2. | `replace("string", "s1", "s2")` | `replace("string", "s1", "s2")` | No change |
| Evaluates expression. If true, returns if-true; otherwise, returns if-false. | `returnIf(expression, if-true, if-false)` | `returnIf(expression, if-true, if-false)` | No change |
| Rounds x to the nearest integer. | `round(x)` | `round(x)` | No change |
| Extracts a substring from string starting at index from and up to, but not including, index until. | `slice("string", from, until)` | `slice("string", from, until)` | No change |
| Returns the propagation speed in KPH between the user identified in the event's previous src_ip and the one in this event. | `speed()` | | Not supported for analytics rules |
| Checks if string begins with any of the prefixes p1 ... pn. | `startsWithAny("string", "p1", ..., "pn")` | `startsWithAny("string", "p1", ..., "pn")` | No change |
| Checks if the string begins with the prefix. | `startsWith("string", "prefix")` | `startsWith("string", "prefix")` | No change |
| Removes prefix from string if present. The prefix argument is case-sensitive. | `stripPrefix("string", "prefix")` | `stripPrefix("string", "prefix")` | No change |
| Removes suffix from string if present. The suffix argument is case-sensitive. | `stripSuffix("string", "suffix")` | `stripSuffix("string", "suffix")` | No change |
| Subtracts y from x. | `subtract(x, y)` | `subtract(x, y)` | No change |
| Keeps the last n characters of string and removes the rest. | `takeright("string", n)` | `takeright("string", n)` | No change |
| Keeps the first n characters of string and removes the rest. | `take("string", n)` | `take("string", n)` | No change |
| Evaluates the hour of the current UTC time in 24-hour format. | `timeofday()` | `timeofday()` | No change |
| Evaluates the time of the month as a fraction of days since the start of the month. | `timeofmonth()` | `timeofmonth()` | No change |
| Evaluates the day of the week as a fraction of days since Sunday, which is the start of the week. | `timeofweek()` | `timeofweek()` | No change |
| Cast operation that converts expression to a boolean value. | `toBoolean(expression)` | `toBoolean(expression)` | No change |
| Converts string to all lowercase. | `toLower("string")` | `toLower("string")` | No change |
| Cast operation that converts the value of expression to an integer. | `toNumber(expression)` | `toNumber(expression)` | No change |
| Cast operation that converts the value of expression to a string. | `toString(expression)` | `toString(expression)` | No change |
| The number of data points in the model. | `total_events` | | Not supported for analytics rules |
| Overall count of the events in the given histogram or model. | `total_events` | | Not supported for analytics rules |
| Converts string to all uppercase. | `toUpper("string")` | `toUpper("string")` | No change |
| Removes leading and trailing whitespace from string. | `trim("string")` | `trim("string")` | No change |
| Checks whether the given rule has fired in the sequence containing this event. An alternative form of HasRuleTriggered(). | `WasRuleFired(rule)` | | Not supported for analytics rules |
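A practical first step in the conversion is to lint every Advanced Analytics rule expression against this table before touching the rule logic. The script below is an added example written for this page, not Exabeam's own tooling: it takes the "Not supported" and "replaced" names from the table above, scans each expression for identifiers outside string literals, and reports which rules carry over unchanged and which need a rewrite. It assumes rule expressions are available as plain strings; names the table does not list (field names such as `src_ip`, or any operator not in the table) are deliberately left alone rather than flagged. The sample rules are constructed for the demonstration.

```python
"""Audit Advanced Analytics rule expressions against the syntax comparison table.

Added example, not Exabeam code. Assumes expressions are plain strings and
that any identifier the table does not list is a field name or an operator
that needs no attention here.
"""
import re
from dataclasses import dataclass, field

# Names the table marks "Not supported for analytics rules".
UNSUPPORTED = frozenset({
    "confidence_factor", "containsAnyFile", "containsAnyInFile",
    "feature_value", "fieldOr", "HasRuleTriggered", "InferFromURL",
    "inHostsFile", "InModel", "isRandomDomain", "isRandomHostname",
    "IsTopTalker", "LastSeenUntilNow", "NormalizeHostName", "NormalizeUser",
    "num_bins", "num_observations", "percentile_count_distance",
    "percentile_threshold_count", "percentile_threshold_value",
    "percentile_value_distance", "probability", "speed", "total_events",
    "WasRuleFired",
})

# Names the table says were replaced, mapped to the replacements it lists.
REPLACED = {
    "getValue": ("GetGeoInfo", "GetThreatInfo"),
    "hasUserAttributeValue": ("EntityHasAttribute",),
    "hasValue": ("HasContextKey", "HasGeoInfo", "HasThreatInfo",
                 "ContextListContains"),
}

_STRING_LITERAL = re.compile(r'"[^"]*"')
_IDENTIFIER = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")


@dataclass
class Audit:
    expression: str
    unsupported: list = field(default_factory=list)  # names with no analytics equivalent
    replaced: dict = field(default_factory=dict)     # old name -> replacement names

    @property
    def convertible_as_is(self) -> bool:
        """True when every listed name in the expression carries over unchanged."""
        return not self.unsupported and not self.replaced


def audit_expression(expression: str) -> Audit:
    """Classify every identifier in one expression using the table above.

    String literals are blanked first so that a function name appearing
    inside quotes (for example as a search substring) is not reported.
    """
    audit = Audit(expression)
    stripped = _STRING_LITERAL.sub('""', expression)
    for name in _IDENTIFIER.findall(stripped):
        if name in UNSUPPORTED and name not in audit.unsupported:
            audit.unsupported.append(name)
        elif name in REPLACED:
            audit.replaced.setdefault(name, list(REPLACED[name]))
    return audit


def audit_rules(rules: dict) -> dict:
    """Audit a rule-id -> expression mapping; returns rule-id -> Audit."""
    return {rule_id: audit_expression(expr) for rule_id, expr in rules.items()}


# Constructed sample rules for the demonstration; not rules from any content pack.
SAMPLE_RULES = {
    "AA-DGA-DOMAIN": 'and(exists(web_domain), isRandomDomain(toLower(web_domain)))',
    "AA-CONTEXT-LOOKUP": 'and(hasValue(), hasUserAttributeValue("title"))',
    "AA-EXTERNAL-SOURCE": 'and(exists(src_ip), not(isSiteLocalAddress(src_ip)), contains(user, "speed("))',
    "AA-MODEL-STAT": 'and(exists(src_ip), lt(confidence_factor, 0.8))',
}

if __name__ == "__main__":
    for rule_id, result in audit_rules(SAMPLE_RULES).items():
        status = "OK" if result.convertible_as_is else "NEEDS REWRITE"
        print(f"{rule_id}: {status}")
        for name in result.unsupported:
            print(f"  unsupported: {name}")
        for old, new in result.replaced.items():
            print(f"  replaced: {old} -> {', '.join(new)}")
```

Run it over an export of your rule expressions and fix the "NEEDS REWRITE" entries first; model statistics such as `confidence_factor` and `probability` have no analytics-rule equivalent, so those rules need a different detection approach rather than a syntax substitution.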
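The address predicates in the table (isAnyLocal, isLoopback, isLinkLocal, isMulticast, isSiteLocal and the isIP family) are the ones most often used to separate internal from external traffic in a rule, so it is worth being precise about the ranges they cover. The following is an added example, not Exabeam's implementation: it re-creates those predicates with Python's standard `ipaddress` module using exactly the ranges the table lists, so you can check a rule's expected behaviour against sample values before converting it. The table gives only IPv4 ranges for the site-local check; treating fec0::/10 as site-local for IPv6 is this example's assumption. Note that `ipaddress`'s built-in `is_private` is deliberately not used for site-local, because it also matches blocks such as 100.64.0.0/10 and the loopback and link-local ranges, which would silently widen an "internal address" condition.

```python
"""IP address predicates from the syntax table, re-implemented with ipaddress.

Added example, not Exabeam code. Assumption: IPv6 site-local is taken to be
fec0::/10, since the table lists only IPv4 ranges for that check.
"""
import ipaddress

_SITE_LOCAL_V4 = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_SITE_LOCAL_V6 = ipaddress.ip_network("fec0::/10")  # assumption, see module docstring


def _parse(address):
    """Return an IPv4Address/IPv6Address, or None if the input is not an IP literal."""
    try:
        return ipaddress.ip_address(str(address).strip())
    except ValueError:
        return None


def is_ip(address) -> bool:
    return _parse(address) is not None


def is_ipv4(address) -> bool:
    ip = _parse(address)
    return ip is not None and ip.version == 4


def is_ipv6(address) -> bool:
    ip = _parse(address)
    return ip is not None and ip.version == 6


def is_any_local(address) -> bool:
    """0.0.0.0 or ::0 (ipaddress calls this 'unspecified')."""
    ip = _parse(address)
    return ip is not None and ip.is_unspecified


def is_loopback(address) -> bool:
    """127.x.x.x or ::1."""
    ip = _parse(address)
    return ip is not None and ip.is_loopback


def is_link_local(address) -> bool:
    """169.254.x.x or fe80::/10."""
    ip = _parse(address)
    return ip is not None and ip.is_link_local


def is_multicast(address) -> bool:
    """224.0.0.0-239.255.255.255 for IPv4, ff00::/8 for IPv6."""
    ip = _parse(address)
    return ip is not None and ip.is_multicast


def is_site_local(address) -> bool:
    """10/8, 172.16/12 and 192.168/16 for IPv4; fec0::/10 for IPv6 (assumption).

    Narrower than ipaddress's is_private, which also counts 100.64.0.0/10,
    loopback, link-local and other special-purpose blocks as private.
    """
    ip = _parse(address)
    if ip is None:
        return False
    if ip.version == 4:
        return any(ip in net for net in _SITE_LOCAL_V4)
    return ip in _SITE_LOCAL_V6


def classify(address) -> dict:
    """Evaluate every predicate for one value; non-addresses fail every check."""
    return {
        "isIP": is_ip(address), "isIPv4": is_ipv4(address), "isIPv6": is_ipv6(address),
        "isAnyLocal": is_any_local(address), "isLoopback": is_loopback(address),
        "isLinkLocal": is_link_local(address), "isMulticast": is_multicast(address),
        "isSiteLocal": is_site_local(address),
    }


if __name__ == "__main__":
    # Constructed sample values, including a non-address to show the fail-closed path.
    for sample in ("10.1.2.3", "100.64.0.1", "169.254.10.9", "::1", "fe80::1",
                   "239.255.255.250", "0.0.0.0", "not-an-ip"):
        flags = [k for k, v in classify(sample).items() if v]
        print(f"{sample:>16}: {', '.join(flags) or 'no predicate matched'}")
```

Every predicate returns false for a value that is not an IP literal, which mirrors how an `and(isIP(x), ...)` guard behaves in a rule and avoids a malformed field value accidentally satisfying an "is internal" condition.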