Context Operations Using Analytics Rule Syntax

Evaluate and retrieve data from context tables using analytics rule syntax.

| Function | Description | Returned Value | Examples |
| --- | --- | --- | --- |
| `ContextListContains("table", value)` | Checks whether the context table `table` contains `value`. Returns false if the context table doesn't exist or is unsupported. | Boolean | `ContextListContains("CompanyNames", Exabeam)` returns true if Exabeam exists in the CompanyNames context table. `ContextListContains('SuspiciousDomains', getDomainFromURL(url))` returns true if `url` is http://malicious.com/phishing and the domain malicious.com is in the SuspiciousDomains context table. |
| `GetContextAttribute("table", "key", "attribute")` | Retrieves `attribute` from context table `table` using `key`. `key` and `attribute` must be CIM 2.0 fields. | Value of `attribute` | `GetContextAttribute("AD Table", user, "email address")` returns the email address for the user entity associated with the event. |
| `HasContextKey(table, key)` | Checks if context table `table` contains `key`. Returns false if the context table doesn't exist, or if the context table exists but doesn't contain `key`. | Boolean | `HasContextKey('Competitor Company Names', dest_email_domain)` returns true if the Competitor Company Names context table contains destination email domain information. |
| `GetDynamicContextAttribute(key, attribute)` | COMING SOON | COMING SOON | COMING SOON |
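Because `ContextListContains` returns false for a missing table as well as for a missing value, a blocklist-style check goes silent when its table is absent, while a check that negates the result matches every event. The Python model below is an added example, not Exabeam code or rule syntax, and shows both outcomes plus a check for missing tables. The `AllowedDomains` table, the negated rule, the sample events, and the hostname behaviour of the `getDomainFromURL` stand-in are assumptions made for illustration.

```python
from urllib.parse import urlparse

def context_list_contains(tables, table, value):
    # Documented behaviour: false if the table doesn't exist.
    return value in tables.get(table, set())

def get_domain_from_url(url):
    # Stand-in for getDomainFromURL; assumed to return the hostname.
    return urlparse(url).hostname

def blocklist_hit(tables, event):
    # Models ContextListContains('SuspiciousDomains', getDomainFromURL(url)).
    domain = get_domain_from_url(event["url"])
    return context_list_contains(tables, "SuspiciousDomains", domain)

def not_allowlisted(tables, event):
    # Hypothetical rule that negates the lookup against an allowlist table.
    domain = get_domain_from_url(event["url"])
    return not context_list_contains(tables, "AllowedDomains", domain)

def missing_tables(tables, referenced):
    # Tables a rule references that do not exist, so "false" is ambiguous.
    return sorted(set(referenced) - set(tables))

def fired(tables, rule):
    # URLs of the constructed events on which the rule matches.
    return [e["url"] for e in EVENTS if rule(tables, e)]

# Constructed sample events and context tables.
EVENTS = [
    {"url": "http://malicious.com/phishing"},
    {"url": "https://intranet.example.com/home"},
]
HEALTHY = {
    "SuspiciousDomains": {"malicious.com"},
    "AllowedDomains": {"intranet.example.com"},
}
BROKEN = {}  # neither table exists, e.g. renamed or never populated

if __name__ == "__main__":
    referenced = ["SuspiciousDomains", "AllowedDomains"]
    for name, tables in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, "missing tables:", missing_tables(tables, referenced))
        print("  blocklist rule fired on:", fired(tables, blocklist_hit))
        print("  negated allowlist rule fired on:", fired(tables, not_allowlisted))
```

`HasContextKey` has the same ambiguity, since its false result does not distinguish a missing table from a missing key.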