Threat Detection Management Guide

Network Operations Using Analytics Rule Syntax

Evaluate IP addresses, hosts, and domains using analytics rule syntax.

IP Address Operations

Evaluate IP addresses in your network.

Function

Description

Returned Value

Examples

isIP(address)

Checks if address is an IPv4 or IPv6 address.

Boolean

isIP("192.168.1.1") returns true

isIPv4(address)

Checks if address is an IPv4 address.

Boolean

isIPv4("192.168.1.1") returns true

isIPv6(address)

Checks if address is an IPv6 address.

Boolean

isIPv6("2001:db8::1") returns true

isAnyLocal(address)

Checks if address is an any-local address (0.0.0.0 or ::0).

An alternative form of isAnyLocalAddress().

Boolean

isAnyLocal("0.0.0.0") returns true

isAnyLocalAddress(address)

Checks if address is an any-local address (0.0.0.0 or ::0).

An alternative form of isAnyLocal().

Boolean

isAnyLocalAddress("0.0.0.0") returns true

isLinkLocal(address)

Checks if address is a link-local address (169.254.0.0/16 or fe80::/10).

An alternative form of isLinkLocalAddress().

Boolean

isLinkLocal("169.254.1.1") returns true

isLinkLocalAddress(address)

Checks if address is a link-local address (169.254.0.0/16 or fe80::/10).

An alternative form of isLinkLocal().

Boolean

isLinkLocalAddress("169.254.1.1") returns true

isLoopback(address)

Checks if address is a loopback address (127.0.0.0/8 or ::1).

An alternative form of isLoopbackAddress().

Boolean

isLoopback("127.0.0.1") returns true

isLoopbackAddress(address)

Checks if address is a loopback address (127.0.0.0/8 or ::1).

An alternative form of isLoopback().

Boolean

isLoopbackAddress("127.0.0.1") returns true

isMulticast(address)

Checks if address is a multicast address (224.0.0.0-239.255.255.255).

An alternative form of isMulticastAddress().

Boolean

isMulticast("224.0.0.0") returns true

isMulticastAddress(address)

Checks if address is a multicast address (224.0.0.0-239.255.255.255).

An alternative form of isMulticast().

Boolean

isMulticastAddress("224.0.0.0") returns true

isSiteLocal(address)

Checks if address is a site-local address, that is, one of the RFC 1918 private ranges 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, or 192.168.0.0-192.168.255.255.

An alternative form of isSiteLocalAddress().

Boolean

isSiteLocal("10.0.0.0") returns true

isSiteLocalAddress(address)

Checks if address is a site-local address, that is, one of the RFC 1918 private ranges 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, or 192.168.0.0-192.168.255.255.

An alternative form of isSiteLocal().

Boolean

isSiteLocalAddress("10.0.0.0") returns true

HasGeoInfo("attribute", dest_ip)

Checks if the event contains the geo-information attribute for the IP address dest_ip.

Valid arguments for attribute include:

  • city

  • country

  • is_anon

  • isp

  • latitude

  • longitude

Boolean

HasGeoInfo("city", 192.168.1.1) returns true if the event contains the city of the IP address.

GetGeoInfo("attribute", dest_ip)

Retrieves geo-information attribute for the IP address dest_ip.

Valid arguments for attribute include:

  • city

  • country

  • is_anon

  • isp

  • latitude

  • longitude

String

GetGeoInfo("city", 192.168.1.1) returns "New York City"
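The predicates above are easiest to reason about next to a reference implementation. The following is an added example, not Exabeam's code: it rebuilds the IP checks on Python's ipaddress module, models isSiteLocal() on exactly the RFC 1918 ranges the table lists, and then runs a simple "site-local source talking to an external destination" rule over a handful of constructed events. The events, the is_external() helper, and the choice to unwrap IPv4-mapped IPv6 literals (::ffff:a.b.c.d) before classifying are assumptions of this example, not behaviour documented for the rule engine.

```python
"""Reference behaviour for the guide's IP predicates, built on Python's
ipaddress module. Added illustration, not Exabeam's implementation."""
import ipaddress
from typing import List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# The three ranges the guide documents for isSiteLocal() (RFC 1918).
SITE_LOCAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _parse(address: str) -> Optional[IPAddr]:
    """Parse or return None; anything ipaddress rejects is 'not an IP'."""
    try:
        return ipaddress.ip_address(address.strip())
    except ValueError:
        return None


def _effective(address: str) -> Optional[IPAddr]:
    """Address used for classification (assumption of this example): an
    IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is unwrapped so it classifies
    like the IPv4 it carries; otherwise a private address written in that
    form would look external."""
    addr = _parse(address)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_ip(address: str) -> bool:
    return _parse(address) is not None


def is_ipv4(address: str) -> bool:
    return isinstance(_parse(address), ipaddress.IPv4Address)


def is_ipv6(address: str) -> bool:
    return isinstance(_parse(address), ipaddress.IPv6Address)


def is_any_local(address: str) -> bool:   # 0.0.0.0 or ::
    a = _effective(address)
    return a is not None and a.is_unspecified


def is_link_local(address: str) -> bool:  # 169.254.0.0/16 or fe80::/10
    a = _effective(address)
    return a is not None and a.is_link_local


def is_loopback(address: str) -> bool:    # 127.0.0.0/8 or ::1
    a = _effective(address)
    return a is not None and a.is_loopback


def is_multicast(address: str) -> bool:   # 224.0.0.0/4 or ff00::/8
    a = _effective(address)
    return a is not None and a.is_multicast


def is_site_local(address: str) -> bool:
    a = _effective(address)
    return isinstance(a, ipaddress.IPv4Address) and any(a in net for net in SITE_LOCAL_NETS)


def is_external(address: str) -> bool:
    """True when the address is an IP and none of the special classes above.
    Caveat: ranges the guide does not list, such as CGNAT 100.64.0.0/10,
    come out as external here; add them to SITE_LOCAL_NETS if you use them."""
    return is_ip(address) and not (
        is_any_local(address) or is_link_local(address) or is_loopback(address)
        or is_multicast(address) or is_site_local(address)
    )


# Constructed sample events, not taken from any real log source.
EVENTS = [
    {"src_ip": "10.20.30.40", "dest_ip": "203.0.113.7"},
    {"src_ip": "10.20.30.40", "dest_ip": "100.64.0.1"},
    {"src_ip": "10.20.30.40", "dest_ip": "192.168.1.1"},
    {"src_ip": "10.20.30.40", "dest_ip": "::ffff:10.1.1.1"},
    {"src_ip": "10.20.30.40", "dest_ip": "224.0.0.251"},
    {"src_ip": "10.20.30.40", "dest_ip": "fe80::1"},
    {"src_ip": "10.20.30.40", "dest_ip": "not-an-ip"},
    {"src_ip": "2001:db8::10", "dest_ip": "2001:db8:1::1"},
]


def outbound_to_external(events) -> List[str]:
    """Rule: a site-local source talking to an external destination.
    Returns the destination addresses that fired."""
    return [e["dest_ip"] for e in events
            if is_site_local(e["src_ip"]) and is_external(e["dest_ip"])]
```

Two of the rows are there to show edge cases: ::ffff:10.1.1.1 is an IPv6 literal (isIPv6 is true) that classifies as site-local once unwrapped, and 100.64.0.1 fires the rule because shared address space is not among the ranges the table gives for isSiteLocal(), so a network behind CGNAT needs its own allowance.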

Client and Host Operations

Evaluate clients and hosts in your network.

Function

Description

Returned Value

Examples

inHosts(host, h1, ..., hn)

COMING SOON

Boolean

COMING SOON

GetOSFromUA("user_agent")

Extracts the operating system from user agent user_agent.

String

GetOSFromUA("Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0") returns "Macintosh; Intel Mac OS X x.y"

GetBrowserFromUA("user_agent")

Extracts the browser from user agent user_agent.

String

GetBrowserFromUA("Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0") returns "Firefox"

Web Domain Operations

Evaluate web domains.

Function

Description

Returned Value

Examples

HasThreatInfo("threat_type", web_domain)

Checks if domain web_domain has a threat of type threat_type.

threat_type can be:

  • phishing

  • ransomware

  • is_tor_proxy

  • botnet

  • tor

threat_type is optional. If it is omitted, HasThreatInfo(web_domain) returns true if domain web_domain has any of the threat types listed above.

Boolean

HasThreatInfo("ransomware", badsite.com) returns true

GetThreatInfo(web_domain)

Retrieves a list of all threats associated with domain web_domain.

List of strings

GetThreatInfo(web_domain) returns ["phishing", "ransomware"] when web_domain is flagged for both phishing and ransomware.

COMING SOON

GetDomainFromEmail("email")

Extracts the domain from email.

String

GetDomainFromEmail("[email protected]") returns "acme.org"

GetDomainFromURL("url")

Extracts the registered domain from url; scheme, path, and subdomain labels such as www are dropped, as the example shows.

String

GetDomainFromURL("https://www.exabeam.com/company/ai-innovation/") returns "exabeam.com"
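To make the Client and Host Operations and Web Domain Operations tables concrete, here is an added example, not Exabeam's code, that reimplements the user-agent, domain, and threat helpers in Python and chains them into a phishing rule over constructed mail events. The threat table is made up, has_threat_info() takes threat_type as an optional second argument rather than an optional first one, and the browser-token ordering, the "last two labels" domain rule, and the sample user agents and events are all assumptions of this example rather than documented engine behaviour.

```python
"""Added illustration of the guide's host and domain helpers, not Exabeam's
code. Threat data is a constructed table standing in for the real lookup."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

THREAT_TYPES = ("phishing", "ransomware", "is_tor_proxy", "botnet", "tor")

# Constructed threat table keyed by registered domain (not real intel).
THREAT_TABLE: Dict[str, List[str]] = {
    "badsite.com": ["phishing", "ransomware"],
    "exit-node.example": ["tor"],
}

# Product tokens in precedence order (assumption): Chromium browsers also
# advertise Safari, and Edge/Opera also advertise Chrome, so test the most
# specific token first.
_BROWSER_TOKENS = (("Edg/", "Edge"), ("OPR/", "Opera"), ("Chrome/", "Chrome"),
                   ("Firefox/", "Firefox"), ("Safari/", "Safari"))
_UA_COMMENT = re.compile(r"\(([^)]*)\)")


def _registered_domain(host: str) -> Optional[str]:
    """Collapse a hostname to its last two labels. Assumption: no public
    suffix list is available, so names under multi-label suffixes such as
    example.co.uk are cut short; a production engine would consult the PSL."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def get_domain_from_email(email: str) -> Optional[str]:
    """Domain after the last '@' (a quoted local part may itself contain '@')."""
    if "@" not in email:
        return None
    return _registered_domain(email.rsplit("@", 1)[1])


def get_domain_from_url(url: str) -> Optional[str]:
    """urlsplit().hostname discards scheme, userinfo, port and path, so the
    decoy in 'https://login.acme.org@badsite.com/' does not fool the rule."""
    host = urlsplit(url).hostname
    return _registered_domain(host) if host else None


def has_threat_info(web_domain: str, threat_type: Optional[str] = None) -> bool:
    """With threat_type omitted, any listed threat counts (as in the guide)."""
    if threat_type is not None and threat_type not in THREAT_TYPES:
        raise ValueError(f"unknown threat_type {threat_type!r}")
    threats = THREAT_TABLE.get(web_domain.lower(), [])
    return bool(threats) if threat_type is None else threat_type in threats


def get_threat_info(web_domain: str) -> List[str]:
    return list(THREAT_TABLE.get(web_domain.lower(), []))


def get_os_from_ua(user_agent: str) -> Optional[str]:
    """First parenthesised comment minus Gecko's 'rv:' token, which yields
    'Macintosh; Intel Mac OS X x.y' for the guide's example string."""
    m = _UA_COMMENT.search(user_agent)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(";")]
    parts = [p for p in parts if p and not p.startswith("rv:")]
    return "; ".join(parts) or None


def get_browser_from_ua(user_agent: str) -> Optional[str]:
    for token, name in _BROWSER_TOKENS:
        if token in user_agent:
            return name
    return None


FIREFOX_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Constructed sample events, not taken from any real mail or proxy log.
EVENTS = [
    {"sender": "billing@badsite.com", "ua": FIREFOX_UA,
     "url": "https://www.exabeam.com/company/ai-innovation/"},
    {"sender": "it-help@acme.org", "ua": CHROME_UA,
     "url": "https://login.acme.org@badsite.com/reset"},
    {"sender": "news@acme.org", "ua": "curl/8.4.0", "url": "https://acme.org/weekly"},
]


def phishing_candidates(events) -> List[Tuple[Optional[str], Optional[str], Optional[str]]]:
    """Rule: sender domain or linked domain carries a phishing threat.
    Returns (sender domain, URL domain, browser) for each hit."""
    hits = []
    for e in events:
        sender_domain = get_domain_from_email(e["sender"])
        url_domain = get_domain_from_url(e["url"])
        if any(d and has_threat_info(d, "phishing") for d in (sender_domain, url_domain)):
            hits.append((sender_domain, url_domain, get_browser_from_ua(e["ua"])))
    return hits
```

The second event is the one worth studying: its link is dressed up as login.acme.org but the real host is badsite.com, and because the domain is taken from the parsed hostname rather than from a regex over the raw string, the rule still fires. The curl event shows the user-agent helpers returning nothing rather than guessing when there is no browser token or parenthesised comment to work from.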