Skip to main content

Threat Detection ManagementThreat Detection Management Guide

Rule Conditions

Rule conditions are a powerful tool that enables fine-tuned customization of analytics rules through exclusions, allowing you to adapt the system to their unique needs. As part of the Exabeam domain-specific language, these expressions offer a structured yet flexible way to define and refine the conditions under which data is included or excluded from evaluations. This capability ensures that analytics remain focused, precise, and relevant to the organization's objectives.

Rule Expressions are at the core of configuring exclusions for rules. By leveraging these expressions, you can specify conditions to exclude certain events, users, or behaviors from triggering alerts or being flagged for analysis. This process helps eliminate noise, reduce false positives, and tailor the system to prioritize what matters most.

For example:

  • You might want to exclude routine administrative logins from being flagged as suspicious.

  • Or you might exclude specific IP ranges commonly used by internal systems from being considered as potential attack vectors.

Refer to the following topics for the full set of allowable expressions:

Key Features that Enable Effective Exclusions

Rule conditions offer several features that make them highly effective for tuning rules through exclusions. These features ensure that analytics rules remain precise, adaptable, and focused on what matters most.

Boolean Logic for Precision

Rule Expressions use Boolean operators like AND, OR, and NOT to create precise exclusion criteria.

Example 1. Example

The following expression excludes login events from specific IPs unless the user is an administrator:

((src_ip == "192.168.1.1" || src_ip == "192.168.1.2") && EventType == "Login") && NOT(user == "admin")



Dynamic Context from Event Fields

By referencing event fields directly in the expressions, exclusions can dynamically adapt to the actual data flowing through the system.

Example 2. Example

This expression dynamically identifies and excludes events for a specific user-device combination:

concat(user, "-", src_host) == "robert-MBP123"



String Operations for Granular Conditions

String functions like startswith, endswith, and concat allow for highly specific exclusions.

Example 3. Example

This expression excludes emails sent from internal automated systems:

startswith(src_email, "noreply") && endswith(src_email, "@company.com")



Case Insensitivity for Simplicity

Rule functions are case-insensitive, simplifying their usage and reducing errors in complex exclusion logic.

Example 4. Example

The following expressions are equivalent:

startsWith("anip", user)

STARTSWITH("anip", user)



Nesting and Parentheses for Complexity

Parentheses and nested expressions make it easy to combine multiple conditions into a single rule, enabling nuanced exclusions.

Example 5. Example

The following expression ensures the exclusion applies to all but guest roles:

((true || false) && NOT(role == "guest"))



General Expressions

These Expressions perform general operations such as mathematical calculations or basic data evaluation:

Expression

Description

add(x1, ..., xn)

Adds numerical arguments.

Example: add(2, 3, 5) returns 10.

ceil(x)

Returns the least integer greater than or equal to the argument.

Example: ceil(2.3) returns 3.

floor(x)

Returns the greatest integer less than or equal to the argument.

Example: floor(2.7) returns 2.

divide(x, y) or div(x, y)

Performs division of x by y.

Example: divide(10, 2) returns 5.

first(e1, ..., en)

Returns the first expression that evaluates to true, non-empty, or non-zero.

Example: first(false, 0, 3) returns 3.

format(formatspec, v1, ...)

Formats arguments according to a specified format string.

Example: format("%.2f", 2.34567) returns 2.35.

fieldOr(fn, def-cond, {"fv1": condition1}, ...)

Optimized "or" chain for matching field-value conditions.

Example: fieldOr(event_type, false, {"Login":true}) returns true if event_type is "Login".

String Expressions

Expressions for manipulating or evaluating string data:

Expression

Description

beginsWith(s, prefix)

Checks if the string s begins with the specified prefix.

beginsWithAny(s, v1, v2, ...)

Checks if s begins with any of the specified prefixes.

chopAfter(s, pattern, n)

Removes all characters after and including the n-th occurrence of a pattern.

Example: chopAfter("a.b.c", ".", 2) returns "a.b".

chopBefore(s, pattern, n)

Removes all characters before and including the n-th occurrence of a pattern.

Example: chopBefore("a.b.c", ".", 2) returns "c".

concat(v1, v2, ...)

Concatenates multiple values as strings. Example: concat("hello", " ", "world") returns "hello world".

contains(a, b)

Tests whether the string a contains the substring b.

Example: contains("exabeam", "beam") returns true.

containsAny(s, s1, ..., sn)

Tests whether s contains any of the substrings s1, ..., sn.

drop(s, n)

Removes the first n characters from string s.

Example: drop("hello", 2) returns "llo".

dropright(s, n)

Removes the last n characters from string s.

Example: dropright("hello", 2) returns "hel".

endsWith(a, b)

Tests whether the string a ends with the substring b.

Example: endsWith("filename.txt", ".txt") returns true.

endsWithAny(s, s1, ..., sn)

Checks if s ends with any of the substrings s1, ..., sn.

indexOf(s, p)

Returns the zero-based index of the first occurrence of pattern p in string s.

Example: indexOf("hello", "e") returns 1.

Boolean and Conditional Expressions

Expressions for logical operations and condition evaluation:

Expression

Description

and(e1, ..., en)

Logical AND of all expressions.

Example: and(true, false, true) returns false.

if(expr, if-true, if-false)

Evaluates the expression expr. If true, returns if-true; otherwise, returns if-false.

Example: if(1 > 0, 10, 5) returns 10.

in(expr, v1, ...)

Checks if the expr matches any value in v1, ....

Example: in(2, 1, 2, 3) returns true.

exists(v1, v2, ..., vn)

Checks if all values are defined and non-empty.

Example: exists(1, "text", null) returns false.

IP and Network Expressions

Expressions specific to IP address evaluation:

Expression

Description

isIP(s)

Checks if s is an IPv4 or IPv6 address.

Example: isIP("192.168.1.1") returns true.

isIPv4(s)

Checks if s is an IPv4 address.

Example: isIPv4("192.168.1.1") returns true.

isIPv6(s)

Checks if s is an IPv6 address.

Example: isIPv6("2001:db8::1") returns true.

isAnyLocal(s)

Checks if s is an any-local address (0.0.0.0 or ::0).

Example: isAnyLocal("0.0.0.0") returns true.

isLinkLocal(s)

Checks if s is a link-local address (169.254.x.x or fe80::).

Example: isLinkLocal("169.254.1.1") returns true.

isLoopback(s)

Checks if s is a loopback address (127.x.x.x or ::1).

Example: isLoopback("127.0.0.1") returns true.

Context Expressions

Expressions involving contextual data or operations:

Expression

Description

ContextListContains(table_name, value)

Checks whether the context table table_name contains value.

Returns false if the table doesn't exist or is unsupported.

Example: ContextListContains("CompanyNames", "Exabeam") returns true if "Exabeam" exists in the "CompanyNames" table.

!ContextListContains("AuthorizedDepartments", user_department)

Identifies unauthorized access attempts by users outside the specified department.

Example: If user_department is "Marketing" and the table "AuthorizedDepartments" contains only "Finance" and "IT", this expression returns true.

ContextListContains("SuspiciousDomains", getDomainFromURL(url))

Verifies if a URL's domain belongs to a list of suspicious domains.

Example: If url is "http://malicious.com/phishing" and the domain "malicious.com" is in the "SuspiciousDomains" table, this expression returns true.

Entity Expressions

Expressions that interact with entities and their attributes:

Expression

Description

EntityHasAttribute(selector, attribute_name)

Checks if the entity matching the selector has the attribute attribute_name defined with a value.

Example: EntityHasAttribute('type: User && direction: Source', 'department') returns true if the Source User has a department defined.

EntityAttribute(selector, attribute_name)

Retrieves the value of the attribute attribute_name for the entity matching the selector.

Example: EntityAttribute('type: User && direction: Dest', 'department') might return 'Product' if the Destination User belongs to the Product department.

EntityIsLoggedToVpn(selector)

Determines if the entity matching the selector is logged into the VPN.

Example: EntityIsLoggedToVpn('type: User && direction: Source') returns false if the Source User is not on the VPN.

EntityHasAttributeValue(selector, attribute_name, attribute_value, comparison_option)

Checks if the entity's attribute equals the given value. The comparison can be case-sensitive or insensitive.

Example: EntityHasAttributeValue('type: User && direction: Dest', 'department', 'Product') returns true if the Destination User's department is Product.

EntityId(selector)

Retrieves the entity ID for the entity matching the selector.

Example: EntityId('type: User && direction: Dest') might return '[email protected]' for the Destination User.