Built-in functions

The following table lists the built-in functions available in rules and describes the behavior of each.

Function    Behavior

bool strstr(string str1, string str2, bool bCaseSensitive)

bool strstr(string str1, string[] str2, bool bCaseSensitive)


Performs a search for occurrences of str2 in str1. Returns TRUE if found, FALSE otherwise. If bCaseSensitive is TRUE, the comparison is case-sensitive. If a set is supplied for the second parameter, the set is iterated and each item is used in the strstr operation until the first match occurs or until the set has been fully iterated.

bool strstr(string str1, string str2)

Performs a case-sensitive search for occurrences of str2 in str1. Returns TRUE if found, FALSE otherwise. This is a legacy function superseded by strstr above.

bool stristr(string str1, string str2)

Performs a case-insensitive search for occurrences of str2 in str1. Returns TRUE if found, FALSE otherwise. This is a legacy function superseded by strstr above.

bool findword(string str1, string str2, bool bCaseSensitive)

bool findword(string str1, string[] str2, bool bCaseSensitive)

Performs a search for the complete word str2 in str1. Returns TRUE only if str2 is found as a bounded word in str1 and not as a substring of some other word in str1. If a set is supplied for the second parameter, the set is iterated and each item is used in the findword operation until the first match occurs or until the set has been fully iterated. For more information on the findword function, see Matching on Word Boundaries with .

bool startswith(string str1, string prefix, bool bCaseSensitive)

bool startswith(string str1, string[] prefix, bool bCaseSensitive)


Returns TRUE if str1 starts with prefix. If bCaseSensitive is TRUE, the comparison is case-sensitive. If a set is supplied for the second parameter, the set is iterated and each item is used in the startswith operation until the first match occurs or until the set has been fully iterated.

bool endswith(string str1, string suffix, bool bCaseSensitive)

bool endswith(string str1, string[] suffix, bool bCaseSensitive)


Returns TRUE if str1 ends with suffix. If bCaseSensitive is TRUE, the comparison is case-sensitive. If a set is supplied for the second parameter, the set is iterated and each item is used in the endswith operation until the first match occurs or until the set has been fully iterated.

bool strcmp(string str1, string str2, bool bCaseSensitive)

Performs a comparison of str1 and str2. Returns TRUE if the strings match, FALSE otherwise. If bCaseSensitive is TRUE, the comparison is case-sensitive.


bool strcmp(string str1, string str2)

Performs a case-sensitive comparison of str1 and str2. Returns TRUE if the strings match, FALSE otherwise. This is a legacy function superseded by strcmp above.

bool stricmp(string str1, string str2)

Performs a case-insensitive comparison of str1 and str2. Returns TRUE if the strings match, FALSE otherwise. This is a legacy function superseded by strcmp above.

uint32 strlen(string str)

Returns the character count for the supplied string parameter.

pid getppid(uint32 pid)

Returns the parent process ID for the process specified by the pid parameter.

setinsert(uint32 s[], uint32 n)

setinsert(uint64 s[], uint64 n)

setinsert(double s[], double n)

setinsert(bool s[], bool n)

setinsert(ipaddr s[], ipaddr address)

setinsert(md5digest s[], md5digest digest)

setinsert(sha256digest s[], sha256digest digest)

Inserts an item into a set of the same type. For more information about set variables, see Using Set Variables.

setremove(uint32 s[], uint32 n)

setremove(uint64 s[], uint64 n)

setremove(double s[], double n)

setremove(bool s[], bool b)

setremove(ipaddr s[], ipaddr address)

setremove(md5digest s[], md5digest digest)

setremove(sha256digest s[], sha256digest digest)

Removes an item from a set of the same type. For more information about set variables, see Using Set Variables.

bool setstrstr(string haystack, string needles[], bool bCaseSensitive)

Iterates the needles string set and performs a search for occurrences of any element of the set in the string haystack. The function returns TRUE upon the first matching occurrence and returns FALSE otherwise. If bCaseSensitive is TRUE, the comparison is case-sensitive. This function is superseded by the strstr function, which can now operate on string sets.

bool setipcmp(ipaddr ip, ipaddr ipAddrSet[])

Iterates ipAddrSet and compares each item in the set against ip.

string getregistrysubkey(string regEventPath)

Normalizes a registry path returned in event data and returns the result. Strips the hive name from the beginning of a kernel registry path if present. Strips User SIDs from user hive paths.

Examples:

    \REGISTRY\MACHINE\xyz → \xyz

    \REGISTRY\USER\HKEY_USERS\S-1-5-21-2177698632-2771012605-3807011837-1001\xyz → \xyz

string upper(string s)

Converts the supplied string to uppercase in place.

string lower(string s)

Converts the supplied string to lowercase in place.

string getbasename(string filePath)

Returns the base name of the supplied file path, that is, the portion after the last backslash. The whole string is returned if the supplied file path contains no backslash.

Examples:

c:\windows\system32\etc\drivers\hosts → hosts

hosts → hosts
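The following is an added reference model of the normalization documented for getregistrysubkey and getbasename above; it is not the endpoint agent's own code. It assumes a user SID is any S-1-... component directly under the user hive, and adds a constructed check showing why normalizing the hive prefix lets one rule match a subkey in both the machine and per-user hives.

```python
import re

# Assumption: a user SID is an "S-1-..." component directly under \REGISTRY\USER.
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)


def getregistrysubkey(reg_event_path: str) -> str:
    """Model of the documented behavior: strip the hive name from a kernel
    registry path and, for user hives, the HKEY_USERS\\<SID> prefix too."""
    parts = reg_event_path.split("\\")
    # A kernel path looks like \REGISTRY\<hive>\...; anything else is returned as-is.
    if len(parts) < 3 or parts[0] != "" or parts[1].upper() != "REGISTRY":
        return reg_event_path
    hive, rest = parts[2].upper(), parts[3:]
    if hive == "USER":
        if rest and rest[0].upper() == "HKEY_USERS":
            rest = rest[1:]
        if rest and _SID_RE.match(rest[0]):
            rest = rest[1:]
    elif hive != "MACHINE":
        return reg_event_path  # unknown hive: leave the path untouched
    return "\\" + "\\".join(rest)


def getbasename(file_path: str) -> str:
    """Portion after the last backslash; the whole string if there is none."""
    return file_path.rsplit("\\", 1)[-1]


# Constructed example: one subkey prefix that, after normalization, matches
# writes under the Run key in both the machine hive and any user's hive.
RUN_KEY = "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\"


def touches_run_key(reg_event_path: str) -> bool:
    """TRUE when the normalized subkey lies under the Run key (case-insensitive)."""
    return getregistrysubkey(reg_event_path).upper().startswith(RUN_KEY)
```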

bool iswhitelisted(md5digest digest)

Determines whether the supplied hash is on one of the endpoint agent's whitelists.

This function returns TRUE when the supplied hash:

    Is on a whitelist and whitelisting is enabled on the endpoint agent.

    Is on a whitelist and whitelisting is disabled on the endpoint agent.

    Is not on a whitelist and whitelisting is disabled on the endpoint agent.

This function returns FALSE when the supplied hash:

    Is not on a whitelist and whitelisting is enabled.

In other words, the function returns FALSE only when whitelisting is enabled and the hash is absent from every whitelist; when whitelisting is disabled it returns TRUE for every hash, so a rule condition that negates iswhitelisted can only fire while whitelisting is enabled.

threshold threshold_create(uint32 eventLimit, uint32 timePeriodMs)

Initializes a threshold variable. eventLimit is the number of events that must be exceeded within timePeriodMs (milliseconds). For more information about threshold variables, see Using Threshold Variables.

bool threshold_increment(threshold t, uint64 timestamp, uint32 increment)

bool threshold_increment(threshold t, uint64 timestamp, uint64 increment)

Increments the event count for a threshold variable. Returns TRUE if the threshold has been exceeded, FALSE otherwise. For more information about threshold variables, see Using Threshold Variables.
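The following is an added model of the threshold semantics described for threshold_create and threshold_increment above (a sliding-window event counter that reports TRUE once eventLimit is exceeded within timePeriodMs); it is not the endpoint agent's implementation. It assumes event timestamps are in the same millisecond unit as timePeriodMs and arrive in non-decreasing order.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Threshold:
    event_limit: int
    time_period_ms: int
    # (timestamp, increment) pairs still inside the sliding window, oldest first.
    events: deque = field(default_factory=deque)


def threshold_create(event_limit: int, time_period_ms: int) -> Threshold:
    """Initialize a threshold: more than event_limit events within time_period_ms trips it."""
    return Threshold(event_limit, time_period_ms)


def threshold_increment(t: Threshold, timestamp: int, increment: int = 1) -> bool:
    """Add `increment` events at `timestamp` (assumed milliseconds, non-decreasing).
    Returns True when the count inside the window ending at `timestamp` exceeds the limit."""
    t.events.append((timestamp, increment))
    # Expire entries older than the window; entries exactly at the cutoff are dropped too,
    # so the window covers the last time_period_ms strictly.
    cutoff = timestamp - t.time_period_ms
    while t.events and t.events[0][0] <= cutoff:
        t.events.popleft()
    return sum(inc for _, inc in t.events) > t.event_limit


def first_exceeded_at(timestamps, event_limit: int, time_period_ms: int):
    """Constructed helper: feed a burst of event timestamps through one threshold
    and return the timestamp at which it first trips, or None if it never does."""
    t = threshold_create(event_limit, time_period_ms)
    for ts in timestamps:
        if threshold_increment(t, ts, 1):
            return ts
    return None
```

Because the count is recomputed against the window ending at the latest event, a slow trickle that never exceeds eventLimit within any timePeriodMs span never trips the threshold, while a burst does.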

bool timematch(uint64 timestamp, uint32 day_mask, time_range range)

Performs time range matching. For more information about time range matching, see Using Time Range Matching.

uint64 getcurrenteventtimestamp()

Returns the timestamp of the event being processed in the rule.

bool dnsmatch(ipaddr ipAddress, string dnsName)

bool dnsmatch(ipaddr ipAddress, string dnsName[])

Checks for the mapping of an IP address to a DNS name in the namespace cache maintained by the endpoint agent.

For usage examples, see Namespace Event Caching.

uint64 timediff(uint64 timestamp1, uint64 timestamp2)

Calculates the absolute difference between two event timestamps in seconds.

uint64 runthreadheuristics(uint32 threadId)

Examines a running thread on the system and returns a bit mask of interesting features. Currently the only bit supported in the bit mask is TH_PRIVATE_MEMORY, which indicates that the start address of the thread resides in a private memory allocation (i.e. a region of memory not backed by a file on disk). This can be indicative of the use of malicious code injection techniques.

uint64 getrulematchinteral()

Returns the number of seconds since the currently executing rule last matched. This can be used to limit how frequently a rule will match. See Limiting the Frequency of Rule Match for more information.