Rule syntax
Every rule set consists of at least one rule group.
Rule groups act as a namespace that partitions variable declarations and lets you organize rules logically; each rule group contains one or more rules. The simplest rule group and rule look like this:
rulegroup <name>
{
<action> when <expression>;
...
};
Each rule specifies an action (alert, block, suppress, forward, isolate, set) followed by an expression. A simple example is a rule that blocks execution based on the file name:
rulegroup BlockCalc
{
block when strstr(process.path, "calc.exe", false);
};
The strstr function performs a case-insensitive search for the string "calc.exe" inside the attribute value process.path. Rules are made more complex by linking multiple attribute comparisons with the logical conjunctions AND and OR. All language keywords are case insensitive.
The following rule sends an alert to the server in response to a remote login to the endpoint using the account name "admin":
rulegroup AdminLogin
{
alert when session.event == SESSION_LOGON and
session.type == SESSION_TYPE_REMOTE and
strcmp(session.username,"admin",false);
};
Rules can be annotated with metadata. For example, everything to the right of a number sign ("#") is treated as a comment and ignored by the compiler:
#
# Rules relating to admin logins
#
rulegroup AdminLogin
{
# This rule generates an alert when a remote login
# occurs using the username "admin".
alert when session.event == SESSION_LOGON and
session.type == SESSION_TYPE_REMOTE and
strcmp(session.username,"admin",false);
};
Rule annotation helps to document rule behavior and is used by the Nuix Adaptive Security application when displaying data for rule matches. For more information about rule annotation, see Rule Annotation.
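To make the syntax above concrete, here is a small added validator (not part of the Nuix Adaptive Security compiler) that strips # comments, splits a rule set into rule groups and rules, and rejects actions outside the six documented ones; the sample rule set it parses is constructed from the groups shown on this page, and it assumes string literals contain no ';' or '#' characters.

```python
import re

# The six actions the documentation lists; keywords are case-insensitive.
ACTIONS = {"alert", "block", "suppress", "forward", "isolate", "set"}

def strip_comments(text):
    """Drop everything from a '#' to the end of the line, as the compiler does.
    Simplification: a '#' inside a string literal is not recognised."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def parse_rulegroups(text):
    """Return [(group_name, [(action, expression), ...]), ...].
    Raises ValueError on an unknown action, a malformed rule, or text
    outside a rulegroup block. Expressions are kept as raw strings."""
    text = strip_comments(text)
    group_re = re.compile(r"rulegroup\s+(\w+)\s*\{(.*?)\}\s*;", re.IGNORECASE | re.DOTALL)
    groups, pos = [], 0
    for m in group_re.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError("text outside rulegroup: %r" % text[pos:m.start()].strip())
        pos = m.end()
        name, body, rules = m.group(1), m.group(2), []
        for stmt in body.split(";"):               # one '<action> when <expr>' per ';'
            stmt = " ".join(stmt.split())           # collapse newlines and indentation
            if not stmt:
                continue
            parts = stmt.split(None, 2)
            if len(parts) != 3 or parts[1].lower() != "when":
                raise ValueError("rule must be '<action> when <expression>': %r" % stmt)
            action = parts[0].lower()
            if action not in ACTIONS:
                raise ValueError("unknown action %r in rulegroup %s" % (parts[0], name))
            rules.append((action, parts[2]))
        if not rules:
            raise ValueError("rulegroup %s has no rules" % name)
        groups.append((name, rules))
    if text[pos:].strip():
        raise ValueError("text after last rulegroup: %r" % text[pos:].strip())
    if not groups:
        raise ValueError("a rule set needs at least one rulegroup")
    return groups

# Constructed sample rule set built from the two groups shown on this page.
SAMPLE = """
# Rules relating to admin logins
rulegroup AdminLogin
{
  # alert on remote "admin" logins
  ALERT WHEN session.event == SESSION_LOGON and
        session.type == SESSION_TYPE_REMOTE and
        strcmp(session.username,"admin",false);
};
rulegroup BlockCalc
{
  block when strstr(process.path, "calc.exe", false);
};
"""
```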