Sumo Logic

CSE Rules Syntax

Learn about the functions you can use when writing CSE Rules.

This topic describes commonly used CSE rules language functions. Rules language functions are used in CSE rule expressions. For information about rules and rule expressions, see About CSE Rules.

!

Description: The exclamation point (!) function is a logical NOT operator.

Example: The following expression returns “true” if the value of the device_ip field is not “0.0.0.0”.

device_ip != '0.0.0.0'

-

Description: The dash (-) function is a subtraction operator.

Example:

The following expression returns the difference between the length of the dns_query and the dns_queryDomain field values.

(length(dns_query) - length(dns_queryDomain))

/

Description: The forward slash (/) operator performs floating-point division between two expressions. 

Syntax:

expr1 / expr2

Example:

The following expression divides error_count by user_count.

error_count / user_count

<

Description: The less than (<) operator returns “true” if the first expression is less than the second expression.

Syntax:

expr1 < expr2

Example:

In the following example, the result is “true” if the value of the srcPort field is less than the value of the dstPort field.

srcPort < dstPort

<=

Description: The less than or equal to (<=) operator returns “true” if the first expression is less than or equal to the second expression.

Syntax:

expr1 <= expr2

Example:

This expression is “true” if the value of dstPort is less than or equal to “6669”.

dstPort <= 6669

<=>

Description: The <=> operator returns the same result as the equal (=) operator for non-null operands, but returns “true” if both operands are null and “false” if only one of them is null.

=

Description: The equal to (=) function returns “true” if the expressions are equal.

Syntax:

expr1 = expr2 

Example:

The following example returns “true” if the value of the metadata_vendor field is “Mimecast”.

metadata_vendor = 'Mimecast'

==

Description: The double equal sign (==) function returns “true” if the two expressions are equal. The two expressions must be the same type, and must be a type that can be used in an equality comparison. For complex types such as array and struct, the data types of fields must be orderable.

Syntax:

expr1 == expr2 

>

Description: The greater than (>) function returns “true” if the first expression is greater than the second expression.

Syntax:

expr1 > expr2 

Example:

The following example returns “true” if the value of the severity field is greater than 6.

severity > '6' 

>=

Description: The greater than or equal to (>=) function returns “true” if the first expression is greater than or equal to the second expression.

Syntax:

expr1 >= expr2 

Example:

The following expression is “true” if the value of the srcPort field is greater than or equal to  the value of the dstPort field.

srcPort >= dstPort

+

Description: The plus sign (+) function adds the value of two or more expressions.

Syntax:

expr1 + expr2

Example:

The following example adds the value of the errorCount_x  field to the value of the errorCount_y  field.

errorCount_x + errorCount_y

*

Description: The asterisk (*) returns the product of two expressions.

Syntax:

expr1 * expr2

array_contains

Description: Returns “true” if a specified array contains a particular value. 

The array_contains function is used in CSE rules to check for the existence of a specific value in a Record’s listMatches field in a Match List. For more information, see Match Lists in the About CSE Rules topic.

Syntax:

The syntax for checking for the existence of a Match List name in a Record’s listMatches field is: 

array_contains(listMatches, 'match_list_name')

Example:

This example checks to see if the listMatches field contains the value “vuln_scanners” (the name of a CSE Match List). 

array_contains(listMatches, 'vuln_scanners')

between

Description: Returns “true” if the value of an expression falls within a specified range. 

Syntax:

expr between value1 and value2

Example:

This example returns “true” if the value of the  metadata_deviceEventId is between “2000000” and “2999999”:

metadata_deviceEventId between '2000000' and '2999999'
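The entries for <=>, between and array_contains above describe how each operator treats its operands; the following Python model is an added example (not Sumo Logic code) that evaluates a small rule combining them over constructed Records. It assumes a Record is a dict, a null field is Python None, and that =, between and array_contains follow SQL three-valued logic (null in, null out); the page states null behaviour only for like and for the difference between = and <=>, so that part is an assumption.

```python
from typing import Any, Iterable, List, Optional

# Added example (not Sumo Logic code). A Record is modelled as a dict and a
# null field as None. Assumption: '=', 'between' and 'array_contains' follow
# SQL three-valued logic and yield null when an operand is null; the page
# states this only for like and for the difference between '=' and '<=>'.


def sql_eq(a: Any, b: Any) -> Optional[bool]:
    """The '=' operator: equal / not equal, or null if either operand is null."""
    if a is None or b is None:
        return None
    return a == b


def null_safe_eq(a: Any, b: Any) -> bool:
    """The '<=>' operator: like '=' for non-null operands, true if both are
    null, false if exactly one is null. It never returns null."""
    if a is None or b is None:
        return a is None and b is None
    return a == b


def between(expr: Any, low: Any, high: Any) -> Optional[bool]:
    """expr between low and high (inclusive); null if any operand is null."""
    if expr is None or low is None or high is None:
        return None
    return low <= expr <= high


def array_contains(arr: Optional[Iterable[Any]], value: Any) -> Optional[bool]:
    """array_contains(arr, value); null if the array itself is null."""
    if arr is None:
        return None
    return value in arr


def sql_not(v: Optional[bool]) -> Optional[bool]:
    """Logical NOT with null passed through."""
    return None if v is None else not v


def sql_and(*vals: Optional[bool]) -> Optional[bool]:
    """Three-valued AND: false wins over null, null wins over true."""
    if any(v is False for v in vals):
        return False
    if any(v is None for v in vals):
        return None
    return True


# Constructed Records (not real telemetry). metadata_deviceEventId is kept as
# a string, as in the page's between example, so the comparison is string order.
RECORDS: List[dict] = [
    {"id": "r1", "metadata_deviceEventId": "2500123", "listMatches": ["vuln_scanners"]},
    {"id": "r2", "metadata_deviceEventId": "2500123", "listMatches": []},
    {"id": "r3", "metadata_deviceEventId": None, "listMatches": []},
    {"id": "r4", "metadata_deviceEventId": "3000000", "listMatches": []},
    {"id": "r5", "metadata_deviceEventId": "2000000", "listMatches": None},
]


def rule(rec: dict) -> Optional[bool]:
    """Evaluates the hypothetical rule expression:
    metadata_deviceEventId between '2000000' and '2999999'
        and not array_contains(listMatches, 'vuln_scanners')
    """
    return sql_and(
        between(rec.get("metadata_deviceEventId"), "2000000", "2999999"),
        sql_not(array_contains(rec.get("listMatches"), "vuln_scanners")),
    )


def matching_ids(records: Iterable[dict]) -> List[str]:
    """Only Records where the rule evaluates to true (not null) fire it."""
    return [r["id"] for r in records if rule(r) is True]


if __name__ == "__main__":
    for r in RECORDS:
        print(r["id"], rule(r))
    print("fires for:", matching_ids(RECORDS))
```

Records r3 and r5 show why the null handling matters: a missing event id or a null listMatches array makes the whole expression null rather than true, so the rule does not fire for them, and a check such as `field <=> null` (via null_safe_eq) is the way to test for a null explicitly.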

length

Description: Returns the character length of string data or number of bytes of binary data. The length of string data includes the trailing spaces. The length of binary data includes binary zeros.

Syntax:

length(expr) 

Example:

This example returns the length of the value of the dns_query field.

length(dns_query)

like

Description: Compares a string to a pattern, and returns “true” if the string matches the pattern, null if any arguments are null, and “false” otherwise. Patterns can contain regular characters as well as wildcards. Wildcard characters can be escaped using the single character specified for the ESCAPE parameter. Matching is case sensitive.

Syntax:

str like pattern [ ESCAPE 'escape_character' ]

where:

  • str is a string expression
  • pattern is a string expression, which is matched literally, except for the following wildcard symbols:

    _ represents a single character

    % represents zero, one, or multiple characters

If pattern or escape_character is null, the expression evaluates to null.

Example:

In the following example, the string '%SystemDrive%\Users\John' has to match the pattern '\%SystemDrive\%\\Users%' to return “true”.

'%SystemDrive%\Users\John' like '\%SystemDrive\%\\Users%'

Example:

This example returns “true” if the value of the bro_rdp_cookie field matches %admin%.

bro_rdp_cookie like '%admin%'

rlike

Description: The rlike function returns “true” if a string matches a specified regular expression. If there is no match, the function returns “false”.

Syntax:

str rlike regexp

where:

  • str is a string expression.
  • regexp is a Java regular expression.

Example:

This example returns “true” if the value of the dns_query field matches the regular expression [A-Za-z2-7]{60,}.

dns_query rlike '[A-Za-z2-7]{60,}'
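The like and rlike entries above describe wildcard and regular-expression matching; the following Python model is an added example (not Sumo Logic code) that implements the like wildcard rules, including ESCAPE, and runs the page's like and rlike examples over constructed values. It assumes the default escape character is a backslash (as the page's like example implies), that rlike finds the regular expression anywhere in the string (Java Matcher.find semantics), and that a null value is Python None; it uses Python's re module in place of Java's regex engine, which is fine for the simple patterns shown.

```python
import re
from typing import Optional

# Added example (not Sumo Logic code). Assumptions: the default ESCAPE
# character is a backslash, as the page's like example implies; rlike finds
# the regular expression anywhere in the string (Java Matcher.find semantics);
# a null value is modelled as Python None.


def like_to_regex(pattern: str, escape: str = "\\") -> str:
    """Translate a like pattern into a Python regular expression.

    '_' matches exactly one character, '%' matches zero or more characters,
    and any character preceded by the escape character is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == escape and i + 1 < len(pattern):
            # escaped wildcard (or escaped escape character): literal match
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "%":
            parts.append(".*")
        elif c == "_":
            parts.append(".")
        else:
            parts.append(re.escape(c))
        i += 1
    return "".join(parts)


def like(s: Optional[str], pattern: Optional[str],
         escape: Optional[str] = "\\") -> Optional[bool]:
    """str like pattern [ESCAPE escape]: case sensitive; null if any argument is null."""
    if s is None or pattern is None or escape is None:
        return None
    return re.fullmatch(like_to_regex(pattern, escape), s, flags=re.DOTALL) is not None


def rlike(s: Optional[str], regexp: Optional[str]) -> Optional[bool]:
    """str rlike regexp: true if the regular expression matches anywhere in s."""
    if s is None or regexp is None:
        return None
    return re.search(regexp, s) is not None


# Constructed sample values (not real telemetry).
SAMPLE_QUERIES = {
    "normal": "www.example.com",
    # a 64-character label drawn from the base32 alphabet: the kind of long
    # encoded label the page's rlike example is aimed at
    "long_label": "abcdefghijklmnopqrstuvwxyz234567" * 2 + ".example.com",
}


def page_examples() -> dict:
    """Evaluate the page's like and rlike examples plus a few edge cases."""
    return {
        "system_drive": like(r"%SystemDrive%\Users\John", r"\%SystemDrive\%\\Users%"),
        "rdp_cookie_match": like("mstshash=admin", "%admin%"),
        "rdp_cookie_case": like("mstshash=ADMIN", "%admin%"),  # case sensitive
        "underscore": like("abc", "a_c"),
        "underscore_too_long": like("abbc", "a_c"),
        "custom_escape": like("100%", "100!%", escape="!"),
        "null_pattern": like("abc", None),
        "dns_normal": rlike(SAMPLE_QUERIES["normal"], "[A-Za-z2-7]{60,}"),
        "dns_long_label": rlike(SAMPLE_QUERIES["long_label"], "[A-Za-z2-7]{60,}"),
    }


if __name__ == "__main__":
    for name, result in page_examples().items():
        print(f"{name}: {result}")
```

The translation shows why the page's pattern needs '\%' and '\\': an unescaped '%' would be a wildcard, and a single backslash before 'Users' would be consumed as the escape character rather than matched as the literal path separator.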