Field operators

Field operators are the logical pieces of a rule that allow Optics to compare two values. If there are two or more operands, and they match the comparison criteria, Optics considers that portion of the defined function to be complete. When all pieces of the function are complete, the state is satisfied.
The field operators field is an object that consists of one or more conditional objects. These conditional objects can be set to any value; however, they must match the same conditional values that are referenced in the function field. BlackBerry recommends that these names are kept to simple and logical values, such as numbers or letters.
Field operator
Description
ContainsAll
This field operator determines if the specified operand contains all of the operands from a set.
Positive: "hello, I am a string" contains all from ("ello", "ng")
Negative: "hello, I am a string" does not contain all from ("hi", "ng")
ContainsAllWords
This field operator determines if the specified operand contains all of the operands from a set, where each set operand must appear as a whole word surrounded by white space, punctuation, or end or beginning string markers.
Positive: "hello, I am a string" contains all words from ("hello", "a", "string")
Negative: "hello, I am a string" does not contain all words from ("ello", "ng")
Contains
This field operator determines if the specified operand contains any of the operands from a set.
Positive: "hello, I am a string" contains any from ("ello", "banana")
Negative: "hello, I am a string" does not contain any from ("hi", "banana")
ContainsWord
This field operator determines if the specified operand contains any of the operands from a set, where each set operand would have to appear as a whole word surrounded by white space, punctuation, or end or beginning string markers.
Positive: "hello, I am a string" contains any words from ("hello", "banana")
Negative: "hello, I am a string" does not contain any words from ("ello", "ng")
EndsWith
This field operator determines if the specified left operand ends with the specified right operand.
Positive: "hello, I am a string" ends with "ring"
Negative: "hello, I am a string" does not end with "bring"
Equals
This field operator determines if the specified operand equals exactly any of the operands from a set, where each set operand would have to appear as a number or a whole word surrounded by white space, punctuation, or end or beginning string markers.
Positive: 10 equals any from (10, 20, 30)
Positive: "hello" equals any from ("hello", "banana")
Negative: 100 does not equal any from (10, 20, 30)
Negative: "hello" does not equal any from ("ello", "ng")
GreaterThan
This field operator determines if the specified left operand is greater than the specified right operand.
Positive: 14.4 is greater than 10.1
Negative: 1 is not greater than 1000
GreaterThanOrEquals
This field operator determines if the specified left operand is greater than or equal to the specified right operand.
Positive: 14.4 is greater than or equal to 10.1
Negative: 1 is not greater than or equal to 1000
InRange
This field operator determines if the specified middle operand is between the left and right operands.
Positive: 10 is between 1 and 20
Positive: 5.3 is between 5.3 and 20.1 (inclusive)
Negative: 4 is not between 5 and 10
Negative: 20 is not between 20 and 40 (exclusive)
IpIsInRange
This field operator determines if the TargetNetworkConnection address (SourceAddress, DestinationAddress) is within the specified "min" and "max" options.
Allowed Operands are:
{ "Source": "TargetNetworkConnection", "Data": "SourceAddress" }
And:
{ "Source": "TargetNetworkConnection", "Data": "DestinationAddress" }
Example:
"FieldOperators": {
    "a": {
        "Type": "IpIsInRange",
        "OperandType": "IPAddres",
        "Options": {
            "min": "123.45.67.89",
            "max": "123.45.67.255"
        },
        "Operands": [
            {
                "Source": "TargetNetworkConnection",
                "Data": "DestAddr"
            }
        ]
    }
}
Include the following filters object with the above example to output the network traffic:
"Filters": [
    {
        "Type": "Event",
        "Data": {
            "Category": "Network",
            "SubCategory": "*",
            "Type": "Connect"
        }
    }
]
IsHomoglyph
This field operator determines if the left operand is a homoglyph of the right operand. For example, a US Latin 1 "e" and a French "e" appear to be the same character and have the same meaning, but they have different values.
Positive: "3xplor3" is a homoglyph of "explore" with 100% certainty
Positive: "3xplord" is a homoglyph of "explore" with 90% certainty
Negative: "temp" is not a homoglyph of "temp" because these are the same string
Negative: "431" is not a homoglyph of "big" because these share no transitive characteristics
IsNullOrEmpty
This field operator determines if the specified operand is null or empty.
Positive: <null> is null or empty
Positive: "" is null or empty
Positive: " " is null or empty
Negative: "Hello" is not null or empty
IsPopulated
This field operator determines if the specified operand is not null or empty.
Positive: "Hello" is not null or empty
Negative: <null> is null or empty
Negative: "" is null or empty
Negative: " " is null or empty
IsTrue
This field operator determines if the specified value is true.
Positive: TriState.True
Negative: TriState.False
Negative: TriState.Unknown
LessThan
This field operator determines if the specified left operand is less than the specified right operand.
Positive: 4.4 is less than 10.1
Negative: 1000 is not less than 1
LessThanOrEquals
This field operator determines if the specified left operand is less than or equal to the specified right operand.
Positive: 4.4 is less than or equal to 10.1
Positive: 14 is less than or equal to 14
Negative: 1000 is not less than or equal to 1
LevenshteinDistance
This field operator determines if the distance, the number of changes needed to turn one operand into another operand, is within an acceptable range.
Positive: "cat" is within a Levenshtein Distance of 1 from "bat"
Positive: "hello" is within a Levenshtein Distance of 3 from "bell"
Negative: "cart" is not within a Levenshtein Distance of 1 from "act"
RegexMatches
This field operator determines if the specified operand conforms to a regular expression.
Positive: "hello, I am a string" conforms to "^hello, [Ii] am [aA] string$"
Negative: "hello, I am a string" does not conform to "^[hi|hey], I am a string$"
StartsWith
This field operator determines if the specified left operand starts with the specified right operand.
Positive: "hello, I am a string" starts with "hello, I"
Negative: "hello, I am a string" does not start with "help"
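
The difference between the substring operators (Contains, ContainsAll) and the whole-word operators (ContainsWord, ContainsAllWords) decides whether a rule fires on a term embedded in a longer token. The following Python model is an added example, not BlackBerry code and not part of the original page. It assumes case-sensitive matching and treats any character other than a letter, digit or underscore as a word boundary; the command lines in SAMPLES are constructed.

```python
import re

# Model of the four containment operators as this page describes them.
# Assumptions: case-sensitive matching; a word boundary is string start/end
# or any character that is not a letter, digit or underscore.

def _has_word(text, term):
    pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
    return re.search(pattern, text) is not None

def contains(text, terms):
    return any(t in text for t in terms)

def contains_all(text, terms):
    return all(t in text for t in terms)

def contains_word(text, terms):
    return any(_has_word(text, t) for t in terms)

def contains_all_words(text, terms):
    return all(_has_word(text, t) for t in terms)

def evaluate(text, terms):
    """Return the verdict of all four operators for one operand and term set."""
    return {
        "Contains": contains(text, terms),
        "ContainsAll": contains_all(text, terms),
        "ContainsWord": contains_word(text, terms),
        "ContainsAllWords": contains_all_words(text, terms),
    }

# Constructed command lines (not from the page): the substring operators fire
# on both, the whole-word operators only on the second.
SAMPLES = ["dotnet.exe build app.csproj", "net user"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, evaluate(line, ["net"]))
```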
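
For IpIsInRange, anyone reproducing the check outside the product (for example when replaying exported events) has to compare addresses numerically, not as strings. The following Python sketch is an added example, not BlackBerry code and not part of the original page. It assumes the "min" and "max" bounds are inclusive and uses the DestinationAddress operand name listed above; the events are constructed.

```python
import ipaddress

def ip_in_range(addr, lo, hi):
    """Inclusive numeric range test (assumed semantics for "min"/"max").

    Returns False for unparsable input or when IPv4 and IPv6 are mixed.
    """
    try:
        a, low, high = (ipaddress.ip_address(x) for x in (addr, lo, hi))
    except ValueError:
        return False
    if not (a.version == low.version == high.version):
        return False
    return low <= a <= high

def naive_string_in_range(addr, lo, hi):
    # Lexicographic comparison, kept only to show the pitfall:
    # "123.45.67.100" sorts before "123.45.67.89" as text.
    return lo <= addr <= hi

# Constructed sample events keyed by the operand names on this page.
EVENTS = [
    {"SourceAddress": "10.0.0.5", "DestinationAddress": "123.45.67.100"},
    {"SourceAddress": "10.0.0.5", "DestinationAddress": "123.45.67.88"},
    {"SourceAddress": "10.0.0.7", "DestinationAddress": "123.45.67.255"},
    {"SourceAddress": "10.0.0.7", "DestinationAddress": "not-an-ip"},
]

def matching_events(events, field, lo, hi):
    """Events whose address in `field` falls inside [lo, hi]."""
    return [e for e in events if ip_in_range(e.get(field, ""), lo, hi)]

if __name__ == "__main__":
    lo, hi = "123.45.67.89", "123.45.67.255"   # bounds from the page's example
    for e in matching_events(EVENTS, "DestinationAddress", lo, hi):
        print("match:", e)
    print("string compare on .100:", naive_string_in_range("123.45.67.100", lo, hi))
```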
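
The LevenshteinDistance examples above can be checked by computing the edit distance directly, which also shows how the threshold separates near-miss names from exact matches. The following Python code is an added example, not BlackBerry code and not part of the original page. The near_misses helper and the process names in OBSERVED are constructed for illustration.

```python
def levenshtein(a, b):
    """Edit distance: minimum insertions, deletions and substitutions."""
    # prev[j] holds the distance between the processed prefix of a and b[:j].
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,               # delete ca
                cur[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),  # substitute, or free if equal
            ))
        prev = cur
    return prev[-1]

def within_distance(a, b, max_distance):
    return levenshtein(a, b) <= max_distance

def near_misses(reference, observed, max_distance):
    """Names that are close to `reference` but not identical to it.

    Hypothetical helper: a distance of 0 is the legitimate name itself,
    so only 1..max_distance is reported.
    """
    out = []
    for name in observed:
        d = levenshtein(name, reference)
        if 1 <= d <= max_distance:
            out.append((name, d))
    return out

# Constructed process names, not taken from the page.
OBSERVED = ["svchost.exe", "svch0st.exe", "scvhost.exe", "explorer.exe"]

if __name__ == "__main__":
    print(near_misses("svchost.exe", OBSERVED, 2))
```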