Skip Navigation

Field operators

Field operators are the logical pieces of a rule that allow
CylanceOPTICS
to compare two values. If there are two or more operands, and they match the comparison criteria,
CylanceOPTICS
considers that portion of the defined function to be complete. When all pieces of the function are complete, the state is satisfied.
The field operators field is an object that consists of one or more conditional objects. These conditional objects can be set to any value; however, they must match the same conditional values that are referenced in the function field.
BlackBerry
recommends that these names are kept to simple and logical values, such as numbers or letters.
Field operator
Description
Base64Encoding
Base64
This field operator tokenizes a string and determines if any of the tokens match an operand. It also attempts to determine the type of string encoding (ASCII, UTF-7, UTF-8, UTF-16-LE, UTF-16-BE, UTF-32-LE, or UTF-32-BE). Without a BOM, the operator can reliably detect only UTF-8, UTF-16-LE, and UTF-16-BE. If all detections fail, the operator will default to the system's default code page.
Postive:
powershell.exe -ex bypass -e "ZwBlAHQALQBwAHIAbwBjAGUAcwBzAA==" equals ("get-process", )
Negative:
powershell.exe -ex bypass "ZwBlAHQALQBhAGwAaQBhAHMA" does not contain ("get-process", )
ContainsAll
This field operator determines if the specified operand contains all of the operands from a set.
Positive: "hello, I am a string" contains all from ("ello", "ng")
Negative: "hello, I am a string" does not contain all from ("hi", "ng")
ContainsAllWords
This field operator determines if the specified operand contains all of the operands from a set, where each set operand must appear as a whole word surrounded by white space, punctuation, or end or beginning string markers.
Positive: "hello, I am a string" contains all words from ("hello", "a", "string")
Negative: "hello, I am a string" does not contain all words from ("ello", "ng")
ContainsAny
Contains
This field operator determines if the specified operand contains any of the operands from a set.
Positive: "hello, I am a string" contains any from ("ello", "banana")
Negative: "hello, I am a string" does not contain any from ("hi", "banana")
ContainsAnyWord
ContainsWord
This field operator determines if the specified operand contains any of the operands from a set, where each set operand would have to appear as a whole word surrounded by white space, punctuation, or end or beginning string markers.
Positive: "hello, I am a string" contains any words from ("hello", "banana")
Negative: "hello, I am a string" does not contain any words from ("ello", "ng")
DamerauLevenshteinDistance
DLDistance
This field operator determines if the distance (the number of changes needed to turn one operand into another operand) is within an acceptable range, but allows for the transposition of adjacent symbols.
Positive: "cat" is within a Damerau-Levenshtein Distance of 1 from "bat"
Positive: "hello" is within a Damerau-Levenshtein Distance of 2 from "bell"
Positive: "ca" is within a Damerau-Levenshtein Distance of 3 from "abc"
Negative: "cart" is not within a Damerau-Levenshtein Distance of 1 from "act"
DiceCoefficient
Dice
This field operator determines the similarity between two sets or strings by the number of common bigrams (a pair of adjacent letters in the string). It determines if the result of the comparison falls between the "mincoefficient" and "maxcoefficient".
For example, comparing the process name "Test.exe" with "Tes.exe" would return 0.76923076923076927.
With "round" set to 2:
Positive: min: 0.5 < 0.77 < 0.8 max; not inclusive
Positive: min: 0.77 <= 0.77 <= 0.77 max; inclusive
Negative: min: 0.8 < 0.77 < 0.85 max; not inclusive
The "round" option will round the decimal place to the specified integer. For example, if "round" is set to 2, .6666666667 becomes .67.
EndsWithAny
EndsWith
This field operator determines if the specified left operand ends with the specified right operand.
Positive: "hello, I am a string" ends with "ring"
Negative: "hello, I am a string" does not end with "bring"
EqualsAny
Equals
This field operator determines if the specified operand equals exactly any of the operands from a set, where each set operand would have to appear as a number or a whole word surrounded by white space, punctuation, or end or beginning string markers.
Positive: 10 equals any from (10, 20, 30)
Positive: "hello" equals any from ("hello", "banana")
Negative: 100 does not equal any from (10, 20, 30)
Negative: "hello" does not equal any from ("ello", "ng")
GreaterThan
This field operator determines if the specified left operand is greater than the specified right operand.
Positive: 14.4 is greater than 10.1
Negative: 1 is not greater than 1000
GreaterThanOrEquals
This field operator determines if the specified left operand is greater than or equal to the specified right operand.
Positive: 14.4 is greater than or equal to 10.1
Negative: 1 is not greater than or equal to 1000
HammingDistance
This field operator determines the distance between two strings of equal length, which is the number of positions at which the corresponding symbols are different. It measures the minimum number of substitutions required to change one string into the other.
Positive: "cat" is within a Hamming Distance of 1 from "bat"
  • cat → bat(1)
Positive: "hello" is within a Hamming Distance of 2 from "bell"
  • hello → bello(1) → bell(2)
Positive: "ca" is within a Hamming Distance of 3 from "abc"
  • ca → aa(1) → ab(2) → abc(3)
Negative: "cart" is not within a Hamming Distance of 4 from "act"
  • cart → aart(1) → acrt(2) → actt(3) → act(4)
HexEncoding
This field operator tokenizes a string and determines if any of the tokens match an operand. It also attempts to determine the type of string encoding (ASCII, UTF-7, UTF-8, UTF-16-LE, UTF-16-BE, UTF-32-LE, UTF-32-BE). Without a BOM, it can reliably detect only UTF-8, UTF-16-LE, and UTF-16-BE. If all detections fail, the operand will default to the system's default code page.
Positive: "74657374" contains "test"
Negative: "696e76616c6964" does not contain "test"
InRange
This field operator determines if the specified middle operand is between the left and right operands.
Positive: 10 is between 1 and 20
Positive: 5.3 is between 5.3 and 20.1 (inclusive)
Negative: 4 is not between 5 and 10
Negative: 20 is not between 20 and 40 (exclusive)
IpIsInRange
IpRange
This field operator determines if the TargetNetworkConnection address (SourceAddress, DestinationAddress) is within the specified "min" and "max" options.
Allowed Operands are:
{ "Source": "TargetNetworkConnection", "Data": "SourceAddress" }
And:
{ "Source": "TargetNetworkConnection", "Data": "DestinationAddress" }
Example:
"FieldOperators": { "a": { "Type": "IpIsInRange", "OperandType": "IPAddres", "Options": { "min": "123.45.67.89", "max": "123.45.67.255" }, "Operands": [ { "Source": "TargetNetworkConnection", "Data": "DestAddr" } ] } }
Include the following filters object with the above example to output the network traffic:
"Filters": [ { "Type": "Event", "Data": { "Category": "Network", "SubCategory": "*", "Type": "Connect" } } ]
IsFlagSet
This field operator checks if a bit or bits in a bitmask are set. It can use base-10 or base-16 (using the "0x" prefix) for the comparison value.
Positive: 0x10 is set for 0x4111
Positive: 3 is set for 0x7
Negative: 0x3 is not set for 0x4
Negative: 2 is not set for 0x5
IsHomoglyph
This field operator determines if the left operand is a homoglyph of the right operand. For example, a US Latin 1 "e" and a French "e" appear to be the same character and have the same meaning, but they have different values.
Positive: "3xplor3" is a homoglyph of "explore" with 100% certainty
Positive: "3xplord" is a homoglyph of "explore" with 90% certainty
Negative: "temp" is not a homoglyph of "temp" because these are the same string
Negative: "431" is not a homoglyph of "big" because these share no transitive characteristics
IsNullOrEmpty
This field operator determines if the specified operand is null or empty.
Positive: <null> is null or empty
Positive: "" is null or empty
Positive: " " is null or empty
Negative: "Hello" is not null or empty
IsPopulated
Exists
HasContent
This field operator determines if the specified operand is not null or empty.
Positive: "Hello" is not null or empty
Negative: <null> is null or empty
Negative: "" is null or empty
Negative: " " is null or empty
IsTrue
This field operator determines if the specified value is true.
Positive: TriState.True
Negative: TriState.False
Negative: TriState.Unknown
LessThan
This field operator determines if the specified left operand is less than the specified right operand.
Positive: 4.4 is less than 10.1
Negative: 1000 is not less than 1
LessThanOrEquals
This field operator determines if the specified left operand is less than or equal to the specified right operand.
Positive: 4.4 is less than or equal to 10.1
Positive: 14 is less than or equal to 14
Negative: 1000 is not less than or equal to 1
LevenshteinDistance
This field operator determines if the distance, the number of changes needed to turn one operand into another operand, is within an acceptable range.
Positive: "cat" is within a Levenshtein Distance of 1 from "bat"
Positive: "hello" is within a Levenshtein Distance of 3 from "bell"
Negative: "cart" is not within a Levenshtein Distance of 1 from "act"
LongestCommonSubsequence
This field operator compares a fixed left operand with a set of right operands and determines the longest subsequence in each comparison. It compares the result count to min and max values to determine if the result is within an acceptable range.
Comparing "aggtab" and "gxtxayb":
Positive: "gtab" is the longest sequence. If the min is 1 and max is 10, this falls within an acceptable range.
Negative: Using the previous example, if the min was 5 and the max was 10, this would not fall within an acceptable range.
LongestCommonSubstring
This field operator compares the left and right operands and returns a count of the longest found substring.
Comparing "ababc" and "abcdaba":
Positive: "aba" and "abc" are two results of the same size in "abcdaba" and would return the longest substring as 3.
Negative: If the mindistance and the maxdistance was set to 4, this would be larger than the longest substring found.
Comparing "ababcd" and "abcdaba":
Postive: "abcd" is the longest substring found.
MatchOnFilter
NoOp
This field operator indicates that no operations are being performed and that the state simply matches if the filter finds a corresponding event.
RegexMatches
This field operator determines if the specified operand conforms to a regular expression.
Positive: "hello, I am a string" conforms to "^hello, [Ii] am [aA] string$"
Negative: "hello, I am a string" does not conform to "^[hi|hey], I am a string$"
ShannonEntropy
This field operator determines the measure of unpredictability of state, or its average information content when comparing a single operand.
Postive: "abc" calculates to 1.5849625007211561 and falls within the range of 1.55 and 1.6.
Negative: "Z2V0LXByb2Nlc3M=" calculates to 3.875 and does not fall within the range of 1.55 and 1.6.
StartsWithAny
StartsWith
This field operator determines if the specified left operand starts with the specified right operand.
Positive: "hello, I am a string" starts with "hello, I"
Negative: "hello, I am a string" does not start with "help"