Field operators
Field operators are the logical pieces of a rule that allow
CylanceOPTICS
to compare two values. If there are two or more operands, and they match the comparison criteria, CylanceOPTICS
considers that portion of the defined function to be complete. When all pieces of the function are complete, the state is satisfied.The field operators field is an object that consists of one or more conditional objects. These conditional objects can be set to any value; however, they must match the same conditional values that are referenced in the function field.
BlackBerry
recommends that these names are kept to simple and logical values, such as numbers or letters.Field operator | Description |
---|---|
Base64Encoding Base64 | This field operator tokenizes a string and determines if any of the tokens match an operand. It also attempts to determine the type of string encoding (ASCII, UTF-7, UTF-8, UTF-16-LE, UTF-16-BE, UTF-32-LE, or UTF-32-BE). Without a BOM, the operator can reliably detect only UTF-8, UTF-16-LE, and UTF-16-BE. If all detections fail, the operator will default to the system's default code page. Postive: powershell.exe -ex bypass -e "ZwBlAHQALQBwAHIAbwBjAGUAcwBzAA==" equals ("get-process", ) Negative: powershell.exe -ex bypass "ZwBlAHQALQBhAGwAaQBhAHMA" does not contain ("get-process", ) |
ContainsAll | This field operator determines if the specified operand contains all of the operands from a set. Positive: "hello, I am a string" contains all from ("ello", "ng") Negative: "hello, I am a string" does not contain all from ("hi", "ng") |
ContainsAllWords | This field operator determines if the specified operand contains all of the operands from a set, where each set operand must appear as a whole word surrounded by white space, punctuation, or end or beginning string markers. Positive: "hello, I am a string" contains all words from ("hello", "a", "string") Negative: "hello, I am a string" does not contain all words from ("ello", "ng") |
ContainsAny Contains | This field operator determines if the specified operand contains any of the operands from a set. Positive: "hello, I am a string" contains any from ("ello", "banana") Negative: "hello, I am a string" does not contain any from ("hi", "banana") |
ContainsAnyWord ContainsWord | This field operator determines if the specified operand contains any of the operands from a set, where each set operand would have to appear as a whole word surrounded by white space, punctuation, or end or beginning string markers. Positive: "hello, I am a string" contains any words from ("hello", "banana") Negative: "hello, I am a string" does not contain any words from ("ello", "ng") |
DamerauLevenshteinDistance DLDistance | This field operator determines if the distance (the number of changes needed to turn one operand into another operand) is within an acceptable range, but allows for the transposition of adjacent symbols. Positive: "cat" is within a Damerau-Levenshtein Distance of 1 from "bat" Positive: "hello" is within a Damerau-Levenshtein Distance of 2 from "bell" Positive: "ca" is within a Damerau-Levenshtein Distance of 3 from "abc" Negative: "cart" is not within a Damerau-Levenshtein Distance of 1 from "act" |
DiceCoefficient Dice | This field operator determines the similarity between two sets or strings by the number of common bigrams (a pair of adjacent letters in the string). It determines if the result of the comparison falls between the "mincoefficient" and "maxcoefficient". For example, comparing the process name "Test.exe" with "Tes.exe" would return 0.76923076923076927. With "round" set to 2: Positive: min: 0.5 < 0.77 < 0.8 max; not inclusive Positive: min: 0.77 <= 0.77 <= 0.77 max; inclusive Negative: min: 0.8 < 0.77 < 0.85 max; not inclusive The "round" option will round the decimal place to the specified integer. For example, if "round" is set to 2, .6666666667 becomes .67. |
EndsWithAny EndsWith | This field operator determines if the specified left operand ends with the specified right operand. Positive: "hello, I am a string" ends with "ring" Negative: "hello, I am a string" does not end with "bring" |
EqualsAny Equals | This field operator determines if the specified operand equals exactly any of the operands from a set, where each set operand would have to appear as a number or a whole word surrounded by white space, punctuation, or end or beginning string markers. Positive: 10 equals any from (10, 20, 30) Positive: "hello" equals any from ("hello", "banana") Negative: 100 does not equal any from (10, 20, 30) Negative: "hello" does not equal any from ("ello", "ng") |
GreaterThan | This field operator determines if the specified left operand is greater than the specified right operand. Positive: 14.4 is greater than 10.1 Negative: 1 is not greater than 1000 |
GreaterThanOrEquals | This field operator determines if the specified left operand is greater than or equal to the specified right operand. Positive: 14.4 is greater than or equal to 10.1 Negative: 1 is not greater than or equal to 1000 |
HammingDistance | This field operator determines the distance between two strings of equal length, which is the number of positions at which the corresponding symbols are different. It measures the minimum number of substitutions required to change one string into the other. Positive: "cat" is within a Hamming Distance of 1 from "bat"
Positive: "hello" is within a Hamming Distance of 2 from "bell"
Positive: "ca" is within a Hamming Distance of 3 from "abc"
Negative: "cart" is not within a Hamming Distance of 4 from "act"
|
HexEncoding | This field operator tokenizes a string and determines if any of the tokens match an operand. It also attempts to determine the type of string encoding (ASCII, UTF-7, UTF-8, UTF-16-LE, UTF-16-BE, UTF-32-LE, UTF-32-BE). Without a BOM, it can reliably detect only UTF-8, UTF-16-LE, and UTF-16-BE. If all detections fail, the operand will default to the system's default code page. Positive: "74657374" contains "test" Negative: "696e76616c6964" does not contain "test" |
InRange | This field operator determines if the specified middle operand is between the left and right operands. Positive: 10 is between 1 and 20 Positive: 5.3 is between 5.3 and 20.1 (inclusive) Negative: 4 is not between 5 and 10 Negative: 20 is not between 20 and 40 (exclusive) |
IpIsInRange IpRange | This field operator determines if the TargetNetworkConnection address (SourceAddress, DestinationAddress) is within the specified "min" and "max" options. Allowed Operands are:
And:
Example:
Include the following filters object with the above example to output the network traffic:
|
IsFlagSet | This field operator checks if a bit or bits in a bitmask are set. It can use base-10 or base-16 (using the "0x" prefix) for the comparison value. Positive: 0x10 is set for 0x4111 Positive: 3 is set for 0x7 Negative: 0x3 is not set for 0x4 Negative: 2 is not set for 0x5 |
IsHomoglyph | This field operator determines if the left operand is a homoglyph of the right operand. For example, a US Latin 1 "e" and a French "e" appear to be the same character and have the same meaning, but they have different values. Positive: "3xplor3" is a homoglyph of "explore" with 100% certainty Positive: "3xplord" is a homoglyph of "explore" with 90% certainty Negative: "temp" is not a homoglyph of "temp" because these are the same string Negative: "431" is not a homoglyph of "big" because these share no transitive characteristics |
IsNullOrEmpty | This field operator determines if the specified operand is null or empty. Positive: <null> is null or empty Positive: "" is null or empty Positive: " " is null or empty Negative: "Hello" is not null or empty |
IsPopulated Exists HasContent | This field operator determines if the specified operand is not null or empty. Positive: "Hello" is not null or empty Negative: <null> is null or empty Negative: "" is null or empty Negative: " " is null or empty |
IsTrue | This field operator determines if the specified value is true. Positive: TriState.True Negative: TriState.False Negative: TriState.Unknown |
LessThan | This field operator determines if the specified left operand is less than the specified right operand. Positive: 4.4 is less than 10.1 Negative: 1000 is not less than 1 |
LessThanOrEquals | This field operator determines if the specified left operand is less than or equal to the specified right operand. Positive: 4.4 is less than or equal to 10.1 Positive: 14 is less than or equal to 14 Negative: 1000 is not less than or equal to 1 |
LevenshteinDistance | This field operator determines if the distance, the number of changes needed to turn one operand into another operand, is within an acceptable range. Positive: "cat" is within a Levenshtein Distance of 1 from "bat" Positive: "hello" is within a Levenshtein Distance of 3 from "bell" Negative: "cart" is not within a Levenshtein Distance of 1 from "act" |
LongestCommonSubsequence | This field operator compares a fixed left operand with a set of right operands and determines the longest subsequence in each comparison. It compares the result count to min and max values to determine if the result is within an acceptable range. Comparing "aggtab" and "gxtxayb": Positive: "gtab" is the longest sequence. If the min is 1 and max is 10, this falls within an acceptable range. Negative: Using the previous example, if the min was 5 and the max was 10, this would not fall within an acceptable range. |
LongestCommonSubstring | This field operator compares the left and right operands and returns a count of the longest found substring. Comparing "ababc" and "abcdaba": Positive: "aba" and "abc" are two results of the same size in "abcdaba" and would return the longest substring as 3. Negative: If the mindistance and the maxdistance was set to 4, this would be larger than the longest substring found. Comparing "ababcd" and "abcdaba": Postive: "abcd" is the longest substring found. |
MatchOnFilter NoOp | This field operator indicates that no operations are being performed and that the state simply matches if the filter finds a corresponding event. |
RegexMatches | This field operator determines if the specified operand conforms to a regular expression. Positive: "hello, I am a string" conforms to "^hello, [Ii] am [aA] string$" Negative: "hello, I am a string" does not conform to "^[hi|hey], I am a string$" |
ShannonEntropy | This field operator determines the measure of unpredictability of state, or its average information content when comparing a single operand. Postive: "abc" calculates to 1.5849625007211561 and falls within the range of 1.55 and 1.6. Negative: "Z2V0LXByb2Nlc3M=" calculates to 3.875 and does not fall within the range of 1.55 and 1.6. |
StartsWithAny StartsWith | This field operator determines if the specified left operand starts with the specified right operand. Positive: "hello, I am a string" starts with "hello, I" Negative: "hello, I am a string" does not start with "help" |