Logical Operations

Some parameters are available to all logical operations. Setting "not": true reverses the matching outcome of an operation. Setting "case sensitive": false makes all string-based evaluations ignore case.

A recurring parameter found in many operations is the "path": <> parameter. It represents a path within the event being evaluated for which we want the value. Its structure is very close to a directory structure. It supports the * wildcard to represent zero or more directories, as well as the ? wildcard, which represents exactly one directory.

The root of the path should be event or routing depending on whether you want to get a value from the event itself or the routing instead. 


{ "op": "is", "path": "event/PARENT/PROCESS_ID", "value": 9999 }

Note that many comparison values support a special "lookback" format. That is, an operation that supports comparing a value to a literal like "system32", can also support a value of "<<event/PARENT/FILE_PATH>>". When that value is surrounded by "<<" and ">>", the value located in between will be interpreted as a path within the event and the value at that path will replace the "<<...>>" value. This allows you to "look back" at the event and use values within for your rule.

For example, this sample JSON event:

{ "USER_ID": 501, "PARENT": { "USER_ID": 501, "COMMAND_LINE": "/Applications/Sublime Text.app/Contents/MacOS/plugin_host 71954", "PROCESS_ID": 71955, "USER_NAME": "maxime", "FILE_PATH": "/Applications/Sublime Text.app/Contents/MacOS/plugin_host", "PARENT_PROCESS_ID": 71954, "DEEP_HASH": { "HASH_VALUE": "ufs8f8hfinsfd9sfdsf" } }, "PROCESS_ID": 23819, "FILE_PATH": "/Applications/Xcode.app/Contents/Developer/usr/bin/git", "PARENT_PROCESS_ID": 71955 }

Referencing the example above, the following paths are presented with their resulting element:

event/USER_ID results in 501
event/?/USER_NAME results in "maxime"
event/PARENT/PROCESS_ID results in 71955
event/*/HASH_VALUE results in ufs8f8hfinsfd9sfdsf
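The path and lookback behaviour described above can be reproduced with a short resolver. This is an added example, not LimaCharlie's own code; the names resolve and op_is are hypothetical, and treating a rule as matched when any resolved value is equal is an assumption.

```python
# Sample event from the page above, trimmed to the fields the paths touch.
EVENT = {
    "USER_ID": 501,
    "PARENT": {
        "USER_ID": 501,
        "PROCESS_ID": 71955,
        "USER_NAME": "maxime",
        "DEEP_HASH": {"HASH_VALUE": "ufs8f8hfinsfd9sfdsf"},
    },
    "PROCESS_ID": 23819,
    "PARENT_PROCESS_ID": 71955,
}

def _walk(node, parts):
    """Yield every value reachable from node by following the path components."""
    if not parts:
        yield node
        return
    head, rest = parts[0], parts[1:]
    children = list(node.values()) if isinstance(node, dict) else []
    if head == "*":
        # '*' stands for zero or more levels: try skipping it, then descend one level.
        yield from _walk(node, rest)
        for child in children:
            yield from _walk(child, parts)
    elif head == "?":
        # '?' stands for exactly one level, whatever its name.
        for child in children:
            yield from _walk(child, rest)
    elif isinstance(node, dict) and head in node:
        yield from _walk(node[head], rest)

def resolve(path, event, routing=None):
    """Return all values found at a path rooted at 'event' or 'routing'."""
    root, *parts = path.strip("/").split("/")
    if root not in ("event", "routing"):
        raise ValueError("path must start with event or routing: %r" % path)
    return list(_walk(event if root == "event" else (routing or {}), parts))

def op_is(rule, event, routing=None):
    """Evaluate an 'is' rule, expanding a "<<path>>" lookback and honouring "not"."""
    v = rule["value"]
    wanted = [v]
    if isinstance(v, str) and v.startswith("<<") and v.endswith(">>"):
        wanted = resolve(v[2:-2], event, routing)
    # Assumption: the rule matches if any value at the path equals a wanted value.
    hit = any(found in wanted for found in resolve(rule["path"], event, routing))
    return hit != rule.get("not", False)
```

A rule such as { "op": "is", "path": "event/PARENT_PROCESS_ID", "value": "<<event/PARENT/PROCESS_ID>>" } evaluates to true on this event, because both paths resolve to 71955.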

and, or

The standard logical boolean operations to combine other logical operations. Take a single "rules" : [] parameter with the logical operations to apply the boolean logic to.

{ "op": "and", "rules" : [ { "op": "is linux", "event": "STARTING_UP" }, { "op" : "is tagged", "tag": "test_tag" } ] }


is

Tests for equality between the value of the "value": <> parameter and the value found in the event at the "path": <> parameter.


{ "op": "is", "path": "event/PARENT/PROCESS_ID", "value": 9999 }

contains, ends with, starts with

contains checks for a substring match, starts with checks for a prefix match, and ends with checks for a suffix match.

They all use the path and value parameters.

is greater than, is lower than

Check to see if a value is greater, or lower (numerically) than a value in the event.

They both use the path and value parameters. They also both support the length of parameter as a boolean (true or false). If set to true, instead of comparing the value at the specified path, it compares the length of the value at the specified path.


matches

The matches op compares the value at path with a regular expression supplied in the re parameter. Under the hood, this uses the Python 2.7 re module with findall, which means the regular expression is applied to every line of the field (if the field is multi-line). This enables you to apply the regexp to log files.


{ "op": "matches", "path": "event/FILE_PATH", "re": ".*\\\\system32\\\\.*\\.scr", "case sensitive": false }

is windows, is linux, is mac, is 32 bit, is 64 bit

All of these operators take no additional arguments; they simply match if the relevant sensor characteristic is correct.

is tagged

Determines if the tag supplied in the tag parameter is already associated with the sensor that the event under evaluation is from.


lookup

Looks up a value against a LimaCharlie Resource like a threat feed. The value is supplied via the path parameter and the resource path is defined in the resource parameter. Resources are of the form lcr:///. In order to access a resource you must have subscribed to it via app.limacharlie.io.


{ "op": "lookup", "path": "event/DOMAIN_NAME", "resource": "lcr://lookup/malwaredomains", "case sensitive": false }