[[eql-function-ref]] == EQL function reference ++++ Function reference ++++ experimental::[] {es} supports the following EQL functions: * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> [discrete] [[eql-fn-between]] === `between` Extracts a substring that's between a provided `left` and `right` text in a source string. [%collapsible] ==== *Example* [source,eql] ---- // file.path = "C:\\Windows\\System32\\cmd.exe" between(file.path, "system32\\\\", ".exe") // returns "cmd" between(file.path, "workspace\\\\", ".exe") // returns "" // Greedy matching defaults to false. between(file.path, "\\\\", "\\\\", false) // returns "Windows" // Sets greedy matching to true between(file.path, "\\\\", "\\\\", true) // returns "Windows\\System32" // Case sensitivity defaults to false. between(file.path, "system32\\\\", ".exe", false, false) // returns "cmd" // Sets case sensitivity to true between(file.path, "system32\\\\", ".exe", false, true) // returns "" between(file.path, "System32\\\\", ".exe", false, true) // returns "cmd" // empty source string between("", "system32\\\\", ".exe") // returns "" between("", "", "") // returns "" // null handling between(null, "system32\\\\", ".exe") // returns null ---- *Syntax* [source,txt] ---- between(, , [, , ]) ---- *Parameters* ``:: + -- (Required, string or `null`) Source string. Empty strings return an empty string (`""`), regardless of the `` or `` parameters. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field Fields containing <> use the first array item only. -- ``:: + -- (Required, string) Text to the left of the substring to extract. This text should include whitespace. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field <> are not supported. -- ``:: + -- (Required, string) Text to the right of the substring to extract. This text should include whitespace. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field <> are not supported. -- ``:: (Optional, boolean) If `true`, match the longest possible substring, similar to `.*` in regular expressions. If `false`, match the shortest possible substring, similar to `.*?` in regular expressions. Defaults to `false`. ``:: (Optional, boolean) If `true`, matching is case-sensitive. Defaults to `false`. *Returns:* string or `null` ==== [discrete] [[eql-fn-cidrmatch]] === `cidrMatch` Returns `true` if an IP address is contained in one or more provided https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing[CIDR] blocks. [%collapsible] ==== *Example* [source,eql] ---- // source.address = "192.168.152.12" cidrMatch(source.address, "192.168.0.0/16") // returns true cidrMatch(source.address, "192.168.0.0/16", "10.0.0.0/8") // returns true cidrMatch(source.address, "10.0.0.0/8") // returns false cidrMatch(source.address, "10.0.0.0/8", "10.128.0.0/9") // returns false // null handling cidrMatch(null, "10.0.0.0/8") // returns null cidrMatch(source.address, null) // returns null ---- *Syntax* [source,txt] ---- `cidrMatch(, [, ...])` ---- *Parameters* ``:: (Required, string or `null`) IP address. Supports https://en.wikipedia.org/wiki/IPv4[IPv4] and https://en.wikipedia.org/wiki/IPv6[IPv6] addresses. If `null`, the function returns `null`. + If using a field as the argument, this parameter supports only the <> field datatype. ``:: (Required{multi-arg}, string or `null`) CIDR block you wish to search. If `null`, the function returns `null`. *Returns:* boolean or `null` ==== [discrete] [[eql-fn-concat]] === `concat` Returns a concatenated string of provided values. [%collapsible] ==== *Example* [source,eql] ---- concat("process is ", "regsvr32.exe") // returns "process is regsvr32.exe" concat("regsvr32.exe", " ", 42) // returns "regsvr32.exe 42" concat("regsvr32.exe", " ", 42.5) // returns "regsvr32.exe 42.5" concat("regsvr32.exe", " ", true) // returns "regsvr32.exe true" concat("regsvr32.exe") // returns "regsvr32.exe" // process.name = "regsvr32.exe" concat(process.name, " ", 42) // returns "regsvr32.exe 42" concat(process.name, " ", 42.5) // returns "regsvr32.exe 42.5" concat("process is ", process.name) // returns "process is regsvr32.exe" concat(process.name, " ", true) // returns "regsvr32.exe true" concat(process.name) // returns "regsvr32.exe" // process.arg_count = 4 concat(process.name, " ", process.arg_count) // returns "regsvr32.exe 4" // null handling concat(null, "regsvr32.exe") // returns null concat(process.name, null) // returns null concat(null) // returns null ---- *Syntax* [source,txt] ---- concat([, ]) ---- *Parameters* ``:: (Required{multi-arg-ref}) Value to concatenate. If any of the arguments are `null`, the function returns `null`. + If using a field as the argument, this parameter does not support the <> field datatype. *Returns:* string or `null` ==== [discrete] [[eql-fn-endswith]] === `endsWith` Returns `true` if a source string ends with a provided substring. [%collapsible] ==== *Example* [source,eql] ---- endsWith("regsvr32.exe", ".exe") // returns true endsWith("regsvr32.exe", ".dll") // returns false endsWith("", "") // returns true // file.name = "regsvr32.exe" endsWith(file.name, ".exe") // returns true endsWith(file.name, ".dll") // returns false // file.extension = ".exe" endsWith("regsvr32.exe", file.extension) // returns true endsWith("ntdll.dll", file.name) // returns false // file.name = [ "ntdll.dll", "regsvr32.exe" ] endsWith(file.name, ".dll") // returns true endsWith(file.name, ".exe") // returns false // null handling endsWith("regsvr32.exe", null) // returns null endsWith("", null) // returns null endsWith(null, ".exe") // returns null endsWith(null, null) // returns null ---- *Syntax* [source,txt] ---- endsWith(, ) ---- *Parameters* ``:: + -- (Required, string or `null`) Source string. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field Fields containing <> use the first array item only. -- ``:: + -- (Required, string or `null`) Substring to search for. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field -- *Returns:* boolean or `null` ==== [discrete] [[eql-fn-indexof]] === `indexOf` Returns the first position of a provided substring in a source string. If an optional start position is provided, this function returns the first occurrence of the substring at or after the start position. [%collapsible] ==== *Example* [source,eql] ---- // url.domain = "subdomain.example.com" indexOf(url.domain, ".") // returns 9 indexOf(url.domain, ".", 9) // returns 9 indexOf(url.domain, ".", 10) // returns 17 indexOf(url.domain, ".", -6) // returns 9 // empty strings indexOf("", "") // returns 0 indexOf(url.domain, "") // returns 0 indexOf(url.domain, "", 9) // returns 9 indexOf(url.domain, "", 10) // returns 10 indexOf(url.domain, "", -6) // returns 0 // missing substrings indexOf(url.domain, "z") // returns null indexOf(url.domain, "z", 9) // returns null // start position is higher than string length indexOf(url.domain, ".", 30) // returns null // null handling indexOf(null, ".", 9) // returns null indexOf(url.domain, null, 9) // returns null indexOf(url.domain, ".", null) // returns null ---- *Syntax* [source,txt] ---- indexOf(, [, ]) ---- *Parameters* ``:: + -- (Required, string or `null`) Source string. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field -- ``:: + -- (Required, string or `null`) Substring to search for. If this argument is `null` or the `` string does not contain this substring, the function returns `null`. If the `` is positive, empty strings (`""`) return the ``. Otherwise, empty strings return `0`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field -- ``:: + -- (Optional, integer or `null`) Starting position for matching. The function will not return positions before this one. Defaults to `0`. Positions are zero-indexed. Negative offsets are treated as `0`. If this argument is `null` or higher than the length of the `` string, the function returns `null`. If using a field as the argument, this parameter supports only the following <> field datatypes: * `long` * `integer` * `short` * `byte` -- *Returns:* integer or `null` ==== [discrete] [[eql-fn-length]] === `length` Returns the character length of a provided string, including whitespace and punctuation. [%collapsible] ==== *Example* [source,eql] ---- length("explorer.exe") // returns 12 length("start explorer.exe") // returns 18 length("") // returns 0 length(null) // returns null // process.name = "regsvr32.exe" length(process.name) // returns 12 ---- *Syntax* [source,txt] ---- length() ---- *Parameters* ``:: + -- (Required, string or `null`) String for which to return the character length. If `null`, the function returns `null`. Empty strings return `0`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field <> are not supported. -- *Returns:* integer or `null` ==== [discrete] [[eql-fn-match]] === `match` Returns `true` if a source string matches one or more provided regular expressions. [%collapsible] ==== *Example* [source,eql] ---- match("explorer.exe", "[a-z]*?.exe") // returns true match("explorer.exe", "[a-z]*?.exe", "[1-9]") // returns true match("explorer.exe", "[1-9]") // returns false match("explorer.exe", "") // returns false // process.name = "explorer.exe" match(process.name, "[a-z]*?.exe") // returns true match(process.name, "[a-z]*?.exe", "[1-9]") // returns true match(process.name, "[1-9]") // returns false match(process.name, "") // returns false // null handling match(null, "[a-z]*?.exe") // returns null ---- *Syntax* [source,txt] ---- match(, [, ...]) ---- *Parameters* ``:: + -- (Required, string or `null`) Source string. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field -- ``:: + -- (Required{multi-arg-ref}, string) Regular expression used to match the source string. For supported syntax, see <>. https://docs.oracle.com/javase/tutorial/essential/regex/pre_char_classes.html[Predefined character classes] are not supported. Fields are not supported as arguments. -- *Returns:* boolean or `null` ==== [discrete] [[eql-fn-startswith]] === `startsWith` Returns `true` if a source string begins with a provided substring. [%collapsible] ==== *Example* [source,eql] ---- startsWith("regsvr32.exe", "regsvr32") // returns true startsWith("regsvr32.exe", "explorer") // returns false startsWith("", "") // returns true // process.name = "regsvr32.exe" startsWith(process.name, "regsvr32") // returns true startsWith(process.name, "explorer") // returns false // process.name = "regsvr32" startsWith("regsvr32.exe", process.name) // returns true startsWith("explorer.exe", process.name) // returns false // process.name = [ "explorer.exe", "regsvr32.exe" ] startsWith(process.name, "explorer") // returns true startsWith(process.name, "regsvr32") // returns false // null handling startsWith("regsvr32.exe", null) // returns null startsWith("", null) // returns null startsWith(null, "regsvr32") // returns null startsWith(null, null) // returns null ---- *Syntax* [source,txt] ---- startsWith(, ) ---- *Parameters* ``:: + -- (Required, string or `null`) Source string. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field Fields containing <> use the first array item only. -- ``:: + -- (Required, string or `null`) Substring to search for. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field -- *Returns:* boolean or `null` ==== [discrete] [[eql-fn-string]] === `string` Converts a value to a string. [%collapsible] ==== *Example* [source,eql] ---- string(42) // returns "42" string(42.5) // returns "42.5" string("regsvr32.exe") // returns "regsvr32.exe" string(true) // returns "true" // null handling string(null) // returns null ---- *Syntax* [source,txt] ---- string() ---- *Parameters* ``:: (Required) Value to convert to a string. If `null`, the function returns `null`. + If using a field as the argument, this parameter does not support the <> field datatype. *Returns:* string or `null` ==== [discrete] [[eql-fn-stringcontains]] === `stringContains` Returns `true` if a source string contains a provided substring. [%collapsible] ==== *Example* [source,eql] ---- // process.command_line = "start regsvr32.exe" stringContains(process.command_line, "regsvr32") // returns true stringContains(process.command_line, "start ") // returns true stringContains(process.command_line, "explorer") // returns false // process.name = "regsvr32.exe" stringContains(command_line, process.name) // returns true // empty strings stringContains("", "") // returns false stringContains(process.command_line, "") // returns false // null handling stringContains(null, "regsvr32") // returns null stringContains(process.command_line, null) // returns null ---- *Syntax* [source,txt] ---- stringContains(, ) ---- *Parameters* ``:: (Required, string or `null`) Source string to search. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field ``:: (Required, string or `null`) Substring to search for. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field *Returns:* boolean or `null` ==== [discrete] [[eql-fn-substring]] === `substring` Extracts a substring from a source string at provided start and end positions. If no end position is provided, the function extracts the remaining string. [%collapsible] ==== *Example* [source,eql] ---- substring("start regsvr32.exe", 6) // returns "regsvr32.exe" substring("start regsvr32.exe", 0, 5) // returns "start" substring("start regsvr32.exe", 6, 14) // returns "regsvr32" substring("start regsvr32.exe", -4) // returns ".exe" substring("start regsvr32.exe", -4, -1) // returns ".ex" ---- *Syntax* [source,txt] ---- substring(, [, ]) ---- *Parameters* ``:: (Required, string) Source string. ``:: + -- (Required, integer) Starting position for extraction. If this position is higher than the `` position or the length of the `` string, the function returns an empty string. Positions are zero-indexed. Negative offsets are supported. -- ``:: (Optional, integer) Exclusive end position for extraction. If this position is not provided, the function returns the remaining string. + Positions are zero-indexed. Negative offsets are supported. *Returns:* string ==== [discrete] [[eql-fn-wildcard]] === `wildcard` Returns `true` if a source string matches one or more provided wildcard expressions. [%collapsible] ==== *Example* [source,eql] ---- // The two following expressions are equivalent. process.name == "*regsvr32*" or process.name == "*explorer*" wildcard(process.name, "*regsvr32*", "*explorer*") // process.name = "regsvr32.exe" wildcard(process.name, "*regsvr32*") // returns true wildcard(process.name, "*regsvr32*", "*explorer*") // returns true wildcard(process.name, "*explorer*") // returns false wildcard(process.name, "*explorer*", "*scrobj*") // returns false // empty strings wildcard("", "*start*") // returns false wildcard("", "*") // returns true wildcard("", "") // returns true // null handling wildcard(null, "*regsvr32*") // returns null wildcard(process.name, null) // returns null ---- *Syntax* [source,txt] ---- wildcard(, [, ...]) ---- *Parameters* ``:: + -- (Required, string) Source string. If `null`, the function returns `null`. If using a field as the argument, this parameter supports only the following field datatypes: * <> * <> * <> field with a <> or <> sub-field -- ``:: + -- (Required{multi-arg-ref}, string) Wildcard expression used to match the source string. If `null`, the function returns `null`. Fields are not supported as arguments. -- *Returns:* boolean ====