DSL language

Conditionals

| Conditional | Description | Usage example |
| --- | --- | --- |
| IS | Always preceded by the name of a field. Evaluates whether the content of the field is EQUAL to the specified value. The value to evaluate has to be specified inside double quotes. | port_dst IS "53" |
| IS_NOT | Always preceded by the name of a field. Evaluates whether the content of the field is NOT EQUAL to the specified value. The value to evaluate has to be specified inside double quotes. | port_dst IS_NOT "53" |
| CONTAINS | Always preceded by the name of a field. Evaluates whether the specified value is found IN the content of the field. The value to evaluate must be specified inside double quotes. | url CONTAINS "file"<br>url CONTAINS "*file"<br>url CONTAINS "file*" |
| NOT_CONTAINS | Always preceded by the name of a field. Evaluates whether the specified value is NOT found IN the content of the field. The value to evaluate must be specified inside double quotes. | |
| IS_ONE_OF | Always preceded by the name of a field. Evaluates whether the content of the field is EQUAL TO ONE of the specified values in a list. The values to evaluate must be specified between double quotes inside a list in brackets. | port_dst IS_ONE_OF ["21", "53", "445"] |
| IS_NOT_ONE_OF | Always preceded by the name of a field. Evaluates whether the content of the field is NOT EQUAL TO ANY of the specified values in a list. The values to evaluate must be specified between double quotes inside a list in brackets. | port_dst IS_NOT_ONE_OF ["21", "53", "445"] |

Boolean operators

Boolean operators concatenate two or more conditionals, so a single rule can check the values of multiple fields and combine several conditional evaluations.

A rule can contain as many Boolean operators as required, mixed in any way, with no limit on their number. AND is resolved before OR in any query.

| Boolean operator | Description | Example |
| --- | --- | --- |
| AND | Concatenates two evaluations. Result is True if both evaluations are True. Result is False if one of the evaluations is False. | port_dst IS_NOT_ONE_OF ["21", "53", "445"] AND account_type IS "admin" |
| OR | Concatenates two evaluations. Result is True if one of the evaluations is True. Result is False if both evaluations are False. | |

Parentheses and square brackets

Parentheses follow the rules of propositional logic: they prioritize the resolution of part of a rule. Everything in parentheses is resolved before the rest of the rule, so you can force certain values to be evaluated first.

Square brackets, as in many programming languages, identify a list of values that the rule must iterate over.

How to use parentheses and square brackets:

| Character | Description | Example |
| --- | --- | --- |
| [ ] | Square brackets are used to identify a list of values | port_dst IS_NOT_ONE_OF ["21", "53", "445"] AND account_type IS "admin" |
| ( ) | Parentheses are used to prioritize an operation before those that are not in parentheses | port_dst IS "21" AND (account_type IS "admin" OR account_type IS "staff") |
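The precedence rule (AND is resolved before OR, parentheses first) decides how broadly a rule matches. The following is an added example, not the product's own code: a minimal Python evaluator for the conditionals and Boolean operators on this page. It assumes straight double quotes, string-valued fields and CONTAINS as a plain substring test (the `*` forms are not modelled); `evaluate`, the rule constants and the event are hypothetical names.

```python
import re
# Token groups: 1 quoted value, 2 bracketed list, 3 parenthesis, 4 bare word.
TOKEN = re.compile(r'"([^"]*)"|\[([^\]]*)\]|([()])|([A-Za-z_]\w*)')
CONDITIONALS = {
    "IS": lambda field, v: field == v,
    "IS_NOT": lambda field, v: field != v,
    "CONTAINS": lambda field, v: v in field,  # assumption: plain substring
    "NOT_CONTAINS": lambda field, v: v not in field,
    "IS_ONE_OF": lambda field, v: field in v,
    "IS_NOT_ONE_OF": lambda field, v: field not in v,
}

def evaluate(rule, event):
    toks = [(m.lastindex, m.group(m.lastindex)) for m in TOKEN.finditer(rule)]
    toks.append((None, None))  # end-of-rule sentinel, never consumed
    def take(expect=None):  # consume next token; if `expect` given, only on match
        if expect in (None, toks[0]):
            return toks.pop(0) if len(toks) > 1 else toks[0]
    def value():  # one quoted value, or a list of quoted values
        kind, text = take()
        if kind not in (1, 2):
            raise ValueError("expected a quoted value or a [list]")
        return text if kind == 1 else re.findall(r'"([^"]*)"', text)
    def atom():  # a parenthesised sub-rule, or: field CONDITIONAL value
        if take((3, "(")):
            result = or_expr()
            if not take((3, ")")):
                raise ValueError("missing closing parenthesis")
            return result
        field, op = take()[1], take()[1]
        if op not in CONDITIONALS:
            raise ValueError(f"unknown conditional: {op!r}")
        return CONDITIONALS[op](str(event.get(field, "")), value())
    def and_expr():  # AND is resolved before OR
        result = atom()
        while take((4, "AND")):
            result = atom() and result  # right side is always parsed
        return result
    def or_expr():
        result = and_expr()
        while take((4, "OR")):
            result = and_expr() or result
        return result
    return or_expr()

# Constructed rules and event (not from a real deployment).
UNGROUPED = 'port_dst IS "21" AND account_type IS "admin" OR account_type IS "staff"'
GROUPED = 'port_dst IS "21" AND (account_type IS "admin" OR account_type IS "staff")'
STAFF_EVENT = {"port_dst": "22", "account_type": "staff"}
```

`evaluate(UNGROUPED, STAFF_EVENT)` is True while `evaluate(GROUPED, STAFF_EVENT)` is False: without parentheses, the OR branch matches every staff event regardless of port_dst.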
