Predicates¶
A predicate is a filter made of conditions formed by SP-Lang expressions.
How to write predicates¶
Before you can create a filter, you need to know the possible fields and values of the logs you are looking for. To see what fields and values your logs have, go to Discover in the TeskaLabs LogMan.io web app.
SP-Lang expressions¶
Construct the conditions of the filter from SP-Lang expressions. The filter evaluates the expressions against each incoming log; a log passes the filter only if the expressions evaluate to true for that log, meaning it meets the conditions.
You can find the full SP-Lang documentation here.
Common SP-Lang expressions:

| Expression | Meaning |
|---|---|
| `!AND` | ALL of the criteria nested under `!AND` must be met for the `!AND` to be true |
| `!OR` | At least ONE of the criteria nested under `!OR` must be met for the `!OR` to be true |
| `!EQ` | "Equal to": the two values must be equal (the field must match the value) to be true |
| `!NE` | "Not equal to": the two values must NOT be equal (the field must not match the value) to be true |
| `!IN` | Looks for a value in a set of values (`what` in `where`) |
| `!STARTSWITH` | The value of the field (`what`) must start with the specified text (`prefix`) to be true |
| `!ENDSWITH` | The value of the field (`what`) must end with the specified text (`postfix`) to be true |
| `!ITEM EVENT` | Reads a field from the content of the incoming log (`!ITEM EVENT field.name`), so the filter can access the fields and values of the log |
| `!NOT` | Is true when the expression nested under `!NOT` (following `what`) is false, and vice versa |
Conditions¶
Use this guide to structure your individual conditions correctly.

Words in parentheses () are placeholders that show where your values go. SP-Lang itself does not use parentheses.

| Filter for a log that: | SP-Lang |
|---|---|
| Has a specified value in a specified field | `!EQ` comparing `!ITEM EVENT (field)` with `(value)` |
| Has a specified field | `!IN` with `what: (field)` and `where: !EVENT` |
| Does NOT have a specified value in a specified field | `!NE` comparing `!ITEM EVENT (field)` with `(value)` |
| Has one of multiple possible values in a field | `!IN` with `what: !ITEM EVENT (field)` and `where:` the list of values, or `!OR` over one `!EQ` per value |
| Has a value that begins with a specified number or text (prefix), in a specified field | `!STARTSWITH` with `what: !ITEM EVENT (field)` and `prefix: (prefix)` |
| Has a value that ends with a specified number or text (postfix), in a specified field | `!ENDSWITH` with `what: !ITEM EVENT (field)` and `postfix: (postfix)` |
| Does NOT satisfy a condition or set of conditions | `!NOT` with `what:` the condition (or the `!AND`/`!OR` holding several conditions) |
Example¶
The numbered comments (1) to (5) mark the expressions that are explained in the list after the example.

```yaml
!AND # (1)
- !OR # (2)
  - !EQ
    - !ITEM EVENT event.dataset
    - "sophos"
  - !EQ
    - !ITEM EVENT event.dataset
    - "vmware-vcenter"
- !OR # (3)
  - !EQ
    - !ITEM EVENT event.action
    - "Authentication failed"
  - !EQ
    - !ITEM EVENT event.action
    - "failed password"
  - !EQ
    - !ITEM EVENT event.action
    - "unsuccessful login"
- !OR # (4)
  - !IN
    what: source.ip
    where: !EVENT
  - !IN
    what: user.id
    where: !EVENT
- !NOT # (5)
  what:
    !STARTSWITH
      what: !ITEM EVENT user.id
      prefix: "harry"
```

1. Every expression nested under `!AND` must be true for a log to pass through this filter.
2. In the log, in the field `event.dataset`, the value must be `sophos` or `vmware-vcenter` for this `!OR` to be true.
3. In the log, in the field `event.action`, the value must be `Authentication failed`, `failed password`, or `unsuccessful login` for this `!OR` to be true.
4. The log must contain the field `source.ip` or the field `user.id` for this `!OR` to be true.
5. In the log, the field `user.id` must not begin with `harry` for this `!NOT` to be true.
This filters for logs that:

- have the value `sophos` or `vmware-vcenter` in the field `event.dataset`, AND
- have the value `Authentication failed`, `failed password`, or `unsuccessful login` in the field `event.action`, AND
- include at least one of the fields `source.ip` or `user.id`, AND
- do not have a value that begins with `harry` in the field `user.id`.
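To make the semantics of the expression table and of the example predicate concrete, here is a small evaluator, added for this page and not part of LogMan.io or its SP-Lang engine. It handles only the expressions listed above, written as `("!TAG", payload)` tuples that mirror the YAML, and runs the example predicate over a handful of constructed log events. Its behaviour on edge cases is a set of assumptions of this toy, not documented SP-Lang behaviour: events are flat dicts keyed by the dotted field name, a missing field reads as `None` (so `!STARTSWITH` on a missing `user.id` is false and the `!NOT` around it becomes true), and `!EQ`/`!NE` compare exactly and case-sensitively. The `item` helper, `PREDICATE`, `SAMPLE_EVENTS` and `matching` are names chosen for this example.

```python
"""Toy evaluator for the SP-Lang predicate subset shown on this page.

Added illustration, not LogMan.io's own SP-Lang engine. Expressions mirror the
YAML as ("!TAG", payload) tuples; a bare value is a literal. Assumptions of
this toy: events are flat dicts keyed by dotted field name ("event.dataset"),
a missing field reads as None, and !EQ/!NE compare exactly (case-sensitive).
"""
from typing import Any, Mapping


def item(path: str) -> tuple:
    """Build the tuple form of `!ITEM EVENT <path>`."""
    return ("!ITEM", f"EVENT {path}")


def evaluate(expr: Any, event: Mapping[str, Any]) -> Any:
    """Evaluate one expression against one log event and return its value."""
    if not (isinstance(expr, tuple) and expr and isinstance(expr[0], str) and expr[0].startswith("!")):
        return expr  # literal such as "sophos" or "source.ip"
    tag = expr[0]
    payload = expr[1] if len(expr) > 1 else None

    def ev(sub: Any) -> Any:
        return evaluate(sub, event)

    if tag == "!EVENT":                     # the whole log, used as `where:` for field-presence checks
        return event
    if tag == "!ITEM":                      # payload is "EVENT <field>"
        scope, path = payload.split(" ", 1)
        if scope != "EVENT":
            raise ValueError(f"only !ITEM EVENT is supported here, got {scope!r}")
        return event.get(path)              # missing field -> None (toy assumption)
    if tag == "!AND":
        return all(ev(sub) for sub in payload)
    if tag == "!OR":
        return any(ev(sub) for sub in payload)
    if tag == "!EQ":
        left, right = payload
        return ev(left) == ev(right)
    if tag == "!NE":
        left, right = payload
        return ev(left) != ev(right)
    if tag == "!IN":                        # `what` in `where`; `where` is a list of values or the event itself
        what, where = ev(payload["what"]), ev(payload["where"])
        return where is not None and what in where
    if tag == "!STARTSWITH":
        what = ev(payload["what"])
        return isinstance(what, str) and what.startswith(ev(payload["prefix"]))
    if tag == "!ENDSWITH":
        what = ev(payload["what"])
        return isinstance(what, str) and what.endswith(ev(payload["postfix"]))
    if tag == "!NOT":
        return not ev(payload["what"])
    raise ValueError(f"unsupported expression {tag}")


# The page's example predicate, transcribed into the tuple form.
PREDICATE = ("!AND", [
    ("!OR", [("!EQ", [item("event.dataset"), "sophos"]),
             ("!EQ", [item("event.dataset"), "vmware-vcenter"])]),
    ("!OR", [("!EQ", [item("event.action"), "Authentication failed"]),
             ("!EQ", [item("event.action"), "failed password"]),
             ("!EQ", [item("event.action"), "unsuccessful login"])]),
    ("!OR", [("!IN", {"what": "source.ip", "where": ("!EVENT",)}),
             ("!IN", {"what": "user.id", "where": ("!EVENT",)})]),
    ("!NOT", {"what": ("!STARTSWITH", {"what": item("user.id"), "prefix": "harry"})}),
])

# Constructed sample logs (not real data); "id" is only a label for the output.
SAMPLE_EVENTS = [
    {"id": "e1", "event.dataset": "sophos", "event.action": "Authentication failed",
     "source.ip": "10.0.0.5", "user.id": "alice"},                        # passes
    {"id": "e2", "event.dataset": "vmware-vcenter", "event.action": "failed password",
     "user.id": "harry.potter"},                                           # (5) fails: user.id starts with "harry"
    {"id": "e3", "event.dataset": "sophos", "event.action": "Authentication failed"},  # (4) fails: neither field present
    {"id": "e4", "event.dataset": "cisco-asa", "event.action": "Authentication failed",
     "source.ip": "10.0.0.9"},                                             # (2) fails: dataset not listed
    {"id": "e5", "event.dataset": "vmware-vcenter", "event.action": "unsuccessful login",
     "source.ip": "192.0.2.7"},                                            # passes: no user.id, so (5) is true in this toy
    {"id": "e6", "event.dataset": "sophos", "event.action": "Authentication Failed",
     "source.ip": "10.0.0.5", "user.id": "bob"},                           # (3) fails: !EQ is case-sensitive in this toy
]


def matching(events, predicate=PREDICATE) -> list:
    """Return the ids of the events that pass the predicate."""
    return [e["id"] for e in events if evaluate(predicate, e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "pass" if evaluate(PREDICATE, e) else "drop")
```

Running it shows `e1` and `e5` passing. Event `e5` is the one worth a second look when writing a real rule: it has no `user.id` at all, so the "must not begin with harry" condition cannot exclude it. Whether the production engine treats a missing field the same way is not something this page states, so check it in Discover against real data before relying on a negative condition over an optional field.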
For more ideas and formatting tips, see this example in the context of a detection rule, including details about the predicate section.