Simple Detection Match Expression Reference
Construct match expressions to define logic
Last updated
Was this helpful?
Construct match expressions to define logic
Last updated
Was this helpful?
A match expression is a conditional logic expression, defined in YAML, that will return true or false. Match expressions are used various places, for example:
In the key of a Simple Detection written in YAML
In the key of a Python or Simple Detection
In the Expressions key of a (effectively creating match expressions within a match expression)
In the Conditions key of the key of a Simple Detection
There are seven , with varying structures. You can group match expressions using to form complex conditions.
You can use enrichment in Simple Detections with .
Match expressions work roughly the following way:
A key from an incoming event is identified with a
A is provided, which describes the nature of the check
A (or list of values) is provided to compare against
(There are exceptions to this pattern, where zero or multiple event keys are identified for comparison, or no value is needed.)
There are seven types of match expressions, each with a unique syntax or structure.
The match expression examples in the following sections refer to this JSON event:
Key/value match expressions compare the value of a certain event key to a given value.
Example:
Key/values match expressions evaluate whether some event value is a member in a given list.
Example:
Multi-key match expressions allow you to compare the values of two event keys. You can form a multi-key match expression by including a Condition and list of Values that contains two event keys.
A list comprehension match expression takes a key with a list value, and, for each item in the list, evaluates it against a list of match expressions. The list of match expressions is stored under the Expressions key.
For list comprehension match expressions, four values for Condition are valid:
AnyElement
AllElements
OnlyOneElement
NoElement
Example using AnyElement:
Within the Expressions key, you can add either:
Nested list comprehension match expressions. Each level of nesting can only contain one list comprehension match expression. This structure effectively creates nested for loops. The innermost list comprehension can have as many match expressions as you like, so long as they are not list comprehension match expressions. Example:
Any combination of match expressions that are not list comprehension match expressions. Example:
An existence match expression determines whether a specific key matches a specified existence condition.
Example:
In certain cases, you may want a match expression to always evaluate to True or False. You can do this by creating a match expression that simply contains a Condition key set to AlwaysTrue or AlwaysFalse.
To create an enrichment match expression, include an Enrichment key. The contents of Enrichment indicate the path to the event key on which to build the condition. Within Enrichment, include the following fields:
Table: The name of the Lookup Table, Enrichment Provider table, or Identity Provider Profile table.
These names are user-defined in the case of Lookup Tables, and Panther-defined in the case of Enrichment Providers and Identity Provider Profiles.
FieldPath: The name of any one of the event fields within the Selector field. This key takes JSON path notation, meaning you can denote nested fields, if needed.
Combinators are YAML keys that describe the relationship between match expressions or groups of match expressions. There are four combinators: All, Any, OnlyOne, and None.
If more than one match expression is provided directly under a key that takes match expressions (e.g., Detection, InlineFilters or Expressions), and no combinator is specified, All is assumed.
All
Logical AND
All match expressions in the list evaluate to true. The first failing match ends evaluation of the list.
Any
Logical OR
Any single match expression in the list evaluates to true. The first true match ends evaluation of the list.
OnlyOne
Logical XOR
Only one single match expression in the list evaluates to true.
None
Logical NOT AND
No match expression in the list evaluates to true.
Example of one level of nesting using OnlyOne:
Example of multiple levels of nesting using Any and All:
Key specifiers are a group of YAML keys that allow you to indicate a certain key in your log event JSON. There are three key specifiers: Key, DeepKey, and KeyPath.
If the event property provided as the value of the key specifier does not exist, evaluation of the match expression stops and returns false.
KeyKey lets you access a top-level event property. Example:
DeepKeyDeepKey lets you access a nested event property. DeepKey accepts a list. You can also use DeepKey to access elements of an array when you know the absolute index.
Example using DeepKey, which accesses the deep field foo.bar.baz, then indexes on an array index 2:
KeyPathKeyPath lets you access:
A top-level field
A nested field, using:
Subfield indexing (.)
Additional JSON path features are not supported.
Example:
ConditionExists
Any
Checks if the key specified exists.
Existence, Enrichment
DoesNotExist
Any
Checks if the key specified does not exist.
Existence, Enrichment
IsNull
Any
Checks if the key is null - e.g. {"key": null}
Existence, Enrichment
IsNotNull
Any
Checks if the key is not null - e.g. {"key": 1234}
Existence, Enrichment
IsNullOrEmpty
Any
Checks if the key is null or has an non-empty value. Empty values include: empty list ([]), empty string "", and the number 0.
Existence, Enrichment
IsNotNullOrEmpty
Any
Checks if the key is not null or has a non-empty value. Empty values include: empty list ([]), empty string "", and the number 0.
Existence, Enrichment
Equals
Any
Checks if a key’s value is equal to a specified value.
Key/value, Multi-key, Enrichment
DoesNotEqual
Any
Checks if a key’s value is not equal to a specified value.
Key/value, Multi-key, Enrichment
IEquals
String
Checks if a key’s string value is equal to a specified string, case insensitive.
Key/value, Multi-key, Enrichment
IDoesNotEqual
String
Checks if a key’s string value is not equal to a specified string, case insensitive.
Key/value, Multi-key, Enrichment
StartsWith
String
Checks if a key’s string value starts with a specified value. If the key is not a string, returns false.
Key/value, Multi-key, Enrichment
IStartsWith
String
Checks if a key’s string value starts with a specified value, case insensitive. If the key is not a string, returns false.
Key/value, Multi-key, Enrichment
DoesNotStartWith
String
Checks if a key’s string value does not start with a specified value. If they key is not a string, returns false.
Key/value, Multi-key, Enrichment
IDoesNotStartWith
String
Checks if a key’s string value does not start with a specified value, case insensitive. If they key is not a string, returns false.
Key/value, Multi-key, Enrichment
EndsWith
String
Checks if a key’s string value ends with a specified value. If the key is not a string, returns false.
Key/value, Multi-key, Enrichment
IEndsWith
String
Checks if a key’s string value ends with a specified value, case insensitive. If the key is not a string, returns false.
Key/value, Multi-key, Enrichment
DoesNotEndWith
String
Checks if a key’s string value does not end with a specified value. If they key is not a string, returns false.
Key/value, Multi-key, Enrichment
IDoesNotEndWith
String
Checks if a key’s string value does not end with a specified value, case insensitive. If they key is not a string, returns false.
Key/value, Multi-key, Enrichment
Contains
String or List
Checks if a key’s string value contains a specified value. If the key is not a string, returns false. OR Checks if an array of string(case sensitive)/int/float/bool contains a value.
Key/value, Multi-key, Enrichment
IContains
String
Checks if a key’s string value contains a specified value, case insensitive. If the key is not a string, returns false.
Key/value, Multi-key, Enrichment
DoesNotContain
String or List
Checks if a key’s string value does not contain a specified value. If they key is not a string, returns false. OR Checks if an array of string(case sensitive)/int/float/bool does not contains a value.
Key/value, Multi-key, Enrichment
IDoesNotContain
String
Checks if a key’s string value does not contain a specified value, case insensitive. If they key is not a string, returns false.
Key/value, Multi-key, Enrichment
IsIPAddress
String or Int
Checks if a key’s string or int value can be resolved into an IP Address. Functionally equivalent to ANY(IsIPv4Address, IsIPv6Address)
Key Existence Match, Enrichment
IsIPv4Address
String or Int
Checks if a key’s string or int value can be resolved into an IPv4 Address.
Key Existence Match, Enrichment
IsIPv6Address
String or Int
Checks if a key’s string or int value can be resolved into an IPv6 Address.
Key Existence Match, Enrichment
IsIPAddressPrivate
String or Int
Checks if a key’s string or int value can be resolved into a private IP Address.
Key Existence Match, Enrichment
IsIPAddressPublic
String or Int
Checks if a key’s string or int value can be resolved into a public IP Address.
Key Existence Match, Enrichment
IsIPAddressInCIDR
String or Int
Checks if a key’s string or int value rendered as an IP address is inside a CIDR range.
Key/value, Multi-key, Enrichment
IsIPAddressNotInCIDR
String or Int
Checks if a key’s string or int value rendered as an IP address is not inside a CIDR range.
Key/value, Multi-key, Enrichment
CIDRContainsIPAddresses
List of IP’s as Strings
Checks if a key’s string value rendered as a CIDR range contains a specified IP address.
Key/value, Multi-key, Enrichment
CIDRDoesNotContainIPAddresses
List of IP’s as Strings
Checks if a key’s value interpreted a list of IP addresses is in specified CIDR range
Key/value, Multi-key, Enrichment
IsGreaterThan
Int or Float
Check if key’s value is greater than specified value.
Key/value, Multi-key, Enrichment
IsGreaterThanOrEqual
Int or Float
Check if key’s value is greater than or equal to specified value.
Key/value, Multi-key, Enrichment
IsLessThan
Int or Float
Check if key’s value is less than specified value.
Key/value, Multi-key, Enrichment
IsLessThanOrEqual
Int or Float
Check if key’s value is less than or equal to specified value.
Key/value, Multi-key, Enrichment
IsIn
Scalar
List
Evaluate if the value of the specified key is a member of the list.
Key/values, Enrichment
IsNotIn
Scalar
List
Evaluate if the value of the specified key is not a member of the list.
Key/values, Enrichment
AnyElement
List
Evaluate if the list of values from the specified key matches any expression in a list of match conditions.
List comprehension
AllElements
List
Evaluate if the list of values from the specified key matches all expressions in a list of match conditions.
List comprehension
OnlyOneElement
List
Evaluate if the list of values from the specified key only has a single element that matches a list of match conditions.
List comprehension
NoElement
List
Evaluate if the list of values from the specified key does not match all expressions in the list of match conditions.
List comprehension
Value(s)Values for the Value and Values keys can have one of the following four data types:
Integer
Float
Boolean
String
Integers, floats, and booleans should not be enclosed in quotation marks. Strings can be enclosed in quotation marks, but do not have to be.
See examples of how differently formatted Value values will evaluate below:
In each example match expression below, a single is used to identify the event key(s), however any of the key specifiers (e.g., Key, DeepKey or KeyPath) can be used in most cases.
You can see all allowed values of Condition in the , where the "Applicable Match Expressions" column includes "Key/value."
The only permitted Condition values for key/values match expressions are IsIn and IsNotIn, visible in the .
Multi-key match expressions cannot be viewed and edited in the Simple Detection builder in the Panther Console, nor can they be used in Inline Filters. See a full list of , and .
See all allowed values of Condition in the , where the "Applicable Match Expressions" column includes "Multi-key."
List comprehension match expressions cannot be viewed and edited in the Simple Detection builder in the Panther Console, nor can they be used in Inline Filters. See a full list of , and .
Learn more about these Condition values in the
See all allowed values of Condition in the , where the "Applicable Match Expressions" column includes "Existence."
Absolute match expressions cannot be viewed and edited in the Simple Detection builder in the Panther Console, nor can they be used in Inline Filters. See a full list of , and .
Enrichment match expressions cannot be viewed and edited in the Simple Detection builder in the Panther Console, nor can they be used in Inline Filters. See a full list of , and .
Enrichment match expressions are only used to interact with a JSON event's p_enrichment struct, which is present if there is a match on a , , or .
Selector: The name of the from the incoming log.
Once you have defined Enrichment and its sub-fields, the rest of the match expression can be modeled after the structure of any of the other match expression types—except for (these expressions are not supported for use with enrichment) and (these expressions do not reference any event values).
For example, the enrichment match expression below—which includes Condition and Value keys—resembles a match expression:
The OnlyOne and None combinators cannot be viewed and edited in the Simple Detection builder in the Panther Console, nor can they be used in Inline Filters. See a full list of , and .
When writing Simple Detections in the CLI workflow, there is no limit on the number of nested levels you can create with combinators. (In the in the Panther Console, there is a three-level limit.) Note that if match expressions are nested more than three levels deep when working locally, the Panther Console will not render them in the Simple Detection builder—they will only be viewable in raw YAML.
Array indexing: Use [*] for a wildcard across the array or [x] for specific indices. .
There are various types of Condition values you can choose from, including , , and groupings.
Certain Condition values cannot be viewed and edited in the Simple Detection builder in the Panther Console, nor can they be used in Inline Filters. See a full list of , and .
Use scalar matching conditions alongside the Value key (not Values). The match expression's can reference a list or a single value, but Value must be singular.
Use list matching conditions alongside Values (not Value). The match expression's can reference a single value or a list, but Values must reference a list.
List comprehension conditions can only be used within .