REL (Rule Expression Language) is used for defining rules that generate alerts. REL
is also used for filtering events.
The result of expression evaluation is usually a Boolean value, or is converted to
such a value. This value determines whether a specific alert is generated or message
is filtered. The parameters of a REL expression are InTrust events.
Expressions are evaluated left to right. Words are separated by white spaces, tabs and carriage returns. There are six types of words in REL:
ID
Name of an argument, field or function. An ID can include alphanumeric characters and the underscore character (_), but cannot begin with a number. IDs are case-sensitive.
String constant
Enclosed in single or double quotes. Use the backslash escape character (\) to specify quotes (as in "quoted text: \"some text\"") or the backslash character itself (as in "domain\\user"). String constants, like expressions, use the encoding of the current locale (depending on implementation). String values of fields are converted to the local encoding when they are processed.
Numeric constant
Begins with a number or a negative sign (-). If a numeric constant begins with "0x", it is interpreted as a hexadecimal value with characters representing the number bitwise (including the sign bit). All numeric constants are signed 32-bit integers.
Boolean constant
True or false.
Operator
The following operators are used:
+ - * / % > >= < <=
= != () | & << >> ? :
. [] or and not
Auxiliary character
Characters that are part of expression language syntax, such as parentheses, curly braces, and the function definition character.
expression ::= +(token)
token ::= [*space] (identifier | string | number | boolean | operator | special) [*space]
space ::= " " | "\t" | "\n"
identifier ::= (alpha | "_") *(alpha | numeric | "_")
string ::= single_quoted | double_quoted
single_quoted ::= "’" *(char | ’r;"’ | "\’" | "\\") "’"
double_quoted ::= ’r;"’ *(char | "’" | ’r;\"’ | "\\") ’r;"’
char ::= 0x00 | …… | 0xFF ; all characters except ’r; " \
number ::= (["-"] +numeric) | ("0x" +hex)
boolean ::= "true" | "false"
operator ::= plus | minus | multiply | divide | modulus | greater | greater_equal | less | less_equal | equal | inequal | bit_or | bit_and | bit_xor | shift_left | shift_right | not | or | and | conditional | selection | field_selection | open_sq | close_sq
plus ::= "+"
minus ::= "-"
multiply ::= "*"
divide ::= "/"
modulus ::= "%"
greater ::= ">"
greater_equal ::= ">="
less ::= "<"
less_equal ::= "<="
equal ::= "="
inequal ::= "!="
bit_or ::= "|"
bit_and ::= "&"
bit_xor ::= "^"
shift_left ::= "<<"
shift_right ::= ">>"
not ::= "not"
or ::= "or"
and ::= "and"
conditional ::= "?"
selection ::= ":"
field_selection ::= "."
open_sq ::= "["
close_sq ::= "]"
symbol ::= open_br | close_br | comma | definition | open_cr | close_cr
open_br ::= "("
close_br ::= ")"
comma ::= ","
definition ::= ":="
open_cr ::= "{"
close_cr ::= "}"
Formal Language Syntax
REL_expression ::= *(function_definition) expression
function_definition ::= "def" identifier open_br [ argument_def_list ] close_br definition open_cr expression close_cr
argument_def_list ::= argument_def *(comma argument_def)
argument_def ::= identifier [ equal expression ]
primary_expression ::= constant | identifier | function |
(open_br expression close_br)
constant ::= string | number | boolean
function ::= identifier open_br [argument_list] close_br
argument_list ::= expression *(comma expression)
operator_indexing ::= primary_expression |
operator_indexing field_selection identifier |
operator_indexing open_sq expression close_sq
operator_unary ::= primary_expression |
(minus | not) primary_expression
operator_multiply ::= operator_unary |
operator_multiply (multiply | divide | modulus) operator_unary_minus
operator_add ::= operator_multiply |
operator_add (plus | minus) operator_multiply
operator_shift ::= operator_add |
operator_shift (shift_left | shift_right) operator_add
operator_bit_and ::= operator_shift |
operator_bit_and bit_and operator_shift
operator_bit_xor ::= operator_bit_and |
operator_bit_xor bit_xor operator_bit_and
operator_bit_or ::= operator_bit_xor |
operator_bit_or bit_or operator_bit_xor
operator_compare ::= operator_bit_or |
operator_compare (greater | greater_equal | less | less_equal) operator_bit_or
operator_equal ::= operator_compare |
operator_equal (equal | inequal) operator_compare
operator_and ::= operator_equal | operator_and and operator_equal
operator_or ::= operator_and | operator_or or operator_and
operator_conditional ::= operator_or |
operator_or conditional expression selection expression
expression ::= operator_conditional
In REL-based event filters, there must be no semicolon at the end of the expression. In rules, the semicolon is required.
An expression is a basic language entity. An expression has a value and a type. It consists of constants, events and event fields, and also operators and function calls required for calculations.
Expression examples:
5
A+B
Source
Count<5
strstr(Description, "found")
string
number
boolean
empty
message (event)
array
Use brackets to specify the array element you want to access. The first element of an array has an index of 0.
Arrays can include other arrays. For example, it is possible to return an array of field arrays to denote a set of fields each of which has a set of auxiliary fields.
If you go outside the scope of an array, the returned value is empty (an empty field or a message without fields). Arrays can also be empty; in this case, getting any element of the array returns an empty value.
REL does not have strong typing. All expression values are converted to other types as necessary, according to the rules described further on.
Strings to numbers
Characters are interpreted as a number. If the expression begins with "0x", the remaining characters are interpreted as a hexadecimal representation of a number. If the string does not represent a number, zero is returned.
Numbers to strings
A number is converted to its decimal representation without leading spaces or zeros.
Booleans to strings and numbers
Boolean values are converted to the strings "true" and "false", and to the numbers 1 and 0, respectively.
Numbers to Booleans
False if the number is 0, and true otherwise.
Strings to Booleans
False if the string is empty.
Wherever an array is required, a simple value can substitute it, and the reverse is also true. Conversions are made according to the following rules:
Simple value to array
A message is converted to a message array with a single element. A field is converted to a field array with a single element.
Array to simple value
The first element of the array is returned. In multi-dimensional arrays, this rule is applied recursively multiple times and returns the element which is the first at all nesting levels.
Empty is a special type used to represent undefined values.
Conversion of empties
Empty to number
0 is returned.
Empty to string
Empty string (same as "").
Empty to Boolean
False.
Empty to array
Array with one element (empty).
An event is an implicit parameter in a REL expression. Event fields are accessed by name. Example:
EventID = 100
If an event or event array is returned by a function, you can access its fields using the "." operator. Example:
previous_lim(Z.EventID=100, "1:00:00").String1
select(Z.EventID=100, "1:00:00")[0].String1
If the specified field is not found, a value of the "empty" type is returned.
The "." operator can be applied to an event array. In this case, the result is an array of values of the specified field. The size of this array is equal to the size of the event array. Example:
select(Z.EventID=100, "1:00:00")._LocalTime
An event cannot be converted to a simple (scalar) type or an array. This operation returns an empty.
The asterisk character (*) is a special case of field name. This field contains an array of the string values of all message fields.
REL (Rule Expression Language) is used for defining rules that generate alerts. REL
is also used for filtering events.
The result of expression evaluation is usually a Boolean value, or is converted to
such a value. This value determines whether a specific alert is generated or message
is filtered. The parameters of a REL expression are InTrust events.
© ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center