Field operators

Field operators are the logical pieces of a rule that allow Aurora Focus to compare two values. If there are two or more operands, and they match the comparison criteria, Aurora Focus considers that portion of the defined function to be complete. When all pieces of the function are complete, the state is satisfied.

The field operators field is an object that consists of one or more conditional objects. These conditional objects can be set to any value; however, they must match the same conditional values that are referenced in the function field. Arctic Wolf recommends that these names are kept to simple and logical values, such as numbers or letters.

Field operator

Description

Base64Encoding

Base64

This field operator tokenizes a string and determines if any of the tokens match an operand. It also attempts to determine the type of string encoding (ASCII, UTF-7, UTF-8, UTF-16-LE, UTF-16-BE, UTF-32-LE, or UTF-32-BE). Without a BOM, the operator can reliably detect only UTF-8, UTF-16-LE, and UTF-16-BE. If all detections fail, the operator will default to the system's default code page.

Postive: powershell.exe -ex bypass -e "ZwBlAHQALQBwAHIAbwBjAGUAcwBzAA==" equals ("get-process", )

Negative: powershell.exe -ex bypass "ZwBlAHQALQBhAGwAaQBhAHMA" does not contain ("get-process", )

ContainsAll

This field operator determines if the specified operand contains all of the operands from a set.

Positive: "hello, I am a string" contains all from ("ello", "ng")

Negative: "hello, I am a string" does not contain all from ("hi", "ng")

ContainsAllWords

This field operator determines if the specified operand contains all of the operands from a set, where each set operand must appear as a whole word surrounded by white space, punctuation, or end or beginning string markers.

Positive: "hello, I am a string" contains all words from ("hello", "a", "string")

Negative: "hello, I am a string" does not contain all words from ("ello", "ng")

ContainsAny

Contains

This field operator determines if the specified operand contains any of the operands from a set.

Positive: "hello, I am a string" contains any from ("ello", "banana")

Negative: "hello, I am a string" does not contain any from ("hi", "banana")

ContainsAnyWord

ContainsWord

This field operator determines if the specified operand contains any of the operands from a set, where each set operand would have to appear as a whole word surrounded by white space, punctuation, or end or beginning string markers.

Positive: "hello, I am a string" contains any words from ("hello", "banana")

Negative: "hello, I am a string" does not contain any words from ("ello", "ng")

DamerauLevenshteinDistance

DLDistance

This field operator determines if the distance (the number of changes needed to turn one operand into another operand) is within an acceptable range, but allows for the transposition of adjacent symbols.

Positive: "cat" is within a Damerau-Levenshtein Distance of 1 from "bat"

Positive: "hello" is within a Damerau-Levenshtein Distance of 2 from "bell"

Positive: "ca" is within a Damerau-Levenshtein Distance of 3 from "abc"

Negative: "cart" is not within a Damerau-Levenshtein Distance of 1 from "act"

DiceCoefficient

Dice

This field operator determines the similarity between two sets or strings by the number of common bigrams (a pair of adjacent letters in the string). It determines if the result of the comparison falls between the "mincoefficient" and "maxcoefficient".

For example, comparing the process name "Test.exe" with "Tes.exe" would return 0.76923076923076927.

With "round" set to 2:

Positive: min: 0.5 < 0.77 < 0.8 max; not inclusive

Positive: min: 0.77 <= 0.77 <= 0.77 max; inclusive

Negative: min: 0.8 < 0.77 < 0.85 max; not inclusive

The "round" option will round the decimal place to the specified integer. For example, if "round" is set to 2, .6666666667 becomes .67.

EndsWithAny

EndsWith

This field operator determines if the specified left operand ends with the specified right operand.

Positive: "hello, I am a string" ends with "ring"

Negative: "hello, I am a string" does not end with "bring"

EqualsAny

Equals

This field operator determines if the specified operand equals exactly any of the operands from a set, where each set operand would have to appear as a number or a whole word surrounded by white space, punctuation, or end or beginning string markers.

Positive: 10 equals any from (10, 20, 30)

Positive: "hello" equals any from ("hello", "banana")

Negative: 100 does not equal any from (10, 20, 30)

Negative: "hello" does not equal any from ("ello", "ng")

GreaterThan

This field operator determines if the specified left operand is greater than the specified right operand.

Positive: 14.4 is greater than 10.1

Negative: 1 is not greater than 1000

GreaterThanOrEquals

This field operator determines if the specified left operand is greater than or equal to the specified right operand.

Positive: 14.4 is greater than or equal to 10.1

Negative: 1 is not greater than or equal to 1000

HammingDistance

This field operator determines the distance between two strings of equal length, which is the number of positions at which the corresponding symbols are different. It measures the minimum number of substitutions required to change one string into the other.

Positive: "cat" is within a Hamming Distance of 1 from "bat"
  • cat → bat(1)
Positive: "hello" is within a Hamming Distance of 2 from "bell"
  • hello → bello(1) → bell(2)
Positive: "ca" is within a Hamming Distance of 3 from "abc"
  • ca → aa(1) → ab(2) → abc(3)
Negative: "cart" is not within a Hamming Distance of 4 from "act"
  • cart → aart(1) → acrt(2) → actt(3) → act(4)

HexEncoding

This field operator tokenizes a string and determines if any of the tokens match an operand. It also attempts to determine the type of string encoding (ASCII, UTF-7, UTF-8, UTF-16-LE, UTF-16-BE, UTF-32-LE, UTF-32-BE). Without a BOM, it can reliably detect only UTF-8, UTF-16-LE, and UTF-16-BE. If all detections fail, the operand will default to the system's default code page.

Positive: "74657374" contains "test"

Negative: "696e76616c6964" does not contain "test"

InRange

This field operator determines if the specified middle operand is between the left and right operands.

Positive: 10 is between 1 and 20

Positive: 5.3 is between 5.3 and 20.1 (inclusive)

Negative: 4 is not between 5 and 10

Negative: 20 is not between 20 and 40 (exclusive)

IpIsInRange

IpRange

This field operator determines if the TargetNetworkConnection address (SourceAddress, DestinationAddress) is within the specified "min" and "max" options.

Allowed Operands are:

JSON 
{
    "Source": "TargetNetworkConnection",
    "Data": "SourceAddress"
}

And:

JSON 
{
    "Source": "TargetNetworkConnection",
    "Data": "DestinationAddress"
}

Example:

JSON 
"FieldOperators": {
    "a": {
        "Type": "IpIsInRange",
        "OperandType": "IPAddres",
        "Options": {
            "min": "123.45.67.89",
            "max": "123.45.67.255"
        },
        "Operands": [
            {
                "Source": "TargetNetworkConnection",
                "Data": "DestAddr"
            }
        ]
    }
}

Include the following filters object with the above example to output the network traffic:

JSON 
"Filters": [
    {
        "Type": "Event",
        "Data": {
            "Category": "Network",
            "SubCategory": "*",
            "Type": "Connect"
        }
    }
]

IsFlagSet

This field operator checks if a bit or bits in a bitmask are set. It can use base-10 or base-16 (using the "0x" prefix) for the comparison value.

Positive: 0x10 is set for 0x4111

Positive: 3 is set for 0x7

Negative: 0x3 is not set for 0x4

Negative: 2 is not set for 0x5

IsHomoglyph

This field operator determines if the left operand is a homoglyph of the right operand. For example, a US Latin 1 "e" and a French "e" appear to be the same character and have the same meaning, but they have different values.

Positive: "3xplor3" is a homoglyph of "explore" with 100% certainty

Positive: "3xplord" is a homoglyph of "explore" with 90% certainty

Negative: "temp" is not a homoglyph of "temp" because these are the same string

Negative: "431" is not a homoglyph of "big" because these share no transitive characteristics

IsNullOrEmpty

This field operator determines if the specified operand is null or empty.

Positive: <null> is null or empty

Positive: "" is null or empty

Positive: " " is null or empty

Negative: "Hello" is not null or empty

IsPopulated

Exists

HasContent

This field operator determines if the specified operand is not null or empty.

Positive: "Hello" is not null or empty

Negative: <null> is null or empty

Negative: "" is null or empty

Negative: " " is null or empty

IsTrue

This field operator determines if the specified value is true.

Positive: TriState.True

Negative: TriState.False

Negative: TriState.Unknown

LessThan

This field operator determines if the specified left operand is less than the specified right operand.

Positive: 4.4 is less than 10.1

Negative: 1000 is not less than 1

LessThanOrEquals

This field operator determines if the specified left operand is less than or equal to the specified right operand.

Positive: 4.4 is less than or equal to 10.1

Positive: 14 is less than or equal to 14

Negative: 1000 is not less than or equal to 1

LevenshteinDistance

This field operator determines if the distance, the number of changes needed to turn one operand into another operand, is within an acceptable range.

Positive: "cat" is within a Levenshtein Distance of 1 from "bat"

Positive: "hello" is within a Levenshtein Distance of 3 from "bell"

Negative: "cart" is not within a Levenshtein Distance of 1 from "act"

LongestCommonSubsequence

This field operator compares a fixed left operand with a set of right operands and determines the longest subsequence in each comparison. It compares the result count to min and max values to determine if the result is within an acceptable range.

Comparing "aggtab" and "gxtxayb":

Positive: "gtab" is the longest sequence. If the min is 1 and max is 10, this falls within an acceptable range.

Negative: Using the previous example, if the min was 5 and the max was 10, this would not fall within an acceptable range.

LongestCommonSubstring

This field operator compares the left and right operands and returns a count of the longest found substring.

Comparing "ababc" and "abcdaba":

Positive: "aba" and "abc" are two results of the same size in "abcdaba" and would return the longest substring as 3.

Negative: If the mindistance and the maxdistance was set to 4, this would be larger than the longest substring found.

Comparing "ababcd" and "abcdaba":

Postive: "abcd" is the longest substring found.

MatchOnFilter

NoOp

This field operator indicates that no operations are being performed and that the state simply matches if the filter finds a corresponding event.

RegexMatches

This field operator determines if the specified operand conforms to a regular expression.

Positive: "hello, I am a string" conforms to "^hello, [Ii] am [aA] string$"

Negative: "hello, I am a string" does not conform to "^[hi|hey], I am a string$"

ShannonEntropy

This field operator determines the measure of unpredictability of state, or its average information content when comparing a single operand.

Postive: "abc" calculates to 1.5849625007211561 and falls within the range of 1.55 and 1.6.

Negative: "Z2V0LXByb2Nlc3M=" calculates to 3.875 and does not fall within the range of 1.55 and 1.6.

StartsWithAny

StartsWith

This field operator determines if the specified left operand starts with the specified right operand.

Positive: "hello, I am a string" starts with "hello, I"

Negative: "hello, I am a string" does not start with "help"