Building Rules with CEL Expressions and JSON Files
Some Verosint signals (such as account.asoCount.last24hours) require using Shopify's Liquid language and Google’s Common Expression Language (CEL) to build expressions.
CEL works well with JSON data. Rules can be created, imported, and exported as JSON files. For more information about how these languages work together, see JSON to CEL mapping.
The following custom functions are provided to help build rules.
| Function | Description | Arguments | Examples |
|---|---|---|---|
| contains(substring) | Determines whether the string contains the substring | A substring, or a signal with an substring value | ”LinkedIn Breach”.contains(“LinkedIn”) ip.aso.contains(“Comcast”) |
| daysSince(timestamp) | Determines the number of days since the given date and time | A timestamp, or a signal with an timestamp value | daySince(timestamp(“2023-05-01T10:00:20.021-05:00”)) > 10 daysSince(email.breachInfo.mostRecentBreachDate) > 180 |
| endsWith(string) | Determines whether the string ends with the suffix | A string, or a signal with an string value | userAgent.os.name.endsWith(“test”) |
| has(signal) | Determines the presence of a signal | A signal name | has(ip.tor) |
| isInRange(addr) | Determines if the IP is in the provided CIDR range/block. Supports IPv4 and IPv6. | An addr, or a signal with an addr value | ip.isInRange('204.77.8.0/23') |
| isWithin(latitude, longitude, radius) | Determines if the IP geolocation is within a pre-defined area (also referred to as geofencing) | Latitude, longitude, and Radius in KM | ip.geo.isWithin(40.7128, 74.0060, 1000) |
| matches(string) | Determines whether the string matches the regular expression | A string, or a signal with an string value | '[email protected]'.matches(“^[a-z]+@example\.com$”) userAgent.browser.name.matches(“[Mm]ozilla”) |
| size(array) | Determines the length of the string | An array, or a signal with an array value | size([1,2,3]) == 3 size(email.breachInfo.breaches) > 0 |
| startsWith(string) | Determines whether the string starts with the prefix | A string, or a signal with an string value | userAgent.os.name.startsWith(“mac”) |
| yearsSince(timestamp) | Determines the number of years since the given date and time | A timestamp, or a signal with an timestamp value | yearsSince(email.breachInfo.mostRecentBreachDate) > 1 yearsSince(timestamp(“2023-05-08T09:13:59.123+01:00”) == 0 |
Updated 3 months ago