Building Rules with CEL Expressions and JSON Files

Some signals require using Shopify's Liquid language and Google’s Common Expression Language (CEL) to build expressions.
CEL works well with JSON data. Rules can be created, imported, and exported as JSON files. For more information about how these languages work together, see JSON to CEL mapping.
The following custom functions are provided to help build rules.

FunctionDescriptionArgumentsExamples
contains(substring)Determines whether the string contains the substringA substring, or a signal with an substring value”LinkedIn Breach”.contains(“LinkedIn”) ip.aso.contains(“Comcast”)
daysSince(timestamp)Determines the number of days since the given date and timeA timestamp, or a signal with an timestamp valuedaySince(timestamp(“2023-05-01T10:00:20.021-05:00”)) > 10 daysSince(email.breachInfo.mostRecentBreachDate) > 180
endsWith(string)Determines whether the string ends with the suffixA string, or a signal with an string valueuserAgent.os.name.endsWith(“test”)
has(signal)Determines the presence of a signalA signal namehas(ip.tor)
isInRange(addr)Determines if the IP is in the provided CIDR range/block. Supports IPv4 and IPv6.An addr, or a signal with an addr valueip.isInRange('204.77.8.0/23')
isWithin(latitude, longitude, radius)Determines if the IP geolocation is within a pre-defined area (also referred to as geofencing)Latitude, longitude, and Radius in KMip.geo.isWithin(40.7128, 74.0060, 1000)
matches(string)Determines whether the string matches the regular expressionA string, or a signal with an string value'[email protected]'.matches(“^[a-z]+@example\.com$”) userAgent.browser.name.matches(“[Mm]ozilla”)
size(array)Determines the length of the stringAn array, or a signal with an array valuesize([1,2,3]) == 3 size(email.breachInfo.breaches) > 0
startsWith(string)Determines whether the string starts with the prefixA string, or a signal with an string valueuserAgent.os.name.startsWith(“mac”)
yearsSince(timestamp)Determines the number of years since the given date and timeA timestamp, or a signal with an timestamp valueyearsSince(email.breachInfo.mostRecentBreachDate) > 1 yearsSince(timestamp(“2023-05-08T09:13:59.123+01:00”) == 0