
Value modifiers

Souji edited this page Apr 22, 2024 · 11 revisions


Note

This is not a 1:1 mapping with the Sigma specification

  • Adds date modifiers
  • Adds modifier arguments
  • Omits some of the Sigma modifiers specific to networks and encoding. Some of these might be added later!

Value modifiers have the shape key|modifiername and are appended to the attribute key. Some data types take arguments for value modifiers; these are wrapped in () after the modifier name (e.g. key|snowflake(x)). Some data types also allow modifiers to be chained, for example key|snowflake|before.

String modifiers

  • key|contains: wrap the value in unbounded wildcards
  • key|startswith: append unbounded wildcard
  • key|endswith: prepend unbounded wildcard
  • key|date: transform the string to a date and apply further date modifiers
  • key|snowflake: interpret the string as a snowflake, transform it to a date and apply further date modifiers
  • key|snowflake(epoch): epoch can be any of discord, twitter, x, or a custom numerical value (interpreted as BigInt). The default epoch is 0
  • key|re: interpret the value as a regular expression (?, * are also interpreted within the context of the regular expression, not as wildcards)

Note

In addition to value modifiers, Sigma and Omega allow for string wildcards.

Dates

Important

Patterns in the yyyy/mm/dd format are evaluated as UTC!
Timestamps are assumed to arrive as ISO 8601 strings or JavaScript Date objects.

  • key|date|sameday: date is on the same day (year, month, date match)
  • key|date|before: value is before the specified date (ms precision)
  • key|date|after: value is after the specified date (ms precision)

Note

If you need more complex matching, consider using wildcards to evaluate days as an ISO 8601 string instead.

Numbers

  • key|lt or key|<: evaluate the number to be less than the specified value
  • key|lte or key|<=: evaluate the number to be less than or equal to the specified value
  • key|gt or key|>: evaluate the number to be greater than the specified value
  • key|gte or key|>=: evaluate the number to be greater than or equal to the specified value