CEL Overloads
The `where` field in rules and filters uses a customized version of the Common Expression Language (CEL). Unlike standard CEL, which uses method-call syntax (e.g., `field.contains()`), UTMStack uses functional overloads that are safer and handle missing fields automatically.
Available Overloads
Core Features
- Type Flexibility: Functions like `equals` and `oneOf` perform "best-effort" matching. They automatically handle comparisons between strings and numbers (e.g., `equals("f", 100)` will match both the integer `100` and the string `"100"`).
- Strict String Safety: Functions designed for string manipulation (`startsWith`, `contains`, `regexMatch`, etc.) strictly enforce that the field value must be a string. This prevents false positives on numeric or boolean fields.
- Auto-Existence: If a field is missing, these functions return `false` instead of raising an error that aborts the expression.
| Category | Function | Field Type (Log) | Literal Type (Rule) | Description |
|---|---|---|---|---|
| Existence | `exists("f")` | Any | N/A | Checks if a field exists. |
| Logic | `safe("f", def)` | String, Num, Bool | Matches Field | Returns the field value, or `def` if the field is missing. |
| Flexible Match | `equals("f", val)` | String, Num | String, Int, Double | "Best-effort" equality. Matches even if types differ (str vs num). |
| | `oneOf("f", [...])` | Any | List of Any | True if field matches any item using flexible matching. |
| Strict String (Scalar Only) | `equalsIgnoreCase("f", "v")` | String | String | Case-insensitive equality. |
| | `contains("f", "v")` | String | String or List | True if field contains the substring (any of them, if a list is given). |
| | `containsAll("f", [...])` | String | List of Strings | True if field contains all substrings. |
| | `startsWith("f", "v")` | String | String or List | True if field starts with the prefix (any of them, if a list is given). |
| | `endsWith("f", "v")` | String | String or List | True if field ends with the suffix (any of them, if a list is given). |
| | `regexMatch("f", "re")` | String | String (Regex) | Validates field against a regex. |
| Network | `inCIDR("f", "net")` | String (IP) | String (CIDR) | True if the IPv4/v6 address is within the CIDR range. |
| Comparison | `greaterThan("f", val)` | Number | String, Int, Double | True if field > value (converts strings to numbers where possible). |
| | `lessThan("f", val)` | Number | String, Int, Double | True if field < value. |
| | `greaterOrEqual("f", val)` | Number | String, Int, Double | True if field >= value. |
| | `lessOrEqual("f", val)` | Number | String, Int, Double | True if field <= value. |
| Temporal | `isHour("f", val)` | String (ISO8601) | Int (0-23) | True if the hour matches val. |
| | `isMinute("f", val)` | String (ISO8601) | Int (0-59) | True if the minute matches val. |
| | `isDayOfWeek("f", val)` | String (ISO8601) | Int (0-6) | True if the day (0=Sun) matches val. |
| | `isWeekend("f")` | String (ISO8601) | N/A | True if Saturday or Sunday. |
| | `isWorkDay("f")` | String (ISO8601) | N/A | True if Monday to Friday. |
| | `isBetweenTime("f", "start", "end")` | String (ISO8601) | String ("HH:MM") | True if the time of day falls within the range. |
Example: Multi-Condition Detection
```yaml
where: >
  exists("origin.ip") &&
  !inCIDR("origin.ip", "10.0.0.0/8") &&
  (startsWith("origin.user", "admin_") || equals("origin.user", "root"))
```
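To see how the overload semantics above (missing fields, best-effort `equals`, strict-string `startsWith`) shape what this rule matches, here is an added Python reference model of those semantics and the rule evaluated against constructed events. It is not UTMStack's code; the dotted-path lookup and the handling of mixed string/number comparisons are assumptions based on the descriptions in the table.

```python
import ipaddress

# Constructed reference model of the documented overload behaviour
# (not UTMStack's implementation): dotted field lookup, missing field -> False,
# best-effort equals/oneOf, strict-string text functions.

_MISSING = object()

def _get(event, path):
    """Resolve a dotted path such as "origin.ip" in a nested dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur

def exists(event, f):
    return _get(event, f) is not _MISSING

def safe(event, f, default):
    v = _get(event, f)
    return default if v is _MISSING else v

def equals(event, f, val):
    """Best-effort equality: equals("f", 100) matches both 100 and "100"."""
    v = _get(event, f)
    return v is not _MISSING and (v == val or str(v) == str(val))

def oneOf(event, f, vals):
    return any(equals(event, f, x) for x in vals)

def _strict_str(event, f):
    """Strict-string functions only ever match when the field is a string."""
    v = _get(event, f)
    return v if isinstance(v, str) else None

def startsWith(event, f, prefixes):
    v = _strict_str(event, f)
    ps = prefixes if isinstance(prefixes, list) else [prefixes]
    return v is not None and any(v.startswith(p) for p in ps)

def inCIDR(event, f, net):
    v = _strict_str(event, f)
    try:  # a version mismatch (IPv6 address vs IPv4 net) simply yields False
        return v is not None and ipaddress.ip_address(v) in ipaddress.ip_network(net, strict=False)
    except ValueError:
        return False

def rule_matches(event):
    """The multi-condition rule from this page, evaluated with the model above."""
    return (exists(event, "origin.ip")
            and not inCIDR(event, "origin.ip", "10.0.0.0/8")
            and (startsWith(event, "origin.user", "admin_")
                 or equals(event, "origin.user", "root")))
```

Note that an event whose `origin.user` is the number `1234` never matches `startsWith`, while `equals` would still match a numeric field against the string `"1234"`.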