
Detection Logic

Souji edited this page Dec 25, 2023 · 4 revisions

Detection logic

Important

Every rule MUST have a detection key
Every detection section MUST have a condition key

The detection section defines a set of named selections, each of which evaluates to a boolean value, together with a condition expression that combines these selections.

Selection keys can in theory be named whatever you want, but the convention is to use selection for basic selection operations and filter for selections that narrow the selection down. They cannot, however, contain spaces, since that breaks the condition parser.

A very simple detection setup could be "if the username is omega":

detection:
  selection:
    username: omega
  condition: selection

OR

Like sigma, omega uses YAML list syntax (dashes in front of every entry) to represent OR operations:

detection:
  selection:
    fieldname:
      - this # OR
      - that
  condition: selection

This also works across fields, with a list of key-value pairs:

detection:
  selection:
    - fieldname: this # OR
    - otherfieldname: that
  condition: selection

AND

Like sigma, omega uses YAML dictionary syntax (no dashes) to represent AND operations:

detection:
  selection:
    fieldname: this # AND
    otherfieldname: that
  condition: selection

Detection Methods

Keywords

If you do not specify a field name, the pattern is evaluated against the entire structure, stringified. As stated above, the selection key can have any name, but keywords is the standard name for this kind of selection.

detection:
  keywords:
    - this # OR
    - that # OR
    - foo # OR
    - bar
  condition: keywords

Warning

Keywords are evaluated against the entire stringified structure!
Using specific field names will almost always be faster!

Field value

If you specify a key-value pair (YAML dictionary), the pattern is evaluated against that specific object field name.

detection:
  selection:
    username: Omega
  condition: selection

To check for multiple conditions, specify multiple keys!

detection:
  selection:
    username: Omega # AND where
    displayname: Sigma
  condition: selection

Field list

If you specify a list of key-value pairs, each pattern is evaluated against its own object field, and the entries of the list are combined with OR.

detection:
  selection:
    - username: Omega # OR where
    - displayname: Sigma # OR where
    - avatar|contains: 8f50eb
  condition: selection

Note

Read more about value modifiers like |contains that are appended to the field name here.

Condition

The condition key is reserved for a boolean expression that combines the other selection keys. In the examples above there is always just the selection condition, to keep things simple. If you have more complex conditions, give your selection keys descriptive names so the condition is easy to read and comprehend. A simple condition could be selection and not filter.

You can also use parentheses to be even more specific! Something like (a and b) or (c and not d) or ((not e and not f) or g) is theoretically valid! Try to keep it simple and use the power of field lists whenever possible, to keep conditions short!

Warning

1 of and all of are not currently supported in omega rules!
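To make the selection and condition semantics above concrete, here is an added Python evaluator (not omega's own code). It assumes the YAML has already been loaded into Python dicts and lists (as PyYAML would produce), supports only the |contains modifier shown on this page, and uses Python's ast module purely as a parser for the condition grammar, since names, and/or/not and parentheses are a subset of Python boolean syntax. The sample rule and event at the bottom are constructed for this example.

```python
import ast

def match_field(event: dict, key: str, pattern) -> bool:
    """One 'field: value' pair. A list value is an OR; '|contains' is a substring test."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    candidates = pattern if isinstance(pattern, list) else [pattern]
    if modifier == "contains":
        return any(str(p) in str(event[name]) for p in candidates)
    return any(event[name] == p for p in candidates)

def evaluate_selection(event: dict, definition) -> bool:
    """Dictionary = AND across fields, list of dicts = OR, list of scalars = keywords."""
    if isinstance(definition, dict):
        return all(match_field(event, k, v) for k, v in definition.items())
    if isinstance(definition, list) and all(isinstance(i, dict) for i in definition):
        return any(evaluate_selection(event, item) for item in definition)
    if isinstance(definition, list):
        text = str(event)  # keywords run against the whole stringified event (slow)
        return any(str(keyword) in text for keyword in definition)
    raise ValueError("unsupported selection definition")

def evaluate_condition(condition: str, values: dict) -> bool:
    """Parse the condition with ast and walk only Name/Not/And/Or nodes; nothing is
    executed. '1 of' / 'all of' are not valid here and raise SyntaxError, as on the wiki."""
    def walk(node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            if node.id not in values:
                raise ValueError(f"unknown selection {node.id!r}")
            return values[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.BoolOp):
            parts = [walk(v) for v in node.values]  # evaluate all, so typos always surface
            return all(parts) if isinstance(node.op, ast.And) else any(parts)
        raise ValueError(f"unsupported syntax in condition: {type(node).__name__}")
    return walk(ast.parse(condition, mode="eval").body)

def matches(detection: dict, event: dict) -> bool:
    """Every key except 'condition' is a selection; the condition combines them."""
    values = {k: evaluate_selection(event, v) for k, v in detection.items() if k != "condition"}
    return evaluate_condition(detection["condition"], values)

# Constructed sample: the field-list example from this page, narrowed by a bot filter.
DETECTION = {"selection": [{"username": "Omega"}, {"displayname": "Sigma"}, {"avatar|contains": "8f50eb"}],
             "filter": {"bot": True}, "condition": "selection and not filter"}
EVENT = {"username": "Omega", "displayname": "Other", "avatar": "ab8f50eb12", "bot": False}
```

matches(DETECTION, EVENT) returns True for the sample event and False once the bot field is set to True, because the filter then removes it.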
