Skip to main content

In the documentation it seems that the arrays.contains function can be used like the following, 

arrays.contains($asset_id_list, "id_1234")

Is it possible to use the function with two variables so I can compare the list with a value in a UDM field?

The following code snippet shows a possible use case for this scenario:

 

rule Example_rule_for_arrays {

meta:
author = "amalone"
description = "Look for a spike in failed logins for a User account followed by a successful login from an IP address associated with a fail"
severity = "Low"

events:
$fail.metadata.event_type = "USER_LOGIN"
$fail.security_result.summary = /Failed/ nocase
$fail.target.user.userid = $user

$success.metadata.event_type = "USER_LOGIN"
$success.security_result.summary = /Success/ nocase
$success.target.user.userid = $user

$fail.metadata.event_timestamp.seconds <= $success.metadata.event_timestamp.seconds

match:
$user over 2d

outcome:
$Total_Fails = count($fail.target.user.userid) // count of total failed logins

$Failed_login_IPs_Count = count_distinct($fail.principal.ip) // Number of IPs with a failed login to the User
$Failed_login_IPs_List = array_distinct($fail.principal.ip) // Unique list of IPs with a failed login for the user

$Success_login_IPs_Count = count_distinct($success.principal.ip) // Number of IPs with a Successful login to the User
$Success_login_IPs_List = array_distinct($success.principal.ip) // Unique list of IPs with a Successful login for the user

condition:
// Look for at least 30 fails over 2 days from more than 3 IP addresses.
// QUESTION: Is there a way to say "The value of $success.principal.ip exists inside of $Failed_login_IPs_List"
// note: I don't want to match off of the IP as well as that will cut down on the number of failed login logs
//
// Want to do something like arrays.contains($Failed_login_IPs_List, $success.principal.ip) in the condition
$fail and $success and $Failed_login_IPs_Count > 3 and $Total_Fails > 30
}

 

 

Hi @amalone341,

Welcome to Google Cloud Community!


Yes, it is possible to use the `arrays.contains` function with two variables in the way you described. Here is how you can do it:

 

condition:
arrays.contains($Failed_login_IPs_List, $success.principal.ip) and
$fail and $success and $Failed_login_IPs_Count > 3 and $Total_Fails > 30 ​
This will check if the value of `$success.principal.ip` exists in the list `$Failed_login_IPs_List`, and the rest of the condition will be evaluated only if this is true.

 

Note that the `arrays.contains` function returns a boolean value (either `true` or `false`), so you can use it directly in a condition like this.

 

Thanks

Hi @amalone341,

Welcome to Google Cloud Community!


Yes, it is possible to use the `arrays.contains` function with two variables in the way you described. Here is how you can do it:

 

condition:
arrays.contains($Failed_login_IPs_List, $success.principal.ip) and
$fail and $success and $Failed_login_IPs_Count > 3 and $Total_Fails > 30 ​
This will check if the value of `$success.principal.ip` exists in the list `$Failed_login_IPs_List`, and the rest of the condition will be evaluated only if this is true.

 

Note that the `arrays.contains` function returns a boolean value (either `true` or `false`), so you can use it directly in a condition like this.

 

Thanks

Hey Christian,

Thanks for the response! 

When I put that snippet of code into the rule it says there is an error on the $success part of $success.principal.ip. The error is as follows:

parsing: error with token: "success"

expected )

line: 41 

column: 44-51

Commenting out the following line will result in a rule that runs properly.

arrays.contains($Failed_login_IPs_List, $success.principal.ip) and

 

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.