matchbehavior()

The matchbehavior() function checks whether a specific key combination exists in a specified behavior profile.

Syntax

matchbehavior(STR_GUID, KEY_EXPR,...)

Parameters

STR_GUID
The GUID of the behavior profile. Must be a valid behavior profile identifier. If a non-existent GUID is specified, an error occurs at query parse time.
KEY_EXPR,...
A comma-separated list of key expressions. The order and number of key parameters must match the order and number of key fields defined in the behavior profile.

Description

The matchbehavior() function returns true if a record composed of the KEY_EXPR values exists in the specified behavior profile, or false if it does not.

Each KEY_EXPR must be passed in the order corresponding to the key fields defined in the behavior profile. The function evaluates each key expression to build a key-value map and searches the profile for an entry matching that map.

Even if a KEY_EXPR value is null, null itself is passed as the value in the key-value map.

Behavior profiles are managed in the Sonar web console under Policies > Behavior Profiles.
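
The lookup described in this section can be modelled in a few lines of Python, which makes the positional binding and the null handling easy to see. This is an added illustration, not Sonar's implementation: the `BehaviorProfile` class, its methods and the sample records are constructed, and both the error on a key-count mismatch and the literal comparison of null are assumptions of the model.

```python
from typing import Any, Dict, FrozenSet, Sequence, Set, Tuple

Key = FrozenSet[Tuple[str, Any]]


class BehaviorProfile:
    """Hypothetical in-memory model of a behavior profile (not Sonar's code)."""

    def __init__(self, key_fields: Sequence[str]):
        self.key_fields = tuple(key_fields)  # order is fixed by the profile
        self._entries: Set[Key] = set()

    def _key_map(self, values: Sequence[Any]) -> Dict[str, Any]:
        # Values bind to key fields purely by position, as the page describes.
        if len(values) != len(self.key_fields):
            # Assumption: the page only says the counts "must match".
            raise ValueError("key count does not match profile definition")
        return dict(zip(self.key_fields, values))

    def learn(self, *values: Any) -> None:
        # Record one observed key combination in the profile.
        self._entries.add(frozenset(self._key_map(values).items()))

    def match(self, *values: Any) -> bool:
        # None stays in the map as a value; in this model it is compared
        # like any other value (assumption), not dropped from the key.
        return frozenset(self._key_map(values).items()) in self._entries


def demo() -> Dict[str, bool]:
    profile = BehaviorProfile(["src_ip", "dst_port"])  # constructed sample
    profile.learn("192.0.2.1", 443)
    profile.learn(None, 443)  # a record whose src_ip was null
    return {
        "known": profile.match("192.0.2.1", 443),
        "swapped": profile.match(443, "192.0.2.1"),  # wrong argument order
        "new_port": profile.match("192.0.2.1", 8443),
        "null_key": profile.match(None, 443),
        "null_unseen": profile.match(None, 22),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In the model, the `swapped` case returns false without any error, which is why a detection rule that passes keys in the wrong order flags every record as unseen instead of failing visibly.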

Error codes

N/A

Usage examples

  1. Check whether the combination of src_ip and dst_port fields exists in a behavior profile

    json "{'src_ip': '192.0.2.1', 'dst_port': 443}"
    | eval result = matchbehavior("550e8400-e29b-41d4-a716-446655440000", src_ip, dst_port)
    | # result: false
    
  2. Use three key fields

    json "{'user': 'alice', 'src_ip': '192.0.2.1', 'action': 'login'}"
    | eval result = matchbehavior("550e8400-e29b-41d4-a716-446655440001", user, src_ip, action)
    | # result: false
    
  3. KEY_EXPR value is null

    json "{'src_ip': null}"
    | eval result = matchbehavior("550e8400-e29b-41d4-a716-446655440000", null, 443)
    | # result: false
    

Compatibility

matchbehavior() has been available since before Sonar 4.0.