Reference list syntax

You can use reference lists in the events or outcome sections. Here is the syntax for using various types of reference lists in a rule:

// STRING reference list
$e.principal.hostname in %string_reference_list

// REGEX reference list
$e.principal.hostname in regex %regex_reference_list

// CIDR reference list
$e.principal.ip in cidr %cidr_reference_list

You can also use the not operator and the nocase operator with reference lists as shown in the following example:

// Exclude events whose hostnames match substrings in my_regex_list.
not $e.principal.hostname in regex %my_regex_list

// Event hostnames must match at least one string in my_string_list (case insensitive).
$e.principal.hostname in %my_string_list nocase

The nocase operator works only with STRING lists and REGEX lists; it has no meaning for CIDR lists, where matching is by address range rather than by text.

For performance reasons, the Detection Engine restricts reference list usage.

  • Maximum in statements in a rule, with or without special operators: 7
  • Maximum in statements with the regex operator: 4
  • Maximum in statements with the cidr operator: 2
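The fragments above show each operator in isolation. The following complete rule is an added example, not taken from the Google SecOps documentation, and the list names (%corp_host_allowlist, %corp_ip_ranges, %suspicious_host_patterns, %known_vpn_ranges) and the detection logic are assumptions for illustration. It combines a STRING list with nocase, a REGEX list, and CIDR lists across both the events and outcome sections, and it stays inside the Detection Engine limits: four in statements in total (limit 7), one with regex (limit 4), and two with cidr (limit 2).

```yaral
rule login_from_unexpected_host_and_network {
  meta:
    author = "example"
    description = "Login from a host not on the corporate allowlist, arriving from outside corporate IP ranges"
    severity = "MEDIUM"

  events:
    $e.metadata.event_type = "USER_LOGIN"

    // STRING list + nocase: drop hosts on the allowlist regardless of letter case.
    // (in statement 1 of 7)
    not $e.principal.hostname in %corp_host_allowlist nocase

    // CIDR list: the source address must be outside corporate ranges.
    // (in statement 2 of 7; cidr statement 1 of 2)
    not $e.principal.ip in cidr %corp_ip_ranges

    // REGEX list: the hostname must match one of the suspicious naming patterns.
    // (in statement 3 of 7; regex statement 1 of 4)
    $e.principal.hostname in regex %suspicious_host_patterns

  outcome:
    // Reference lists are also allowed here: score known VPN egress lower than
    // a fully unknown source. (in statement 4 of 7; cidr statement 2 of 2, the limit)
    $risk_score = max(if($e.principal.ip in cidr %known_vpn_ranges, 10, 50))

  condition:
    $e
}
```

Adding a third cidr statement to this rule, in either section, would exceed the cidr limit and the rule would be rejected; keeping the counts in comments, as above, makes that easy to check when the rule is extended.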

For more information about reference list behavior and reference list syntax, see Reference Lists.
