Documentation

Strings functions

Functions in the strings module

Suggest Edits

concat

strings.concat(sub: string, ...) -> string

concat combines multiple strings together in order. This could be be used later by other string comparisons or list lookups.

Examples

strings.concat("no-reply", "@sublimesecurity.com") -> "[email protected]"
strings.concat(null, "@sublimesecurity.com") -> null
strings.concat(sender.email.local_part, "@different_domain.com") -> "[email protected]"

// Escaped email in a URL (@ escapes to %40)
strings.concat(sender.email.local_part, "%40", sender.email.domain)

contains / icontains

strings.contains(source: string, substring: string) -> bool
strings.icontains(source: string, substring: string) -> bool

contains is used to check if one string contains a specific substring. contains performs a case-sensitive substring search, but icontains is case-insensitive. These strings can be literal strings, fields, or values from functions.

If either string is null, then contains and icontains will return null.

Examples

strings.contains("[email protected]", "@sublimesecurity.com") -> true
strings.contains("[email protected]", "@sublime") -> true
strings.contains("[email protected]", "@SuBLiMe") -> false
strings.icontains("[email protected]", "@SuBLiMe") -> true
strings.icontains("[email protected]", null) -> null

count / icount

strings.count(source: string, substring: string) -> bool
strings.icount(source: string, substring: string) -> bool

count is used to count the number of occurrences of a substring within another string. count only counts case-senstive occurrences but icount counts all case-insensitive occurences. These strings can be literal strings, fields, or values from functions.

If either string is null, then count and icount will return null.

Examples

strings.count("An example string to search", " ") -> 4
strings.count("Banana nana nana", "na") -> 6
strings.icount("BaNaNa NaNa NaNa", "NA") -> 6

ends_with / iends_with

strings.ends_with(source: string, suffix: string) -> bool
strings.iends_with(source: string, suffix: string) -> bool

ends_with is used to check if one string has a specific suffix. ends_with performs a case-sensitive suffix check, but iends_with is case-insensitive. These strings can be literal strings, fields, or values from functions.

If either string is null, then contains and icontains will return null.

Examples

strings.ends_with("[email protected]", "@sublimesecurity.com") -> true
strings.ends_with("[email protected]", "@sublime") -> false
strings.ends_with("[email protected]", "@SublimeSecurity.com") -> false
strings.iends_with("[email protected]", "@SublimeSecurity.com") -> true
strings.iends_with("[email protected]", null) -> null

like / ilike

strings.like(input: string, pattern: string, ...) -> bool
strings.ilike(input: string, pattern: string, ...) -> bool

like is used to match a string against a list of predefined wildcard patterns. like performs a case-sensitive match against the entire string, but ilike is case-insensitive. Use wildcard characters to represent unknown substrings:

  • * is a placeholder for a string of any length, including empty strings
  • ? is a placeholder for a single character within the string

Remember that like and ilike are evaluated against the entire string. To look for a substring, wrap it in *, such as strings.ilike(body.plain.raw, "*password*"), or use strings.icontains(body.plain.raw, "password").

If input is null, then like and ilike will always return null.

Examples

strings.like("[email protected]", "*@sublimesecurity.com") -> true

# use ilike for case-insensitive matches
strings.like("[email protected]", "*@sublimesecurity.com") -> false
strings.ilike("[email protected]", "*@sublimesecurity.com") -> true

# if multiple wildcard patterns are specified, only one needs to match
strings.like("[email protected]", "*@*.org", "*@*.com", "*@*.gov") -> true

# use ? to match exactly 1 unknown character
strings.like("[email protected]", "[email protected]") -> true
strings.like("[email protected]", "[email protected]") -> false

levenshtein / ilevenshtein

strings.levenshtein(a: string, b: string) -> integer
strings.ilevenshtein(a: string, b: string) -> integer

levenshtein is used to calculate the Levenshtein edit distance between two strings. The returned value is equal to the minimum number of character operations (deletion, insertion, substitution) required to transform one string into the other. levenshtein finds the case-sensitive distance between the two strings, but ilevenshtein is case-insensitive.

strings.levenshtein('Bat', 'bot') -> 2
strings.ilevenshtein('Bat', 'bot') -> 1

parse_domain

strings.parse_domain(text: string) -> Domain

strings.parse_domain is used to parse a string into an MDM Domain object, like the one at sender.email.domain.root_domain.

  • text (required): The input text of the domain

If a domain cannot be parsed, the resulting object will be null.

strings.parse_domain("www.sublimesecurity.com")

{
 "domain": {
    "domain": "www.sublimesecurity.com",
    "root_domain": "sublimesecurity.com",
    "sld": "sublimesecurity",
    "tld": "com",
    "valid": true
  } 
}

parse_email

strings.parse_email(text: string) -> EmailAddress

strings.parse_email is used to parse a string into an MDM EmailAddress object, like the one at sender.email.

  • text (required): The input text of the email address.

If an email address cannot be parsed, the resulting object will be null.

strings.parse_email("[email protected]")

{
  "email": "[email protected]",
  "local_part": "foo",
  "domain": {
    "domain": "sublimesecurity.com",
    "root_domain": "sublimesecurity.com",
    "sld": "sublimesecurity",
    "tld": "com",
    "valid": true
  }
}

parse_json

strings.parse_json(j: string) -> object

strings.parse_json is used to parse a raw JSON string into an MQL JSON object.

If the JSON cannot be parsed, the resulting object will be null

You can traverse the resulting JSON object using the syntax as described on the syntax page

parse_url

strings.parse_url(text: string, strict=true) -> URL

strings.parse_url parses a string into an MDM URL object, such as the one at body.links[].href_url.

  • text (required): The input text of a URL.
  • strict (optional): If true, the URL must have an explicit schema, such as https://. To parse a URL without a scheme, manually set strict = false
strings.parse_url("https://www.sublimesecurity.com")

{
  "url": "https://www.sublimesecurity.com",
  "domain": {
    "domain": "www.sublimesecurity.com",
    "root_domain": "sublimesecurity.com",
    "sld": "sublimesecurity",
    "subdomain": "www",
    "tld": "com",
    "valid": true
  },
  "scheme": "https"
}

strings.parse_url("www.sublimesecurity.com", strict=false)

{
  "url": "https://www.sublimesecurity.com",
  "domain": {
    "domain": "www.sublimesecurity.com",
    "root_domain": "sublimesecurity.com",
    "sld": "sublimesecurity",
    "subdomain": "www",
    "tld": "com",
    "valid": true
  },
  "scheme": "https"
}

starts_with / istarts_with

strings.starts_with(source: string, prefix: string) -> bool
strings.istarts_with(source: string, prefix: string) -> bool

starts_with is used to check if one string has a specific prefix. istarts_with performs a case-sensitive prefix check, but iends_with is case-insensitive. These strings can be literal strings, fields, or values from functions.

If either string is null, then contains and icontains will return null.

Examples

strings.starts_with("[email protected]", "no-reply") -> true
strings.starts_with("[email protected]", "@sublime") -> false
strings.starts_with("[email protected]", "No-Reply") -> false
strings.istarts_with("[email protected]", "No-Reply") -> true
strings.istarts_with("[email protected]", null) -> null

Updated 5 months ago