ADM rule metric references

Here are lists of metric references for ADM rule expressions, which are available on the Expression Component page when you are adding an ADM rule.

For Common Properties and Common Anomalies, the parameter-type value you can enter for each one is shown in parentheses after the metric reference.

Common Properties

| Property or term | Description |
|---|---|
| Protocol (Number) | The application protocol (HTTP, FTP, SMTP). |
| Object Content (String) | The content of an object (text inside a document, email message, chat message). Content matching is not available for binary data. Binary objects can, however, be detected using Object Type (objtype). |
| Object Type (Number) | Specifies the type of the content as determined by ADM (Office Documents, Messages, Videos, Audio, Images, Archives, Executables). |
| Object Size (Number) | Size of the object. Numeric multipliers K, M, G can be added after the number (10K, 10M, 10G). |
| Object Hash (String) | The hash of the content (currently MD5). |
| Object Source IP Address (Number) | The source IP address of the content. IP address can be specified as 192.168.1.1, 192.168.1.0/24, 192.168.1.0/255.255.255.0. |
| Object Destination IP Address (Number) | The destination IP address of the content. IP address can be specified as 192.168.1.1, 192.168.1.0/24, 192.168.1.0/255.255.255.0. |
| Object Source Port (Number) | The source TCP/UDP port of the content. |
| Object Destination Port (Number) | The destination TCP/UDP port of the content. |
| Object Source IPv6 Address (Number) | The source IPv6 address of the content. |
| Object Destination IPv6 Address (Number) | The destination IPv6 address of the content. |
| Object Source MAC Address (mac name) | The source MAC address of the content (aa:bb:cc:dd:ee:ff). |
| Object Destination MAC Address (mac name) | The destination MAC address of the content (aa:bb:cc:dd:ee:ff). |
| Flow Source IP Address (IPv4) | Source IP address of the flow. IP address can be specified as 192.168.1.1, 192.168.1.0/24, 192.168.1.0/255.255.255.0. |
| Flow Destination IP Address (IPv4) | Destination IP address of the flow. IP address can be specified as 192.168.1.1, 192.168.1.0/24, 192.168.1.0/255.255.255.0. |
| Flow Source Port (Number) | Source TCP/UDP port of the flow. |
| Flow Destination Port (Number) | Destination TCP/UDP port of the flow. |
| Flow Source IPv6 Address (Number) | Source IPv6 address of the flow. |
| Flow Destination IPv6 Address (Number) | Destination IPv6 address of the flow. |
| Flow Source MAC Address (mac name) | Source MAC address of the flow. |
| Flow Destination MAC Address (mac name) | Destination MAC address of the flow. |
| VLAN (Number) | Virtual LAN ID. |
| Day of Week (Number) | The day of the week. Valid values are 1–7; 1 is Monday. |
| Hour of Day (Number) | The hour of the day set to GMT. Valid values are 0–23. |
| Declared Content Type (String) | Type of the content as specified by the server. In theory, Object Type (objtype) is always the actual type and Declared Content Type (content-type) is not trustworthy because it can be spoofed by the server/application. |
| Password (String) | Password used by the application for authentication. |
| URL (String) | Website URL. Applies only to HTTP protocol. |
| File Name (String) | Name of the file being transferred. |
| Display Name (String) | |
| Host Name (String) | Host name as specified in DNS lookup. |

Common Anomalies

  • User logged off (Boolean)
  • Authorization error (Boolean)
  • Authorization successful (Boolean)
  • Authorization failed (Boolean)