Functions
Functions
Use functions in rules to identify specific information about resource types. Functions use following syntax:
<function>(<argument>)
Following are the functions used in NGL:
len
Usage: len
is a function which calculates the length of a list property or a string property, and returns it as an integer value.
Syntax: len(list_property1)
Example:
microsoft365 malwarefilterpolicy should-have len(FileTypes) > 0
Explanation: NGL will return all Microsoft365 apps’ malware filter policy whose length of file type is greater than 0.
age
Usage: age
is a function which calculates the time difference of a time property till the current time. It takes two parameters, the time property name and unit of time as a string, and returns an integer representing the time difference of that time property measured in the units provided to the function. The value of the property should be an integer representing an Epoch (Unix) time.
Syntax: age(time_property1, “unit_of_time”)
Example:
github repository should-have age(created_at , "days") > 1
Explanation: NGL will return a list of GitHub repositories which have been created before 1 day and greater.
text match
Usage: textmatch
is a function which evaluates the specified regular expression against a given string property. If the string contains the pattern, It returns true otherwise false. See different expressions used with textmatch
in How to use the textmatch
function article.
Syntax: textmatch(string_property, regex_pattern)
Example:
azuread oauth2permissiongrant should-not-have textmatch(scope, "AppRoleAssignment.ReadWrite.All") = true
Explanation: NGL will generate findings if the ‘scope‘ value is equal to the string “AppRoleAssignment.ReadWrite.All” (i.e. true).