Block definitions
The blocks are separated into the following categories:

The Data item block is the final output block. Every workspace starts with the Data item block; it can't be added from the toolbox or deleted from the workspace. It represents the key/value pair that is returned when the rule is run against an endpoint. Enter a key name in untitled and select a data type from the drop-down. Connect other blocks as input to create the query that results in the value.
- bool (Boolean)
- long
- double
- string
- datetime
By default, all rules are evaluated in a system context. In version 1.0.5 or higher, you can configure the runtime context. The possible values are System and User. Specifying User makes it easier to retrieve user-specific properties that are only available when there is a logged in user profile. Select a runtime context from the drop-down.
When runtime context is set to User and there is no user logged in at the time the rule is evaluated, no data is returned.
Convert is implicitly performed on the input to the Data item block when you select the type. For example, if your logic returns a number but the type is string, the block converts the number to a string. However, it's not possible to convert all data types to a supported data type.

The Array category contains blocks that are useful for manipulating arrays. Arrays aren't a supported data type, but they are often returned from blocks such as the blocks in the WMI category and the Registry category. Use blocks in the Array category to manipulate the array so it results in a data item scalar return type.
The following blocks are available in the array category:
- Array element
- Use the array element block within the map array block or the filter array block to reference the current array element. It has no meaning on its own and should only be used with the map array block or the filter array block.
- Reduce current value
- Use the reduce current value block to refer to the current array element during a reduce operation. The reduce current value block should only be used with the reduce array block.
- Reduce accumulator value
- Use the reduce accumulator value block to refer to the accumulated value that is computed during a reduce operation and returned as the end result. The reduce accumulator value block should only be used with the reduce array block.
- Map array
Use the map array block to perform an action on every element of the input array. The output of this block is a new array containing the results of the action performed on the input array. Use the array element block to reference the current element of the input array.
For example, given an array of integers, you could define an action that multiplies each integer by a constant value. The output of the block would be a new array with each element multiplied by that constant value.
- Filter array
Use the filter array block to perform a test on each element of the input array to determine if the element should be included in the block's output. Use the array element block combined with some logic to perform a test that results in a logical true or false value. If the test result is true for an element of the array, the element is included in the output array.
For example, if the input array elements are all integers, you could define logic that tests if each value is above a minimum value. The resulting array only contains those integers that are above that minimum value.
- Reduce array
Use the reduce array block to perform an action on an input array and compute an accumulated value as the output. Use the reduce current value block to reference the current value in the array and the reduce accumulator value block to reference the computed value. When you use this block, you also attach an initial value which becomes the reduce accumulator value when the first element in the array is processed. The output of the reduce array block is often not an array, but it still can be.
For example, if you have an input array of numeric values, you can compute the sum of all the values. Attach the arithmetic block with the addition operator in using action. Use the reduce accumulator value block and the reduce current value block as inputs. Use the number block set to zero as the initial value input. The output of the block is a numeric value of the sum of all elements in the input array.
- Verify
Use the Verify block to perform a test on each element of the input array. Depending on the value you select in the drop-down, the test determines if all, none, or some of the elements in the array match some condition. The result is a Boolean value of true or false.
For example, if the input is an array of integers, you could define logic that will test if some of the values are above a minimum value. The output is true if any of the values is above that minimum value.
- Merge arrays
Use the merge arrays block to take multiple array inputs and merge them into a single array as the output of the block. Arrays merged in this way don't have to contain the same element types; for example, you can merge a numeric array with a string array. Arrays are always concatenated in the order they are input; they aren't interleaved.
Use [icon] to increase or decrease the number of array inputs.
- Set array elem in array
Use the set array elem in array block to modify an element in an existing array without using a map array block. The map array block can be inefficient, especially for large arrays, because it must iterate through every array element even if you only want to modify the value of an element at one index.
For example, if you know you are dealing with an array that is always of the same length, you might want to adjust the array element at a known index instead of iterating the whole array.

The Constants category contains blocks that are used as inputs to many of the other blocks. For instance, you might need to specify a string constant value as the input to a WMI query or to a registry key path. You could also use a block in the Constants category as a numeric constant in a mathematical operation.
The following blocks are available in the Constants category:
- String
Use the string block to insert a string constant as an input to another block.
For example, you can use a string constant to specify the WMI class input parameter to a WMI query block.
- Bool
Use the bool block to return a constant Boolean value of true or false.
For example, you can use this block in comparisons or as a return value from a sequence block.
- Array
Use the array block to define a constant array in your Data item logic. Although an array can't be directly returned from the Data item block, it can be useful to define an array for map or other operations. The array block can also be useful for testing logic in custom blocks when the input is expected to be an array.
Use [icon] to increase or decrease the number of inputs in the array.
- Object
Use the object block to define a collection of key/value pairs to be used as input into another block. Although an object can't be directly returned from the Data item block, it can be useful as temporary storage of retrieved values or as text input to custom block inputs.
This block is initially configured with a key/value pair block. The key/value block is configured with a string block as the key input. You can add additional key/value pair blocks to the object block by dragging them into the C-shaped opening.
- Key/value pair
Use the key/value pair block in the object block. One or more key/value pair blocks can make up an object block.
This block is initially configured with a string block as key input.
- Milliseconds since system start
Use the milliseconds since system start block to return the number of milliseconds that have occurred since the system was started. This block can be used with date/time blocks to write logic related to system start times.
Requires DataExplorer Builder version 1.0.5 or higher
- OS platform
Use the OS platform block to provide a result indicating the platform the rule is being evaluated on. The possible return value is windows.
- Rule trigger
Use the rule trigger block to return the id of the trigger (event) that occurred to cause the rule evaluation. Currently, this is always Periodic (daily) but there might be additional supported trigger types in the future.
Requires DataExplorer Builder version 1.0.5 or higher
- User sessions
Use the user sessions block to return an array of the user session object for the endpoints. The array returns the following properties, which may or may not be filled out:
- domain
- id
- remote
- unlocked
- lastinput
- state
- timeConnected
- timeDisconnected
- timeLoggedOn
- username
- winStation
Requires DataExplorer Builder version 1.0.5 or higher
- Console session id
Use the console session id block to return the session id of the user that is logged in to the console. The session id can be matched against the id returned from the user sessions block to get more information on the logged in user.
Requires DataExplorer Builder version 1.0.5 or higher
- Number
- Use the number block to define a numerical constant as an input to another block. Number blocks can be either integer or floating point values.
- Current time
- Use the current time block to return the current date and time in UTC as a Unix timestamp with milliseconds. The Unix timestamp is a long value showing the number of elapsed milliseconds since January 1, 1970.
- Client info
Use the client info block to return information about the endpoint. The information differs based on operating system and platform, and not all information is available for all platforms. The data is returned as an object type and specific fields can be accessed using a get value block from the Data category. Some fields that are returned on the Windows platform include:
- hostname
- architecture (x64 or x86)
- platform (windows)
- osversion
- lcid (locale id)
- culture
- cdcversion (requires DataExplorer Builder version 1.0.4 or higher)
- Network info
Use the network info block to return information on the current networking environment. Some networking environment details returned include:
- IPv4 address
- IPv6 address
- Public IPv4 address
- WIFI interface (if active)
Requires DataExplorer Builder version 1.0.4 or higher

The Custom category includes your custom blocks that you create. The Custom category only appears when you have created a custom block.
The following blocks are available in the Custom category:
- Custom block named
- The custom block named block is the final output block for your custom logic. It is the starting block in every custom block, and can't be added from the toolbox or deleted from the workspace. Connect other blocks as input to create the logic for the custom block.
- Custom block input
Use the custom block input block to add variable inputs to your custom block.
The custom block input block is only available when you are in block editor mode.

The Data category generally includes blocks that can be used to manipulate or save data during rule evaluations.
The following blocks are available in the Data category:
- Get value
Use the get value block to access a value stored in an array or an object during rule evaluation. Certain blocks, such as the WMI query block, return array or object types. If the from input is an array, the get value input is a string containing the array index for the data to return. If the from input is an object, the get value input is a string containing the key name for the input object to return. You can use dot notation to access child objects and child arrays from the input.
For example, if you have an array of objects and each object has a name property, you can access the name of the first object in the array using the syntax: '0.name'.
- Sort
Use the sort block to sort an array or object. Sorting occurs for two levels: current level and one level deeper. If data types other than array or object are passed, the output is null. Select Ascending or Descending from the drop-down to specify the sort order.
Requires DataExplorer Builder version 1.0.12 or higher
- Copy data
Use the copy data block to take an input and do one of the following, depending on the data type:
- array or object: copy the input and store the new variable at a different memory location
- string, bool, long, or double: pass the input unchanged
Requires DataExplorer Builder version 1.0.12 or higher
- Get length of
- Use the get length of block to return the length of the input value where the input value is an array or a string. If the input is an array, the get length of block returns the number of elements in the array. If the input is a string, the get length of block returns the number of characters in the string.
- Get type of
Use the get type of block to return the data type of the input value. You can use this block to alter the results of a WMI query or scripting block where the type might be unknown until the call is made.
Requires DataExplorer Builder version 1.0.4 or higher
- Get variable named
Use the get variable named block to access a value previously stored using the set variable block.
Variables are temporary and their values only persist in the current rule evaluation session. They aren't accessible to other rules.
This block is initially configured with the string block used as the input.
- Set variable named
Use the set variable named block to set a temporary variable that can be referenced later in the rule logic using the get variable block. You can use the set variable block on complex rules where you might pull data from somewhere expensive (WMI) but need to reference it several times in the same rule evaluation. Rather than performing the same expensive query multiple times, you perform it once and save the result to a named variable. You can then reference the variable anywhere you need to refer to that data. The set variable block returns the input data as the output so it can be used as a passthrough function to save and return the data.
Variables are temporary and their values only persist in the current rule evaluation session. They aren't accessible to other rules.
This block is initially configured with the string block used as the first input.
- Convert to type
Use the convert to type block to attempt to convert the input data to the data type specified in the drop-down list. If a conversion is possible, this block outputs the converted data. Because an implicit convert is applied to the input of the Data item block, the convert to type block isn't required as the input block for the Data item block. The available types in the drop-down list are:
- bool (Boolean)
- long
- double
- string
- datetime
- array
- object
For example, you might want to convert a floating point result from one of the block outputs to an integer value.
It's not possible to convert all data types to other data types. For example, if you try to convert an array to a Boolean, incorrect or error results are returned.
- Reverse input
- Use the reverse input block to flip the input value. You typically use this block to reverse the order of the elements in an array input or to reverse the order of the characters in a string input. This can sometimes be helpful for certain WMI queries where the data is returned in the incorrect order.
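The dot-notation lookup described for the get value block above, modelled in Python as an added example (not the product's implementation). The sample data is constructed, and returning a default for an unresolvable path is an assumption, since the page does not say what the block does in that case.

```python
# Constructed sample shaped like an array of objects returned by a query block.
SAMPLE = [
    {"name": "Defender", "paths": ["C:\\a", "C:\\b"]},
    {"name": "Other"},
]


def get_value(source, path, default=None):
    """Resolve a dot-separated path such as '0.name' against arrays/objects.

    Each segment is a string: an object key, or an array index written as
    text. In this model a key that itself contains a dot cannot be addressed.
    """
    current = source
    for segment in str(path).split("."):
        if isinstance(current, list):
            # Accept only non-negative ASCII integers so that '-1' or 'x'
            # never silently selects an element.
            if not (segment.isascii() and segment.isdigit()):
                return default
            index = int(segment)
            if index >= len(current):
                return default
            current = current[index]
        elif isinstance(current, dict):
            if segment not in current:
                return default
            current = current[segment]
        else:
            # A scalar has no children, so the rest of the path is invalid.
            return default
    return current


if __name__ == "__main__":
    print(get_value(SAMPLE, "0.name"))          # first object's name
    print(get_value(SAMPLE, "0.paths.1"))       # child array inside an object
    print(get_value(SAMPLE, "5.name", "n/a"))   # index out of range
```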

The File category contains blocks that are useful for performing file and directory query operations on an endpoint. Many file and directory operations take a path string as input. Make sure that the specified paths are available on all endpoints the rule will be evaluated on. No path separator conversion is performed so Windows and *nix path string constants should be specified in platform specific conditionals with appropriate separators, or the Join path block should be used.
The following blocks are available in the File category:
- Retrieve file property
Use the Retrieve file property block to retrieve either a single attribute or all of the attributes from a file at a specific input path. Use the drop-down to select the single attribute or to select All. Not all file attributes are available on all platforms. If you specify a single attribute, this block returns the value for the specified attribute. If you specify all of the attributes, this block returns an object of key/value pairs containing every attribute available. The possible attributes available for Windows are:
- All
- Name
- Extension
- Company Name
- Creation Time
- Description
- Last Write Time
- Product Name
- Product Version
- Size
- Version Major Value
- Version Minor Value
- Version String
- Retrieve digital certificate property
The Retrieve digital certificate property block retrieves the signing certificate properties for the input file. The supported properties are:
- Effective date
- Expiration date
- Hash algorithm
- Serial number
- Subject
- Timestamp
- Thumbprint
Requires DataExplorer Builder version 1.0.4 or higher
- Check if the file exists
- Use the Check if the file exists block to check for the existence of a file at a specific input path. This block returns a Boolean value of true if the file exists or false if the file doesn't exist or isn't a file.
- Retrieve hash
Use the Retrieve hash block to compute a hash value and return it as a string for the input file. If the input doesn't exist, this block returns null. Select MD5, SHA1, or SHA256 from the drop-down to specify the type of hash to retrieve.
Consider performance when using this block. Hashing large files can be computationally expensive and should be avoided.
Hashes are not encryption and shouldn't be used to protect sensitive data.
- Get lines from file
Use the Get lines from file block to read a specified number of lines from the input file, which is typically a text file, and return the lines as output in an array. If the input path doesn't exist, the block returns null.
For example, you might use the Get lines from file block to read specific lines from a configuration file on the endpoint if you know the configuration is stored at a consistent position within the file.
- Read the text from file
Use the Read the text from file block to read all the lines from the input, which is a text file, and return the data as a string. The returned string data contains newline characters that can be used to split the string into an array using the split string block.
Consider performance when using the Read the text from file block if the input is a large text file, as all of the text data is read into memory.
- Find files from directory
- Use the Find files from directory block to return an array containing all the files from the input path that match a specified file pattern. Select Include subfolders if you want the block to also include files in subdirectories. Select Include hidden files if you want the block to also include hidden files. Select Include system files if you want the block to also include system files.
- Check if the directory exists
Use the Check if the directory exists block to detect if the directory specified by the input value exists. This block returns a Boolean value of true if the directory exists or false if the directory doesn't exist or isn't a directory.
Use this block to check that the path exists if you are using a hardcoded path in any of the File blocks. If the directory doesn't exist, you can provide a default response, such as File not found, in your data item.
- Join path
Use the Join path block to combine two path fragments into a single path fragment without needing to worry about platform-appropriate separators or leading and trailing separators. When you pull path fragments from the registry, the resultant value may or may not have a trailing path separator. Use the Join path block to combine the two paths without writing logic to detect or trim the separators. This block doesn't validate that the inputs passed to it result in a valid or fully qualified path. Use the Check if the file exists or the Check if the directory exists blocks first if you need to validate the path.
For example, you might use the Join path block if you pulled the root install folder for an application from the registry and wanted to look for a specific file in that folder.
- Check if the file is trusted
The Check if the file is trusted block returns a Boolean value indicating if the input file is trusted (signed). This block can also validate that the entire certificate chain is valid. Optionally, you can choose to only use the offline revocation list.
Requires DataExplorer Builder version 1.0.4 or higher

The Logic category contains blocks that assist with the logical flow of the data item rule evaluation.
The following blocks are available in the Logic category:
- Function exists
The Function exists block returns a Boolean value indicating if the named function exists in the set of supported DataExplorer Builder methods. This block can be used to help make rules backwards compatible with older versions of DataExplorer Builder.
Requires DataExplorer Builder version 1.0.4 or higher
- Boolean comparison
Use the Boolean comparison block to chain together a sequence of actions and return a Boolean value based on whether the actions succeed and the drop-down value you select. If you select and, each action is evaluated until one action returns false, or until they all return true. If you select or, each action is evaluated until one action returns true, or until they all return false.
Use [icon] to increase or decrease the number of actions.
- Perform sequential actions
Use the perform sequential actions block to chain together a sequence of actions and return a final result as the output value for the block. This can be useful when you are setting up variables at the beginning of rule evaluation or you are performing some sequence where you don't want to structure the results as true or false to fit into the Boolean comparison block.
Use [icon] to increase or decrease the number of actions.
- If then else
Use the if then else block to check whether a condition is true. If the condition is true, the block performs the logic attached to the then input. If the condition is false, the block performs the logic attached to the else input.
Use [icon] to increase or decrease the number of else if inputs.
- Comparison
Use the comparison block to compare input values using standard comparison operators. The comparison results are returned as a Boolean value of true or false. The comparison operators you can select from the drop-down are:
- == (equal to)
- != (not equal)
- <= (less than or equal to)
- >= (greater than or equal to)
- > (greater than)
- < (less than)
Use [icon] to increase or decrease the number of inputs for comparison.
- Try/catch
- Certain operations throw errors if they fail, for instance querying a nonexistent WMI class. Use the try/catch block to catch expected errors that might occur when performing the try operation and return a default result from the catch input instead. If an error occurs during evaluation that is not caught, an error payload is generated and the data item isn't populated.
- Throw error
Use the throw error block to throw the string specified in the input and stop evaluating the rule if an error is encountered in the rule evaluation and the try/catch block isn't used. You can use this block to prevent sending a data item if a critical situation is encountered and send an error payload for troubleshooting instead. You can also use the throw error block with the try/catch block to handle a critical error with a default value.
This block is initially configured with a string block as the input.
- Last error
Use the last error block to return information about the last error thrown. This block only returns a value if a try/catch block is used and the error has been previously caught.
Requires DataExplorer Builder version 1.0.4 or higher
- Skip evaluation
- Use the skip evaluation block to immediately skip rule evaluation for the current interval without creating a payload. The rule is evaluated again on the next scheduled interval or event. You can use this block if there are conditions on the endpoint where collecting the data is not possible or not desired.

The Numeric category contains blocks that provide functions useful for dealing with numeric values.
The following blocks are available in the Numeric category:
- Arithmetic
Use the Arithmetic block to perform various arithmetic operations on the input values. The following operations are supported:
- + (addition)
- - (subtraction)
- * (multiplication)
- / (division)
- max
- min
Use [icon] to increase or decrease the number of input values.
- Modulus
- Use the Modulus block to return the modulus (remainder) of the first input value when divided by the second input value. This can be helpful in determining if a numeric value is evenly divisible by some other value.
- Bitwise
Use the bitwise block to perform various bitwise operations on the input numeric value and return the resulting numeric value. The following bitwise operations are supported:
- & (AND)
- | (OR)
- ^ (XOR)
- >> (right shift)
- << (left shift)

The Object category contains blocks that are useful in dealing with object data types containing key/value pairs. Object data types are often returned as the results of WMI query blocks.
The Object category requires DataExplorer Builder version 1.0.4 or higher.
The following blocks are available in the Object category:
- Set on object
Use the set on object block to specify a key and a value for the input object. If the input object already contains a key/value pair, the key/value pair is replaced with the key and value that you specified in this block. If there is no key/value pair, the specified key and value are added.
Requires DataExplorer Builder version 1.0.5 or higher
- Filter object
Use the filter object block to perform a test on each key/value pair in an input object to determine if the key/value pair should be included in the block's output. Use the input object block combined with some logic to perform a test that results in a logical true or false value. If the test result is true for the key/value pair, the key/value pair is included in the output object.
Requires DataExplorer Builder version 1.0.4 or higher
- Map object
Use the map object block to perform an action on every key and value of the input object. The output of this block is a new object containing the results of the action performed on each key and each value in the object.
Requires DataExplorer Builder version 1.0.4 or higher
- Map object key
Use the map object key block in the map object or filter object block to reference the key component of the current key/value pair. It has no meaning on its own and should only be used with the map object block or the filter object block.
Requires DataExplorer Builder version 1.0.4 or higher
- Map object value
Use the map object value block in the map object or filter object block to reference the value component of the current key/value pair. It has no meaning on its own and should only be used with the map object block or the filter object block.
Requires DataExplorer Builder version 1.0.4 or higher
- Compare object
Use the compare object block to compare the key/value pairs in two input objects. This block returns a Boolean value of true if the key/value pairs in the two input objects match.
Requires DataExplorer Builder version 1.0.4 or higher

The Registry category contains blocks that are useful for retrieving data from the Windows registry. You can select the following values from the hive drop-down for all of the blocks in the Registry category:
- LocalMachine
- ClassesRoot
- Users
For the blocks in the Registry category, use care when selecting x32 or x64 from the view drop-down, as some registry keys are redirected on x64 platforms, such as the registry keys in HKEY_LOCAL_MACHINE\SOFTWARE.
The following blocks are available in the Registry category:
- Registry value
Use the registry value block to query a registry value for the registry hive using the input registry path and name. This block returns the value as the block output or null if the value isn't found.
This block is initially configured with a string block used as the input for the path and a string block used as the input for the name.
- Registry exists
Use the registry exists block to return a Boolean value indicating whether the registry key or value specified in name exists at the specified path for the registry hive.
This block is initially configured with a string block used as the input for the path and a string block used as the input for the name.
Requires DataExplorer Builder version 1.0.6 or higher
- Registry keys
Use the registry keys block to retrieve all subkeys for the registry hive using the input registry path. This block returns the subkeys as an array.
This block is initially configured with a string block used as the input for the path.
- Registry values
Use the registry values block to retrieve all the registry values for the registry hive using a specified key in the input registry path. This block returns the registry values as an object containing key/value pairs for all the values.
This block is initially configured with a string block used as the input for the path.

The Scripting category contains blocks that allow system commands or scripts to be evaluated on endpoints.
Due to restrictions imposed by Microsoft, data points that use PowerShell are not supported on devices running Windows 11 SE.
The following blocks are available in the Scripting category:
- Run process advanced
- Use the Run process advanced block to shell out any command, with an associated base64 encoded ZIP payload and arguments, to be run during rule evaluation. Reference files from within the encoded ZIP payload using the %workingpath% replacement string. The output of this block can be one of the following:
- stdout: standard output
- stderr: standard error
- exit: code
- all: an object containing standard output, standard error, and the exit code
- Run powershell script
Use the Run powershell script block to run the specified encoded PowerShell script on a Windows endpoint. PowerShell scripts are run with the Bypass execution policy, so they don't need to be signed before evaluating them on an endpoint.
When you add the Run powershell script block for the first time, the block prompts for a PowerShell script file (.ps1). The block encodes the PowerShell script into your rule in base64. If you didn't select a PowerShell script when you initially added the block or you want to use a different script, see Updating an encoded file.
Pass an argument to the script using an argument input. Arguments are passed literally, so arguments with spaces should be quoted. To use a named argument, use -argumentName value. Use [icon] to increase or decrease the number of argument inputs.
Passing arguments requires DataExplorer Builder version 1.0.7 or higher
The output of this block can be one of the following:
- stdout: standard output
- stderr: standard error
- exit: code
- all: an object containing standard output, standard error, and the exit code
This block is intended to run PowerShell scripts that query data from the endpoint and should not be used for remediation.
- Run command
Use the Run command block to run any arbitrary command with specified arguments on the endpoint. An optional payload can be attached as an additional input. The optional payload should be a base64 encoded zip file containing the payload contents. Use the encoded file block to assist with encoding a payload as input. The output of this block can be one of the following:
- stdout: standard output
- stderr: standard error
- exit: code
- all: an object containing standard output, standard error, and the exit code
This block is intended to run commands that query data from the endpoint and should not be used for remediation.
- Encoded file
Use the encoded file block as a helper block to assist in encoding a zip file from the filesystem for use in the Run command block. By itself, the encoded file block doesn't do anything besides return a string value which is the base64 encoded file.
When you add the encoded file block for the first time, the block prompts for a file. The block encodes the file into your rule in base64. If you didn't select a file when you initially added the block or you want to use a different file, see Updating an encoded file.
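Encoded scripts and ZIP payloads sit in a rule as opaque base64, so a reviewer needs a way to see what a value contains before the rule is deployed. The following is an added example, not code from the product or its documentation: the function names and the sample archive are constructed, and it assumes the value is standard base64 of the original file bytes. It decodes in memory, lists ZIP entries, and returns SHA-256 hashes that can be compared with `Get-FileHash` output for the files that were reviewed.

```powershell
# Added example, not vendor code. Runs on Windows PowerShell 5.1 and PowerShell 7.
Add-Type -AssemblyName System.IO.Compression

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [System.BitConverter]::ToString($sha.ComputeHash($Bytes)) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Get-EncodedPayloadSummary {
    param([Parameter(Mandatory)][string]$Base64)

    $bytes = [System.Convert]::FromBase64String($Base64)   # throws on malformed base64
    # A non-empty ZIP archive starts with the local file header signature "PK" 0x03 0x04.
    $isZip = $bytes.Length -ge 4 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B -and
             $bytes[2] -eq 0x03 -and $bytes[3] -eq 0x04
    if (-not $isZip) {
        # A single encoded file such as a .ps1: report its size and hash.
        return [pscustomobject]@{ Kind = 'File'; Name = $null; Length = $bytes.Length
                                  Sha256 = Get-Sha256Hex -Bytes $bytes }
    }
    $stream = [System.IO.MemoryStream]::new($bytes)
    $zip = [System.IO.Compression.ZipArchive]::new($stream, [System.IO.Compression.ZipArchiveMode]::Read)
    try {
        foreach ($entry in $zip.Entries) {
            # Hash each entry in memory; nothing is written to disk or executed.
            $buffer = [System.IO.MemoryStream]::new()
            $reader = $entry.Open()
            try { $reader.CopyTo($buffer) } finally { $reader.Dispose() }
            [pscustomobject]@{ Kind = 'ZipEntry'; Name = $entry.FullName; Length = $entry.Length
                               Sha256 = Get-Sha256Hex -Bytes ($buffer.ToArray()) }
        }
    }
    finally { $zip.Dispose(); $stream.Dispose() }
}

# Constructed sample: build a one-file ZIP in memory and base64-encode it.
$ms  = [System.IO.MemoryStream]::new()
$out = [System.IO.Compression.ZipArchive]::new($ms, [System.IO.Compression.ZipArchiveMode]::Create, $true)
$w   = [System.IO.StreamWriter]::new($out.CreateEntry('query.ps1').Open())
$w.Write('Get-Date'); $w.Dispose(); $out.Dispose()
$sample = [System.Convert]::ToBase64String($ms.ToArray())

Get-EncodedPayloadSummary -Base64 $sample | Format-Table -AutoSize
```

An entry name or hash that does not match a reviewed file is the signal to stop and inspect the rule before it reaches the Custom Data policy.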

The String category contains blocks that are functions that can be used to manipulate or format strings.
The following blocks are available in the String category:
- Unescape string
Use the unescape string block to remove JSON escape characters from an input string. Since all rules are saved in JSON, adding special characters when using DataExplorer Builder automatically inserts escape characters so that a valid JSON file can be exported. This can sometimes result in strings that are incorrect when passed to scripting nodes. This block can be used to remove the resulting escape characters at runtime so special characters can be interpreted.
Requires DataExplorer Builder version 1.0.4 or higher
- Escape string
Use the escape string block to apply JSON escaping to an input string in the same way that special characters are escaped when exporting rules to JSON from DataExplorer Builder. Some external calls, such as scripting blocks, return strings that have special characters that can be difficult to deal with in JSON format. This block applies JSON escaping to these input strings.
Requires DataExplorer Builder version 1.0.4 or higher
- Test if
- Use the test if block to test if the string specified in the first input is a substring of the string specified in the second input. The result is a Boolean value of true or false.
- Test if starts with
Use the test if starts with block to test if the string specified in the first input starts with the string specified in the second input. The result is a Boolean value of true or false. Select comparing from the drop-down if case should be considered in the comparison. Select ignoring if case shouldn't be considered in the comparison.
Requires DataExplorer Builder version 1.0.5 or higher
- Test if ends with
Use the test if ends with block to test if the string specified in the first input ends with the string specified in the second input. The result is a Boolean value of true or false. Select comparing from the drop-down if case should be considered in the comparison. Select ignoring if case shouldn't be considered in the comparison.
Requires DataExplorer Builder version 1.0.5 or higher
- Starting from
- Use the starting from block to return the index of the substring given in the return index of input within the string given in the from input. Select beginning from the drop-down to get the first index of the string. Select end from the drop-down to get the last index. The value returned is a numeric value containing the index, or -1 if the string in return index of isn't in the from input.
- Concatenate strings
Use the concatenate strings block to concatenate a sequence of strings together into a single string result.
The number of inputs to concatenate in the sequence can be increased or decreased.
- Get substring of
- Use the get substring of block to retrieve a substring from the get substring of input starting at a specified index. Optionally, you can specify the length of the substring to limit the length of the returned string. The value returned is the substring, if found, or null if the index is invalid.
- Replace in string
- Use the replace in string block to replace all instances of the old value input with the new value input in the replace in string input. The value returned is the replace in string input string with all instances of the old value replaced.
- Split string
- Use the split string block to split the split string input using the specified at separator input string. The value returned is an array of strings.
- Join array
- Use the join array block to join the input array together, using the specified separator between each string. The value returned is a string.
- User sid
- Use the user sid block to return the Security ID (SID) for the specified domain and username.
Requires DataExplorer Builder version 1.0.5 or higher
- Trim string
Use the trim string block to remove one of the following:
- one leading character specified in the front input string
- one trailing character specified in the back input string
- one leading character specified in the front input string and one trailing character specified in the back input string.
Typically, you would use this block to remove whitespace or newline characters that might be present in a string that is returned from a script or a registry.
- Set string case
- Use the set string case block to set the input to all uppercase or all lowercase, depending on the value you select in the drop-down. This block can be useful when doing string comparisons and the case of the string isn't necessarily consistent across endpoints.
- Regular expression match
- Use the regular expression match block to perform a regular expression match on the input string input using the match pattern input. The block returns a Boolean response of true if there is a match and false if there isn't. The regular expression pattern syntax is based on .NET regular expression syntax.
- Format time
- Use the format time block to format the date/time value in the time input, given in Unix time with milliseconds (such as the output of the current time block), to a string value using the specified format string input. Select UTC from the drop-down if the time input is in UTC, or select local from the drop-down if the time input is in local time. The format string input should use a format supported by .NET Standard date and time format strings.
- Parse date string
- Use the parse date string block to parse a string containing a date/time value and return the numeric value of the Unix timestamp with milliseconds. This block supports date/time strings formatted using .NET Standard date and time format strings and WMI date/time strings.
- Some date/time formats aren't valid for parsing. You may need to manipulate the date string before you use it as the date string input.
- Get environment string
Use the get environment string block to return environment strings from the platform that the rule is evaluated on. If there is no environment string value specified as input, this block returns an output object containing all environment strings for the runtime environment. Environment strings often contain useful common paths that can be appended for file functionality.
Some environment variables are related to the currently logged in user. When you evaluate a rule that uses an environment variable that needs a user to be logged in, you see the result in DataExplorer Builder. However, when the data point is added to the Custom Data policy, it may be run on an endpoint with no user logged in. This means the key/value pair returned from the endpoints might not be the same as the key/value pair obtained through DataExplorer. You should include logic to handle this type of variable.
- Get local string for lcid
The get local string for lcid block returns the human-readable locale string for an input locale ID (LCID).
Requires DataExplorer Builder version 1.0.4 or higher
- Retrieve hash for string
The Retrieve hash for string block returns the hash for the string specified in the input. Select MD5, SHA1, or SHA256 from the drop-down to specify the type of hash to retrieve.
Requires DataExplorer Builder version 1.0.12 or higher
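To check what value a date string should produce before wiring it into the parse date string block, the conversion can be reproduced on a test endpoint. The following is an added example, not the block's implementation: the function name and sample strings are constructed, and it assumes the WMI (DMTF) layout of `yyyyMMddHHmmss.ffffff` followed by a signed UTC offset in minutes.

```powershell
# Added example, not the block's implementation.
function ConvertTo-UnixMilliseconds {
    param(
        [Parameter(Mandatory)][string]$DateString,
        [string]$Format    # optional .NET format string, e.g. 'yyyy-MM-ddTHH:mm:ssK'
    )
    $inv = [System.Globalization.CultureInfo]::InvariantCulture

    # WMI (DMTF) form: yyyyMMddHHmmss.ffffff plus a signed UTC offset in minutes.
    # Values containing '*' wildcards do not match and end at the error below.
    if ($DateString -match '^(\d{14}\.\d{6})([+-])(\d{3})$') {
        $wall   = [datetime]::ParseExact($Matches[1], 'yyyyMMddHHmmss.ffffff', $inv)
        $offset = [int]$Matches[3]
        if ($Matches[2] -eq '-') { $offset = -$offset }
        $dto = [System.DateTimeOffset]::new($wall, [timespan]::FromMinutes($offset))
        return $dto.ToUnixTimeMilliseconds()
    }

    # Otherwise parse as a .NET date string; a value without an offset is treated as UTC.
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal
    $parsed = [System.DateTimeOffset]::MinValue
    if ($Format) {
        $ok = [System.DateTimeOffset]::TryParseExact($DateString, $Format, $inv, $styles, [ref]$parsed)
    } else {
        $ok = [System.DateTimeOffset]::TryParse($DateString, $inv, $styles, [ref]$parsed)
    }
    if (-not $ok) { throw "Unparseable date string: '$DateString'" }
    return $parsed.ToUnixTimeMilliseconds()
}

# Constructed sample values.
ConvertTo-UnixMilliseconds '20240115093000.000000+060'     # WMI string, local time at UTC+1
ConvertTo-UnixMilliseconds '2024-01-15T08:30:00Z' -Format 'yyyy-MM-ddTHH:mm:ssK'

# A WMI value with wildcard fields is one of the formats that cannot be parsed as-is.
try { ConvertTo-UnixMilliseconds '20240115******.******+***' }
catch { "Rejected: $($_.Exception.Message)" }
```

The first two calls describe the same instant, so they return the same number; a rule that compares timestamps from WMI and from script output depends on that.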

The WMI category contains functions for querying data from Windows Management Instrumentation (WMI) on Windows endpoints.
The following blocks are available in the WMI category:
- Simple WMI query
Use the Simple WMI query block as a simplified interface for querying a WMI list of well-known classes and properties. It can sometimes be difficult knowing which classes exist and what properties are there for each class. This block presents a drop-down list of classes and uses a Typed property block that only lists the properties for the selected class. When you select a class from the drop-down, this block returns an array if the class is multi-instance, or an object if the class is single-instance.
This block is initially configured with a Typed property block. You can add additional Typed property blocks to the Simple WMI query block by dragging them into the C-shaped opening.
- Typed property
- Use the Typed property block with the Simple WMI query block to select properties for the selected WMI class. The values in the Typed property block drop-down change based on the class selected in the FROM ROOT\CIMV2 drop-down of the connected Simple WMI query block. The default for this block is to return all properties.
- WMI query
Use the WMI query block for classes that the Simple WMI query block doesn't provide and for namespaces that are custom to certain environments. The WMI query block performs the same kind of WMI query but allows you to explicitly specify the WMI namespace, class, and property inputs. Use the drop-down to specify whether the query should return the results as an array (all instances) or an object (first instance). If you choose to return an object for a multi-instance WMI class, the WMI query block returns the first instance.
This block is initially configured with a string block in the namespace input, a string block in the class input, and a string block in the SELECT input. The default values are added as guides to help you configure this block.
The number of SELECT inputs can be increased or decreased.
- Get WMI property
The other WMI query blocks return the data as either an array or an object. To access specific fields in those responses, you have to use the get value block and specify an array index, a key, or both in the WMI results. There are times when you want to simply query for a single value from WMI and not add this complexity to your rule. Use the Get WMI property block to query for a single property from a WMI class and return the value as the result, instead of an array or object. The return type depends on the property that is queried.
This block is initially configured with a string block in the WMI property input, a string block in the namespace input, and a string block in the class input. The default values are added as guides to help you configure this block.
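The three result shapes described in this category (array of all instances, first instance as an object, single property value) can be checked on a test endpoint before a rule is built. The following is an added example, not product code: `Get-WmiResultShape` and its parameters are hypothetical names, and it uses `Get-CimInstance` as a stand-in for the blocks' own query mechanism.

```powershell
# Added example, not product code. Run on a Windows endpoint.
function Get-WmiResultShape {
    param(
        [string]$Namespace = 'ROOT\CIMV2',
        [Parameter(Mandatory)][string]$Class,
        [string[]]$Select = @('*'),
        [ValidateSet('Array', 'Object', 'Property')][string]$Return = 'Array'
    )
    if ($Return -eq 'Property' -and ($Select.Count -ne 1 -or $Select[0] -eq '*')) {
        throw 'Property mode needs exactly one property name in -Select.'
    }
    # Validate names instead of concatenating arbitrary text into the WQL string.
    foreach ($name in @($Class) + $Select) {
        if ($name -notmatch '^(\*|[A-Za-z_][A-Za-z0-9_]*)$') {
            throw "Invalid WMI identifier: $name"
        }
    }
    $query = 'SELECT {0} FROM {1}' -f ($Select -join ', '), $Class
    $instances = @(Get-CimInstance -Namespace $Namespace -Query $query -ErrorAction Stop)

    switch ($Return) {
        # All instances, kept as an array even when there is only one.
        'Array'    { return ,$instances }
        # First instance only; any further instances are dropped.
        'Object'   { return $instances | Select-Object -First 1 }
        # One property of the first instance, as a scalar value.
        'Property' { return ($instances | Select-Object -First 1).($Select[0]) }
    }
}

# Multi-instance class returned as an array: one element per logical disk.
(Get-WmiResultShape -Class Win32_LogicalDisk -Select DeviceID, FreeSpace).Count

# The same class returned as an object: only the first disk is reported.
Get-WmiResultShape -Class Win32_LogicalDisk -Select DeviceID, FreeSpace -Return Object

# A single value, which maps directly onto a scalar data item.
Get-WmiResultShape -Class Win32_OperatingSystem -Select Caption -Return Property
```

Choosing the object shape for a multi-instance class hides every instance after the first, which matters when the data item is meant to report on all disks, adapters, or accounts.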