Appearance
JavaScript API
Complete function reference for reaction code.
Global Variables
Available in every reaction:
kind(string) - Detection event typename(string) - Detection recipe nameuuid(string) - Event unique identifierdata(object) - Complete event details (JSON)
Logging Functions
Info(message)
Logs informational message.
javascript
Info("Reaction executed successfully");Warn(message)
Logs warning message.
javascript
Warn("Suspicious activity detected");Error(message)
Logs error message.
javascript
Error("Failed to block malicious IP");Network Policy Functions
WARNING
Requires netpolicy feature enabled.
NetBlockIp([ipAddress])
Blocks network traffic to/from IP addresses.
Parameters:
ipAddress(optional) - Specific IP to block. If omitted, blocks all remote IPs from event.
Returns:
0- Success1- Already blocked-1- Error (useErrno())
javascript
NetBlockIp("192.168.1.100"); // Block specific IP
NetBlockIp(); // Block all from eventNetUnblockIp(ipAddress)
Unblocks IP address.
Returns: 0 (success), 1 (already unblocked), -1 (error)
javascript
NetUnblockIp("192.168.1.100");NetBlockIpTimer(ipAddress, durationSeconds)
Blocks IP for specific duration.
javascript
NetBlockIpTimer("192.168.1.100", 30); // Block for 30 secondsNetBlockDomain([domain])
Blocks network traffic to domains.
Parameters:
domain(optional) - Specific domain. If omitted, blocks all from event.
javascript
NetBlockDomain("malicious-site.com");
NetBlockDomain(); // Block all from eventProcess Management
KillCurrent()
Terminates the current process.
Returns: 0 (success), 1 (already exited), -1 (error)
javascript
let result = KillCurrent();
if (result === 0) {
Info("Process terminated");
}KillParent()
Terminates parent process.
javascript
KillParent();KillProcess(pid)
Terminates specific process by PID.
Safety: Protected against killing system processes (PID < 500).
javascript
KillProcess(1234);File System Functions
ReadFile(path)
Reads file contents.
Returns: File contents (string) or "" on error
javascript
let content = ReadFile("/etc/passwd");
if (content !== "") {
Info("File read: " + content.length + " bytes");
}WriteFile(path, data)
Writes data to file.
Returns: 0 (success) or -1 (error)
Security: Files created with 0600 permissions.
javascript
WriteFile("/tmp/incident.log", "Security incident");Stat(path)
Gets file information.
Returns: Object with size, mode, modTime, isDir or null on error
javascript
let info = Stat("/etc/passwd");
if (info) {
Info("Size: " + info.size);
Info("Modified: " + info.modTime);
}Temporary Directory Functions
CreateTempDir(pattern)
Creates temporary directory.
Parameters:
pattern- Directory pattern (must end with*)
Returns: Directory path or "" on error
Security: Only creates in /tmp directory.
javascript
let tmpDir = CreateTempDir("incident-*");
if (tmpDir !== "") {
WriteFile(tmpDir + "/evidence.json", JSON.stringify(data));
}RemoveDir(path)
Removes directory and contents.
Security: Only removes subdirectories within /tmp.
javascript
RemoveDir("/tmp/old-data");Data Store Functions
Persistent key-value storage across reaction executions. Each reaction has its own namespace.
DataSet(key, value)
Stores key-value pair.
Returns: 0 (success) or error code
javascript
DataSet("incident_count", "5");DataGet(key)
Retrieves value.
Returns: Stored value or "" if not found
javascript
let count = DataGet("incident_count");DataDelete(key)
Removes key-value pair.
javascript
DataDelete("temporary_data");DataPush(key, value)
Adds value to list.
javascript
DataPush("blocked_ips", "192.168.1.100");DataPop(key)
Removes and returns last value from list.
Returns: Popped value or ""
javascript
let lastIp = DataPop("blocked_ips");DataKeys()
Returns all keys.
Returns: JSON array of keys as string
javascript
let keysJson = DataKeys();
let keys = JSON.parse(keysJson);DataValues()
Returns all values.
Returns: JSON array of values as string
javascript
let valuesJson = DataValues();
let values = JSON.parse(valuesJson);DataClear()
Removes all key-value pairs for this reaction.
javascript
DataClear();DataSize()
Returns number of stored key-value pairs.
javascript
let size = DataSize();
Info("Data store contains " + size + " items");DataIsEmpty()
Checks if data store is empty.
Returns: true or false
javascript
if (DataIsEmpty()) {
Info("Data store is empty");
}DataHasKey(key)
Checks if key exists.
Returns: true or false
javascript
if (DataHasKey("incident_count")) {
Info("Count tracked");
}DataHasValue(value)
Checks if value exists.
Returns: true or false
javascript
if (DataHasValue("high_priority")) {
Info("High priority detected");
}Emergency Functions
DANGER
Use with extreme caution. For emergency security situations only.
PowerOff()
Initiates system shutdown.
Returns: 0 (success) or error code
javascript
PowerOff();Panic()
Triggers kernel panic to halt system.
javascript
Panic();Error Handling
Errno()
Returns error information for last failed operation.
Returns: Error message or ""
javascript
let result = NetBlockIp("invalid-ip");
if (result === -1) {
Error("Failed: " + Errno());
}Common Patterns
Error Checking
javascript
function process(data) {
let result = SomeFunction();
if (result === 0) {
Info("Success");
} else if (result === 1) {
Info("No effect (already done)");
} else {
Error("Failed: " + Errno());
return;
}
}Counter Tracking
javascript
let count = parseInt(DataGet("incident_count") || "0") + 1;
DataSet("incident_count", String(count));
DataSet("last_incident", new Date().toISOString());
Info("Incident #" + count);Network Flow Processing
javascript
let ips = [];
if (data?.background?.flows?.protocols) {
for (let protocol of data.background.flows.protocols) {
if (protocol?.pairs) {
for (let pair of protocol.pairs) {
if (pair?.nodes?.remote?.address) {
ips.push(pair.nodes.remote.address);
}
}
}
}
}
for (let ip of ips) {
NetBlockIp(ip);
}Evidence Collection
javascript
let forensicDir = CreateTempDir("evidence-*");
if (forensicDir !== "") {
let evidence = {
timestamp: new Date().toISOString(),
event_uuid: uuid,
process: data.process,
file: data.file
};
let file = forensicDir + "/evidence.json";
WriteFile(file, JSON.stringify(evidence, null, 2));
}