Logical Operators
This topic describes the logical operators you can use in condition statements. Certain operators do not appear in circumstances where they are not applicable.
The insubnet operator uses a range of IP addresses. Use the following guidelines to input IP address ranges in a single string.
Caution: If you are defining conditions for IP address ranges in filters, queries, and rules, do not mix IPv4 and IPv6 addresses within the same IP address range.
|
Two-address range |
A two-address range is in the format IPv4 range: IPv6 range: |
|
CIDR notation (see RFC 4632) |
The CIDR notation is in the format IPv4 range: IPv6 range: |
|
Wildcard expressions |
Fields on the right end of an address may be replaced with an asterisk, with no numeric data to the right of the first asterisk. The wildcard represents the range of all values for the field, from all-zero bits to all-one bits. This format is more restrictive than the two-address range format in where the range starts and ends. IPv4 range: IPv6 range: |
|
Logical Operator |
Description |
|---|---|
|
= |
Equals Use this operator when the entire string is known, such as for an event Name or User name. |
|
!= |
Not equals Use this operator to exclude one or more known values, such as events involving a specific network domain or user. |
|
< |
Less than |
|
<= |
Less than or equal to |
|
>= |
Greater than or equal to |
|
> |
Greater than |
|
Between |
Between a range of comma-separated, comparable field types; for example, numeric types, date, date and time, IP address, or MAC address types. The minimum value for the range must appear first in the expression before the maximum. For example, to match a value of 20, use If your field type is IP address, the IP addresses must be of the same family: IPv4 or IPv6 addresses. |
|
BitAnd |
Equals, for bitmap fields |
|
Contains |
Contains the specified substring Use this operator to exclude a large set of events, such as all events whose name contains "virus." Use this operator with caution as it is relatively slow to evaluate and prone to matching more events than you intended. |
|
ContainsBits
|
Returns true or false. The ContainsBits operator applies to event fields that are bit vector data types, that is, fields that combine a set of independent Boolean flags. The right side value is a list of applicable named flags. The operator evaluates to True if the value of the selected flag is set for the event. For example, Event Annotation Flags ContainsBits “correlated;inCase” returns true if both of the annotation flags |
|
ContainsList |
Compares one list to another to see if the second list is a subset of the first. For example, (a, b, c) ContainsList (a, b). |
|
ContainsValue |
Returns true of false Use this operator where the left-hand-side operand is a list of some data type, and the right-hand side operand is a single value (field or literal) of the same data type. For example, a variable
This condition returns true or false depending on whether TargetAddress value is contained in IPList.
This condition returns true because the right-hand side value is contained in IPList.
This condition returns false because the right-hand side value is not contained in IPList. You can use |
|
EndsWith |
Ends with specified substring. Use this operator for domain names. For example, you might want to match events involving the .mil domain. |
|
EqualsList |
Compares one list to another (for example, active list, session list). If the two lists have the same entries, the statement evaluates to For example, (a, b, c) EqualsList (a, b, c). |
|
In |
Standard SQL operator for membership test You can use a comma-separated list for the right operand. For IP addresses, the left and right operands can be mixed-family addresses. |
|
InActiveList |
Event appears in the specified active list.
Note: The InActiveList operator only evaluates single-value attributes, and treats multi-value attributes, such as Actor Account ID and Role, as single-value attributes. |
|
InGroup |
Tests for membership in a specified category. |
|
InList |
Determines whether a given item is in a list and, if so, evaluates to |
|
InSubnet |
For IP addresses in the specified subnet Caution: The IP addresses must be in the same family, for example, pure IPv4 or pure IPv6 addresses only. IPv4-compatible and IPv4-mapped IPv6 addresses are processed as IPv4 addresses. See examples of IP address ranges here. |
|
Is |
Tests Use this operator to test whether or not a value has been supplied. You would use this in rules to tell the difference between a string that does not match versus a string that was not supplied. For example, you could use this to find all events that were missing their event names. |
|
IntersectsList |
Compares one list to another. If the two lists have one or more entry in common, the statement evaluates to
|
|
Like |
Standard SQL operator for simple pattern matching for string type: "_" wildcard for single character; "%" wildcard for multiple characters |
|
Matches |
For extended regular expression pattern-matching for string types using Perl 5 syntax Supports regular expressions (regex). Note that Matches is used in rules only. |
|
On |
Event occurs on this date |
|
StartsWith |
Starts with specified substring Use this operator for testing URIs such as event categories or resource locations (for example, Customer or Connector locations in their respective Navigator trees), or to test the root of a hostname (for example, if your web servers are named WebServer1, WebServer2, and so forth, you could use "hostname startsWith WebServer"). |