Documentation for Security Event Manager

Compare values with operators

This section covers the use of operators when creating filters in SEM.

Operators in a single condition

When using operators in a single condition, follow these guidelines:

  • When comparing two numeric values, the full range of mathematical operators is available.
  • An IP address is treated as a string (text) value. Therefore, operators are limited to equal and not equal.
  • DateTime fields have a default value of > Time Now, which means greater than the current date and time.

The following table describes each operator and how it should be interpreted when used as a filter condition.

A list item (indicated with an * in the following table) can be another event variable, such as an event field. For example, to evaluate if an event's source is equal to a certain destination, compare two event fields, such as SourceMachine = DestinationMachine.

Operator: Exists / Not exist
Description: Use these operators to specify whether a particular event or Event Group exists. Read conditions with these operators as follows: This [event/Event Group] must [exist/not exist]. Not exist is only used in rules.

Operator: is in / is not in
Description: Use these operators when comparing event fields with groups (such as Event Groups, User-Defined Groups, etc.). They determine the filter's behavior based on whether or not the field is contained in a specific Group.
Read conditions with these operators as follows:
  • This [event field] must be in this [Group].
  • This [event field] must not be in this [Group].

Operator: Equals / Does not equal
Description: Read conditions with these operators as follows:
  • This [event variable] must equal this [list item*].
  • This [event variable] must not equal this [list item*].
Text comparisons (for IP addresses, host names, etc.) are limited to the equal and not equal operators.

Operator: Greater than / Greater than OR equal to / Less than / Less than OR equal to
Description: Read conditions with these operators as follows:
  • This [event variable] must be greater than this [list item*].
  • This [event variable] must be greater than or equal to this [list item*].
  • This [event variable] must be less than this [list item*].
  • This [event variable] must be less than or equal to this [list item*].

Operator: AND / OR
Description: Conditions and groups of conditions are subject to AND and OR comparisons.
  • The AND symbol means two or more conditions (or groups) must occur together for the filter to apply. This is the default comparison for new groups.
  • The OR symbol means any one of several conditions (or groups) may occur for the filter to apply. When comparing groups of distinct events, you must use the OR symbol.
If you click an AND operator, it changes to an OR, and vice versa.

AND and OR Operators linking multiple conditions in a filter

Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions. By default, new groups, conditions, and correlations appear with an AND condition. Both AND and OR conditions can surround nested groups, and they can be used between groups on the same level to create complex filter conditions or rule correlations.

Example: If x AND y AND z occur, report the event.
Description: If all the conditions apply, report the event.

Example: If x OR y OR z occurs, report the event.
Description: If any of the conditions apply, report the event.

Example: If (x AND y) OR z occurs, report the event.
Description: If conditions x and y occur, or if condition z occurs, report the event.

Example: If (a AND b) OR (x AND y) OR (z) occurs, report the event.
Description: In this case, you would create three groups, two nested within the third:
  • The nested groups are configured as (a AND b) and (x AND y), joined with an OR.
  • The outer group is configured as (z), surrounding the nested groups with an OR.

Example:
  Condition1 AND
    Condition2 AND Condition3 OR
    Condition4 AND Condition5
Description: In this example, the filter reports the event when it meets the following conditions: Condition1 and Condition2 and Condition3, or Condition1 and Condition4 and Condition5.
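The following Python model is an added example, not SEM code, that evaluates the operator rules from the table above (full comparisons for numeric and DateTime fields, equal/not equal only for text such as IP addresses, group membership, field-to-field comparison) and the nested AND/OR grouping of the last example. Field names other than SourceMachine and DestinationMachine, the User-Defined Group and the sample event are constructed.

```python
from datetime import datetime          # DateTime fields compare like numbers
import operator

# Numeric (and DateTime) fields get the full operator set; text fields,
# which is how SEM treats IP addresses, only get equal / not equal.
NUMERIC_OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
               ">=": operator.ge, "<": operator.lt, "<=": operator.le}
TEXT_OPS = {"=": operator.eq, "!=": operator.ne}

def condition(field, op, value=None):
    """One filter condition. `value` is a literal, a group (set), or
    ("field", name) to compare against another event field."""
    def check(event):
        if op in ("exists", "not exist"):
            return (field in event) == (op == "exists")
        left = event.get(field)
        if op in ("is in", "is not in"):          # group membership
            return (left in value) == (op == "is in")
        right = event.get(value[1]) if isinstance(value, tuple) else value
        ops = NUMERIC_OPS if isinstance(left, (int, float, datetime)) else TEXT_OPS
        if op not in ops:
            raise ValueError(f"{op!r} is not allowed for non-numeric field {field!r}")
        return ops[op](left, right)
    return check

def group(join, *members):
    """AND/OR group over conditions or nested groups (SEM's default is AND)."""
    combine = all if join == "AND" else any
    return lambda event: combine(m(event) for m in members)

# The page's last example, with the nesting made explicit:
# Condition1 AND ((Condition2 AND Condition3) OR (Condition4 AND Condition5)).
ADMIN_GROUP = {"admin", "svc_backup"}             # constructed User-Defined Group
FILTER = group("AND",
    condition("EventInfo", "exists"),                                     # Condition1
    group("OR",
        group("AND", condition("SourceAccount", "is in", ADMIN_GROUP),    # Condition2
                     condition("FailedAttempts", ">=", 5)),               # Condition3
        group("AND", condition("SourceMachine", "=", ("field", "DestinationMachine")),  # Condition4
                     condition("DetectionIP", "!=", "10.0.0.1"))))        # Condition5

def matches(event):
    return FILTER(event)

if __name__ == "__main__":
    # constructed sample event: matches via Condition1 AND Condition2 AND Condition3
    event = {"EventInfo": "logon failure", "SourceAccount": "admin", "FailedAttempts": 7,
             "SourceMachine": "host-a", "DestinationMachine": "host-b", "DetectionIP": "10.0.0.1"}
    print(matches(event))  # True
```

Trying a greater-than comparison on the IP field raises ValueError, mirroring the restriction that text comparisons only allow equal and not equal.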