Compare values with operators
This section covers the use of operators when creating filters in SEM.
Operators in a single condition
When choosing an operator for a single condition, use the following guidelines:
- When comparing two numeric values, the full range of mathematical operators (equal, not equal, greater than, less than, and so on) is available.
- An IP address is treated as a string (text) value, so its operators are limited to equal and not equal; there is no greater than or less than for addresses. To match a set of addresses, put them in a User-Defined Group and use the is in operator instead.
- DateTime fields have a default value of > Time Now, which means greater than the current date and time.
The following table describes each operator and how it should be interpreted when used as a filter condition.
The value a field is compared against does not have to be a constant; it can be another event variable, such as a second event field. For example, to evaluate whether an event's source is the same machine as its destination, compare the two event fields: SourceMachine = DestinationMachine.
Operator | Description |
---|---|
Exists / Not exist | Use these operators to specify whether a particular event or Event Group exists. Read conditions with these operators as follows: this [event/Event Group] must [exist/not exist]. Not exist is only used in rules. |
is in / is not in | Use these operators when comparing an event field with a group (an Event Group, a User-Defined Group, etc.). The condition matches according to whether the field's value is contained in the selected Group. Read conditions with these operators as follows: this [field] must [be in/not be in] this [Group]. |
Equals / Does not equal | Read conditions with these operators as follows: this [field] must [equal/not equal] this [value]. Text comparisons (for IP addresses, host names, etc.) are limited to the equal and not equal operators. |
Greater than / Greater than OR equal to / Less than / Less than OR equal to | Read conditions with these operators as follows: this [field] must be [greater than/greater than or equal to/less than/less than or equal to] this [value]. These operators apply to numeric and DateTime fields, not to text. |
AND / OR | Conditions and groups of conditions are joined by AND or OR. If you click an AND operator, it changes to an OR, and vice versa. |
AND and OR Operators linking multiple conditions in a filter
Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR conditions. By default, new groups, conditions, and correlations appear with an AND condition. Both AND and OR conditions can surround nested groups, and they can be used between groups on the same level to create complex filter conditions or rule correlations.
Example | Description |
---|---|
If x AND y AND z occur, report the event. | If all of the conditions apply, report the event. |
If x OR y OR z occurs, report the event. | If any one of the conditions applies, report the event. |
If (x AND y) OR z occurs, report the event. | If conditions x and y both occur, or if condition z occurs, report the event. |
If (a AND b) OR (x AND y) OR z occurs, report the event. | In this case, you would create three groups, two nested within the third: an AND group holding a and b, and an AND group holding x and y, both placed inside an OR group that also holds z. |
Condition1 AND Condition2 AND Condition3 OR Condition4 AND Condition5 | In this example, the filter reports the event when it meets Condition1 and Condition2 and Condition3, or Condition1 and Condition4 and Condition5. Written with explicit grouping, that is Condition1 AND ((Condition2 AND Condition3) OR (Condition4 AND Condition5)): Condition1 sits at the top level and the other four conditions form a nested group. Read without that nesting, as (Condition1 AND Condition2 AND Condition3) OR (Condition4 AND Condition5), the same five conditions match whenever Condition4 and Condition5 hold, regardless of Condition1. Verify the group boundaries in the filter builder rather than relying on the linear text, because the two readings report different events. |
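The following Python is an added example written for this page; it is not SolarWinds SEM code and calls no SEM API. It models the operator table above (equality, ordering, is in against a User-Defined Group, DateTime compared against the current time) and the AND/OR grouping rules from this section, and evaluates both readings of the last table row against a few constructed events to show that they report different events. The field names, the group name "Corporate Admin Hosts" and the events are constructed for illustration.

```python
"""Toy evaluator for SEM-style filter conditions and AND/OR groups.

Added example for this page; not SolarWinds SEM code. Field names, the
User-Defined Group and the events are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import ipaddress
import operator

# Mathematical operators from the table: valid for numeric/DateTime fields only.
ORDERING_OPS = {">": operator.gt, ">=": operator.ge,
                "<": operator.lt, "<=": operator.le}
EQUALITY_OPS = {"=": operator.eq, "!=": operator.ne}

# Constructed User-Defined Group, the target of "is in" / "is not in".
USER_GROUPS = {"Corporate Admin Hosts": {"10.0.0.5", "10.0.0.50"}}


class Condition:
    """One condition: <field> <operator> <value or Group name>."""

    def __init__(self, field, op, value):
        self.field, self.op, self.value = field, op, value

    def matches(self, event):
        actual = event.get(self.field)
        if actual is None:          # a missing field never matches
            return False
        if self.op in ("is in", "is not in"):
            member = actual in USER_GROUPS[self.value]
            return member if self.op == "is in" else not member
        if self.op in EQUALITY_OPS:
            return EQUALITY_OPS[self.op](actual, self.value)
        if self.op in ORDERING_OPS:
            # IP addresses and host names are text: refuse an ordering rather
            # than silently comparing the strings character by character.
            if isinstance(actual, str) or isinstance(self.value, str):
                raise TypeError(f"{self.op!r} is not valid for text field {self.field}")
            return ORDERING_OPS[self.op](actual, self.value)
        raise ValueError(f"unknown operator {self.op!r}")


class Group:
    """A filter group: children (Conditions or Groups) joined by one AND or OR."""

    def __init__(self, logic, children):
        assert logic in ("AND", "OR")
        self.logic, self.children = logic, children

    def matches(self, event):
        combine = all if self.logic == "AND" else any
        return combine(child.matches(event) for child in self.children)


def lexical_ip_trap(a, b):
    """Why '>' is withheld for IPs: string order differs from address order."""
    return (a > b, ipaddress.ip_address(a) > ipaddress.ip_address(b))


def text_ordering_rejected(field, value, event):
    """True if the evaluator refuses a mathematical operator on a text field."""
    try:
        Condition(field, ">", value).matches(event)
    except TypeError:
        return True
    return False


def detected_in_future(minutes_ahead):
    """DateTime fields order like numbers, as in DetectionTime > Time Now."""
    now = datetime.now(timezone.utc)
    return Condition("DetectionTime", ">", now).matches(
        {"DetectionTime": now + timedelta(minutes=minutes_ahead)})


# Five conditions as they might appear in the filter builder (constructed).
C1 = Condition("EventType", "=", "UserLogon")
C2 = Condition("SourceMachine", "is in", "Corporate Admin Hosts")
C3 = Condition("LogonType", "=", 10)
C4 = Condition("FailureCount", ">", 5)
C5 = Condition("DestinationMachine", "=", "dc01")

# (C1 AND C2 AND C3) OR (C4 AND C5): two AND groups nested inside an OR group.
FLAT = Group("OR", [Group("AND", [C1, C2, C3]), Group("AND", [C4, C5])])

# C1 AND ((C2 AND C3) OR (C4 AND C5)): C1 at top level, the rest nested.
NESTED = Group("AND", [C1, Group("OR", [Group("AND", [C2, C3]),
                                        Group("AND", [C4, C5])])])

# Constructed events: an admin logon, a failed burst against dc01, a plain logon.
EVENTS = [
    {"EventType": "UserLogon", "SourceMachine": "10.0.0.5", "LogonType": 10,
     "FailureCount": 0, "DestinationMachine": "fs01"},
    {"EventType": "UserLogonFailure", "SourceMachine": "203.0.113.7",
     "LogonType": 3, "FailureCount": 12, "DestinationMachine": "dc01"},
    {"EventType": "UserLogon", "SourceMachine": "203.0.113.7", "LogonType": 3,
     "FailureCount": 0, "DestinationMachine": "fs01"},
]


def evaluate(filter_group, events=EVENTS):
    """Return one match result per event."""
    return [filter_group.matches(e) for e in events]


if __name__ == "__main__":
    print("string vs address order:", lexical_ip_trap("10.0.0.9", "10.0.0.10"))
    print("flat reading  :", evaluate(FLAT))
    print("nested reading:", evaluate(NESTED))
```

The second constructed event (a burst of failures against dc01 from a non-admin host) is reported under the flat reading but not under the nested one, which is exactly the gap a mis-grouped filter opens. The lexical_ip_trap call shows why the page limits IP addresses to equal and not equal: as strings, "10.0.0.9" sorts after "10.0.0.10" even though the address is numerically smaller.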