| Operator | Meaning | Example |
|---|---|---|
| == | Equals: Compares the field to the specified value. | plugin_device == 'GuardDuty' |
| ==* | Equals, case insensitive: Compares the field to the specified value, ignoring case. | event_activity ==* 'Executable download' |
| >> | Assign or equal: For use with variables. Assigns the field's value to the variable if the variable is empty; if the variable is already populated it behaves like ==. | source_canonical >> [source] |
| >>* | Assign or equal, case insensitive: For use with variables. Assigns the field's value to the variable if the variable is empty; if the variable is already populated it behaves like ==*. | source_username >>* [username] |
| > | Greater than. | user_id > 500 |
| < | Less than. | user_id < 505 |
| in | List contains: Returns true if the list contains the value. Performs a == comparison against every value in the list and returns true on the first match. | event_subcategory in ('Microsoft-Windows-MountMgr', 'MountMgr') |
| in* | List contains, case insensitive: Returns true if the list contains the value. Performs a ==* comparison against every value in the list and returns true on the first match. | event_name in* ('Update route in route table', 'Update route table for VPC') |
| ~ | Match: Takes a regular expression delimited by '/' as the argument. | hostname ~ /.*.eng/ |
| ~* | Match, case insensitive: Takes a regular expression delimited by '/' as the argument, ignoring case. | (source_process_commandline ~* /[a-z0-9]{15,45}\.[a-z0-9]{1,15}\.[a-z0-9]{1,4}/ ) |
| ==> | Checks the value against a list filled with the values of previous events. The condition is satisfied if the value is not already included in the list. | source_country ==> \|countries\| |
| \|\| | Or: Chains two comparisons; returns true if either comparison evaluates to true. | ((device_direction == 'outbound') \|\| (event_activity == 'C&C Response' and device_direction == 'inbound')) |
| && | And: Chains two comparisons; returns true only if both comparisons evaluate to true. | rep_device_rule_id == '15457' && source_username >>* [username] |
| ! | Not: Negates the return value of the expression directly following it (so != is "not equal"). | source_country != '' |
| or | Or: Alternative to \|\|. | (source_process_commandline contains* ' aaaa' OR source_process_commandline contains* '=aaaa') |
| and | And: Alternative to &&. | event_subcategory == 'Microsoft-Windows-Sysmon' AND rep_device_rule_id == '1' |
| !-> | Not in list: Checks that a value is not contained in a correlation list. | source_name !-> [[SAFE_NAMES]] |
| !->* | Not in list, case insensitive: Checks that a value is not contained in a correlation list, ignoring case. | source_name !->* [[SAFE_NAMES]] |
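To make the semantics in the table concrete, particularly how the assign-or-equal operators (`>>`, `>>*`) bind a variable on the first event and then behave like `==`/`==*` on later events, here is a small Python evaluator for a subset of these operators. This is an added example written for this page, not the product's own rule engine: the `evaluate` and `match_sequence` functions, the `SYSMON_RULE` condition list, and the events in `SAMPLE_EVENTS` are all assumptions and constructed sample data; `==>` and `contains*` are not implemented, and the regex below uses an escaped dot where the table's example does not.

```python
import re

# Added example: a minimal evaluator for a subset of the operators in the table.
# Not the product's rule engine; field names and values are constructed.


def _norm(value, case_insensitive):
    """Lower-case strings when the operator's '*' (case-insensitive) form is used."""
    return value.lower() if case_insensitive and isinstance(value, str) else value


def evaluate(op, field_value, operand, variables=None):
    """Apply one operator from the table.

    op          - operator text, e.g. "==", "==*", ">>*", "in", "~*", "!->"
    field_value - value taken from the event
    operand     - right-hand side: literal, list, regex pattern, or variable name
    variables   - dict of [variable] values shared across events (for >> / >>*)
    """
    if variables is None:
        variables = {}
    ci = op.endswith("*")          # trailing '*' means case insensitive
    base = op.rstrip("*")
    if base == "==":
        return _norm(field_value, ci) == _norm(operand, ci)
    if base == "!=":               # '!' negating an equality
        return _norm(field_value, ci) != _norm(operand, ci)
    if base == ">":
        return field_value > operand
    if base == "<":
        return field_value < operand
    if base == "in":               # == / ==* against each list element, first match wins
        return any(_norm(field_value, ci) == _norm(v, ci) for v in operand)
    if base == "~":                # regular-expression match
        flags = re.IGNORECASE if ci else 0
        return re.search(operand, field_value, flags) is not None
    if base == ">>":               # assign-or-equal: bind on first use, compare afterwards
        if operand not in variables:
            variables[operand] = field_value
            return True
        return _norm(variables[operand], ci) == _norm(field_value, ci)
    if base == "!->":              # not in correlation list
        return _norm(field_value, ci) not in {_norm(v, ci) for v in operand}
    raise ValueError(f"unsupported operator {op!r}")


def match_sequence(events, conditions):
    """AND all conditions for each event in order, sharing variables across events.

    Returns (matching events, final variable bindings). Simplification: a variable
    bound by >> stays bound even if a later condition on the same event fails.
    """
    variables = {}
    hits = []
    for event in events:
        if all(field in event and evaluate(op, event[field], operand, variables)
               for field, op, operand in conditions):
            hits.append(event)
    return hits, variables


# Constructed rule: event_subcategory == 'Microsoft-Windows-Sysmon'
#                   AND rep_device_rule_id == '1' AND source_username >>* [username]
SYSMON_RULE = [
    ("event_subcategory", "==", "Microsoft-Windows-Sysmon"),
    ("rep_device_rule_id", "==", "1"),
    ("source_username", ">>*", "username"),
]

# Constructed sample events: the first binds [username] to "Alice"; the second
# matches case-insensitively; the third is a different user and is rejected.
SAMPLE_EVENTS = [
    {"event_subcategory": "Microsoft-Windows-Sysmon", "rep_device_rule_id": "1",
     "source_username": "Alice", "source_process_commandline": "powershell.exe -enc aaaa"},
    {"event_subcategory": "Microsoft-Windows-Sysmon", "rep_device_rule_id": "1",
     "source_username": "alice", "source_process_commandline": "cmd.exe /c whoami"},
    {"event_subcategory": "Microsoft-Windows-Sysmon", "rep_device_rule_id": "1",
     "source_username": "bob", "source_process_commandline": "notepad.exe"},
]


if __name__ == "__main__":
    hits, bound = match_sequence(SAMPLE_EVENTS, SYSMON_RULE)
    print(f"{len(hits)} of {len(SAMPLE_EVENTS)} events matched; [username] = {bound['username']!r}")
    print("in*  :", evaluate("in*", "update route in route table",
                             ["Update route in route table", "Update route table for VPC"]))
    print("~*   :", evaluate("~*", "host01.ENG", r".*\.eng"))
    print("!->* :", evaluate("!->*", "svchost.exe", ["SVCHOST.EXE", "lsass.exe"]))
```

The point worth noticing is that `>>*` only makes sense when the same `variables` dict is carried across events: the first Sysmon event sets `[username]`, and from then on the operator is an ordinary case-insensitive equality, which is how a multi-event rule pins later events to the user seen in the first one.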