Operators: Difference between revisions
From Edge Threat Management Wiki - Arista
Revision as of 16:08, 7 April 2017
Operators are used with Conditions to create custom reports and alerts. The operator is used to evaluate the value criteria specified for the given condition.
Operator | Description | Syntax | Notes | Example |
---|---|---|---|---|
`=` | Is Equal To | `Condition = value` | Requires an exact match; it will not match partials. | Only show Web Filter events where the host accessed is "www.google.com".<br>`Host [host] = www.google.com` |
`!=` or `<>` | Is Not Equal To | `Condition != value`<br>`Condition <> value` | Requires an exact match; it will not match partials. | Show all Web Filter events where the client IP address is not "192.168.2.214".<br>`Client [c_client_addr] != 192.168.2.214` |
`>` | Is Greater Than | `Condition > value` | Requires an exact match; it will not match partials. | Show all activity in Firewall for non-standard ports (1024 - 65535).<br>`Server Port [s_server_port] > 1024` |
`<` | Is Less Than | `Condition < value` | Requires an exact match; it will not match partials. | Show all instances where available memory was less than 500 MB. Server Status Events, found under System > Reports, shows memory usage.<br>`Memory Free [mem_free] < 524288000` (the value is stored in the database as bytes) |
`>=` | Is Greater Than Or Equal To | `Condition >= value` | Requires an exact match; it will not match partials. | Show all sessions scanned by Shield where total bytes sent to the destination IP is greater than 1 GB.<br>`To-Server Bytes [p2s_bytes] >= 1073741824` (the value is stored in the database as bytes) |
`<=` | Is Less Than Or Equal To | `Condition <= value` | Requires an exact match; it will not match partials. | Show all instances where Free Disk Space was less than or equal to 100 GB. Server Status Events, found under System > Reports, shows free disk space.<br>`Disk Free [disk_free] <= 100000000000` (the value is stored in the database as bytes) |
`LIKE` | Is Similar To | `Condition LIKE (%)value(%)` | Often used in conjunction with % to wildcard the value. | Show all Web Filter events where a user accessed any part of google.com.<br>`Host [host] like %google.com` |
`NOT LIKE` | Is Not Similar To | `Condition NOT LIKE (%)value(%)` | Often used in conjunction with % to wildcard the value. | Show user events where a user does not have "student" in the username.<br>`Username [username] not like %student%` |
`IS` | Is value | `Condition IS NULL`<br>`Condition IS true/false/unknown`<br>`Condition1 IS distinct from Condition2` | Requires an exact match; it will not match partials. Does not work with string or number values. | Show all Shield events where there was no username on the session.<br>`Username [username] is NULL` |
`IS NOT` | Is Not value | `Condition IS NOT NULL`<br>`Condition IS NOT true/false/unknown`<br>`Condition1 IS NOT distinct from Condition2` | Requires an exact match; it will not match partials. Does not work with string or number values. | Show all Application Control events that have Detail values.<br>`Detail (Application Control) [application_control_detail] is not NULL` |
`IN` | Is In set of values (value_1, value_2, ...) | `Condition IN (value_1, value_2, value_3)` | Requires an exact match; it will not match partials. | Show all Firewall entries for web-related ports.<br>`Server Port [s_server_port] in (53,80,443)`<br>`Web Category [web_filter_category] in ('Content Servers','Parked','Online Ads')` |
`NOT IN` | Is Not In set of values (value_1, value_2, ...) | `Condition NOT IN (value_1, value_2, value_3)` | Requires an exact match; it will not match partials. | Show all traffic in Application Control that is not email related.<br>`Server Port [s_server_port] not in (25,110,143,993,995,587,465)`<br>`Web Category [web_filter_category] not in ('Content Servers','Parked','Online Ads')` |
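
The following is an added example, not part of the wiki page: it runs several of the table's conditions against constructed rows in SQLite, assuming report conditions follow standard SQL comparison semantics (the table name `events` and the helper `matching` are hypothetical). It shows how wildcard placement widens a `LIKE` match and that `NOT LIKE` skips rows whose username is NULL unless `IS NULL` is added.

```python
import sqlite3

# Constructed sample rows: (host, username, s_server_port). Not real event data.
ROWS = [
    ("www.google.com", "jsmith", 443),
    ("mail.google.com", "student01", 443),
    ("google.com.example.net", None, 80),   # lookalike host, no username
    ("example.org", None, 8080),            # no username on the session
    ("example.org", "astudent", 53),
]

def matching(where):
    """Return the ids (1-based insertion order) of rows satisfying `where`.

    `where` is a constant condition written in this example; it is
    interpolated only because the point is to compare operators.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, host TEXT, "
               "username TEXT, s_server_port INTEGER)")
    db.executemany("INSERT INTO events (host, username, s_server_port) "
                   "VALUES (?, ?, ?)", ROWS)
    ids = [r[0] for r in
           db.execute(f"SELECT id FROM events WHERE {where} ORDER BY id")]
    db.close()
    return ids

# Note: SQLite's LIKE ignores ASCII case by default, PostgreSQL's does not;
# the sample data is all lowercase so the results here do not depend on that.
CONDITIONS = [
    "host = 'google.com'",                     # exact match only, no partials
    "host LIKE '%google.com'",                 # hosts ending in google.com
    "host LIKE '%google.com%'",                # also matches the lookalike host
    "username NOT LIKE '%student%'",           # NULL usernames are not returned
    "username NOT LIKE '%student%' OR username IS NULL",
    "s_server_port NOT IN (53,80,443)",
]

if __name__ == "__main__":
    for cond in CONDITIONS:
        print(f"{cond:55} -> {matching(cond)}")
```

When a report or alert is meant to catch everything except a known value, check whether the column can be NULL and add an `IS NULL` condition if those events matter.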