Operators
From Edge Threat Management Wiki - Arista
Operators are used with Conditions to create custom reports and alerts. The operator is used to evaluate the value criteria specified for the given condition.
Operator | Description | Syntax | Notes | Example |
---|---|---|---|---|
= | Is Equal To | Condition = value | Requires an exact match; it will not match partials. | Only show Web Filter events where the host accessed is "www.google.com": Host [host] = www.google.com |
!= or <> | Is Not Equal To | Condition != value; Condition <> value | Requires an exact match; it will not match partials. | Show all Web Filter events where the client IP address is not "192.168.2.214": Client [c_client_addr] != 192.168.2.214 |
> | Is Greater Than | Condition > value | Requires an exact match; it will not match partials. | Show all activity in Firewall for non-standard ports (1024 - 65535): Server Port [s_server_port] > 1024 |
< | Is Less Than | Condition < value | Requires an exact match; it will not match partials. | Show all instances where available memory was less than 500 MB. Server Status Events, found under System > Reports, shows memory usage: Memory Free [mem_free] < 524288000 (it is stored in the database as bytes) |
>= | Is Greater Than Or Equal To | Condition >= value | Requires an exact match; it will not match partials. | Show all sessions scanned by Shield where total bytes sent to the destination IP is greater than 1 GB: To-Server Bytes [p2s_bytes] >= 1073741824 (it is stored in the database as bytes) |
<= | Is Less Than Or Equal To | Condition <= value | Requires an exact match; it will not match partials. | Show all instances where Free Disk Space was less than or equal to 100 GB. Server Status Events, found under System > Reports, shows free disk space: Disk Free [disk_free] <= 100000000000 (it is stored in the database as bytes) |
LIKE | Is Similar To | Condition LIKE (%)value(%) | Often used in conjunction with % to wildcard the value. | Show all Web Filter events where a user accessed any part of google.com: Host [host] like %google.com |
NOT LIKE | Is Not Similar To | Condition NOT LIKE (%)value(%) | Often used in conjunction with % to wildcard the value. | Show Firewall events that do not have a destination address (server) in your ISP's subnet, for example 123.45.67.0/24: Server [s_server_addr] not like 123.45.67% |
IS | Is value | Condition IS NULL; Condition IS true/false/unknown; Condition1 IS distinct from Condition2 | Requires an exact match; it will not match partials. Does not work with string or number values. | Show all Shield events where there was no username on the session: Username [username] is NULL |
IS NOT | Is Not value | Condition IS NOT NULL; Condition IS NOT true/false/unknown; Condition1 IS NOT distinct from Condition2 | Requires an exact match; it will not match partials. Does not work with string or number values. | Show all Application Control events that have Detail values: Detail (Application Control) [application_control_detail] is not NULL |
IN | Is In set of values (value_1, value_2, ...) | Condition IN (value_1, value_2, value_3) | Requires an exact match; it will not match partials. | Show all Firewall entries for web-related ports: Server Port [s_server_port] in (53,80,443). A string example: Web Category [web_filter_category] in ('Content Servers','Parked','Online Ads') |
NOT IN | Is Not In set of values (value_1, value_2, ...) | Condition NOT IN (value_1, value_2, value_3) | Requires an exact match; it will not match partials. | Show all traffic in Application Control that is not email related: Server Port [s_server_port] not in (25,110,143,993,995,587,465). A string example: Web Category [web_filter_category] not in ('Content Servers','Parked','Online Ads') |
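
The following is an added example, not taken from the wiki or the product: it runs several of the conditions from the table against constructed events in an in-memory SQLite table, to show what each operator does and does not match when writing report or alert conditions. It assumes the operators follow standard SQL semantics; the table name `events`, the helper `run`, and the sample rows are hypothetical.

```python
import sqlite3

# Constructed sample events; column names follow the bracketed names in the table.
EVENTS = [  # (host, s_server_addr, s_server_port, username)
    ("www.google.com", "123.45.67.10", 443, "alice"),
    ("mail.google.com", "123.45.67.11", 993, None),
    ("notgoogle.com", "198.51.100.7", 80, "bob"),
    ("example.org", "203.0.113.5", 8080, None),
]

def run(where):
    """Return sorted hosts of the constructed events that match a condition.

    `where` is a fixed literal from CHECKS below, never user input.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (host TEXT, s_server_addr TEXT, "
               "s_server_port INTEGER, username TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", EVENTS)
    rows = db.execute(f"SELECT host FROM events WHERE {where} ORDER BY host")
    hosts = [r[0] for r in rows]
    db.close()
    return hosts

CHECKS = [
    "host = 'www.google.com'",                  # exact match only
    "host LIKE '%google.com'",                  # suffix match, any prefix allowed
    "host LIKE '%.google.com'",                 # subdomains only (dot anchors the label)
    "s_server_addr NOT LIKE '123.45.67%'",      # outside the example /24
    "s_server_port > 1024",                     # strictly greater: 1024 is excluded
    "s_server_port IN (53, 80, 443)",           # membership in a set
    "username IS NULL",                         # sessions with no username
    "username != 'alice'",                      # NULL usernames are NOT returned
    "username IS NULL OR username != 'alice'",  # include them explicitly
]

if __name__ == "__main__":
    for cond in CHECKS:
        print(f"{cond:42} -> {run(cond)}")
```

Two results matter for alert conditions: `%google.com` also matches `notgoogle.com`, and `!=` drops rows where the value is NULL unless `IS NULL` is added. SQLite's LIKE is case-insensitive for ASCII, which may differ from the database behind the reports.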