Operators

From Edge Threat Management Wiki - Arista
Revision as of 16:08, 7 April 2017 by Dmorris (talk | contribs)

Operators are used with Conditions to create custom reports and alerts. The operator determines how the value specified for a given condition is compared against the field being evaluated.


Each entry below lists the operator, its description, its syntax, notes on how it matches, and an example condition.

Operator: =
Description: Is Equal To
Syntax: Condition = value
Notes: Requires an exact match; it will not match partials.
Example: Only show Web Filter events where the host accessed is "www.google.com":
    Host [host] = www.google.com

Operator: != or <>
Description: Is Not Equal To
Syntax: Condition != value
        Condition <> value
Notes: Requires an exact match; it will not match partials.
Example: Show all Web Filter events where the client IP address is not "192.168.2.214":
    Client [c_client_addr] != 192.168.2.214

Operator: >
Description: Is Greater Than
Syntax: Condition > value
Notes: Requires an exact match; it will not match partials.
Example: Show all activity in Firewall for non-standard ports (1024 - 65535):
    Server Port [s_server_port] > 1024

Operator: <
Description: Is Less Than
Syntax: Condition < value
Notes: Requires an exact match; it will not match partials.
Example: Show all instances where available memory was less than 500 MB. Server Status Events, found under System > Reports, shows memory usage.
    Memory Free [mem_free] < 524288000 (it is stored in the database as bytes)

Operator: >=
Description: Is Greater Than Or Equal To
Syntax: Condition >= value
Notes: Requires an exact match; it will not match partials.
Example: Show all sessions scanned by Shield where the total bytes sent to the destination IP is greater than 1 GB:
    To-Server Bytes [p2s_bytes] >= 1073741824 (it is stored in the database as bytes)

Operator: <=
Description: Is Less Than Or Equal To
Syntax: Condition <= value
Notes: Requires an exact match; it will not match partials.
Example: Show all instances where Free Disk Space was less than or equal to 100 GB. Server Status Events, found under System > Reports, shows free disk space.
    Disk Free [disk_free] <= 100000000000 (it is stored in the database as bytes)

Operator: LIKE
Description: Is Similar To
Syntax: Condition LIKE (%)value(%)
Notes: Often used in conjunction with % to wildcard the value.
Example: Show all Web Filter events where a user accessed any part of google.com:
    Host [host] like %google.com

Operator: NOT LIKE
Description: Is Not Similar To
Syntax: Condition NOT LIKE (%)value(%)
Notes: Often used in conjunction with % to wildcard the value.
Example: Show user events where the user does not have "student" in the username:
    Username [username] not like %student%

Operator: IS
Description: Is value
Syntax: Condition IS NULL
        Condition IS true/false/unknown
        Condition1 IS distinct from Condition2
Notes: Requires an exact match; it will not match partials. Does not work with string or number values.
Example: Show all Shield events where there was no username on the session:
    Username [username] is NULL

Operator: IS NOT
Description: Is Not value
Syntax: Condition IS NOT NULL
        Condition IS NOT true/false/unknown
        Condition1 IS NOT distinct from Condition2
Notes: Requires an exact match; it will not match partials. Does not work with string or number values.
Example: Show all Application Control events that have Detail values:
    Detail (Application Control) [application_control_detail] is not NULL

Operator: IN
Description: Is In set of values (value_1, value_2, ...)
Syntax: Condition IN (value_1, value_2, value_3)
Notes: Requires an exact match; it will not match partials.
Example: Show all entries in Firewall for web-related ports:
    Server Port [s_server_port] in (53,80,443)
    Web Category [web_filter_category] in ('Content Servers','Parked','Online Ads')

Operator: NOT IN
Description: Is Not In set of values (value_1, value_2, ...)
Syntax: Condition NOT IN (value_1, value_2, value_3)
Notes: Requires an exact match; it will not match partials.
Example: Show all traffic in Application Control that is not email related:
    Server Port [s_server_port] not in (25,110,143,993,995,587,465)
    Web Category [web_filter_category] not in ('Content Servers','Parked','Online Ads')
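As an added illustration (not part of this wiki page or of the product's own report engine), the following Python evaluator mirrors the operator semantics described above on a few constructed event rows. Column names come from the examples on this page; the sample rows, the `select` helper, and case-sensitive LIKE matching (as in PostgreSQL) are assumptions.

```python
import re

# Constructed sample event rows (not real data); column names follow the examples above.
EVENTS = [
    {"host": "www.google.com", "c_client_addr": "192.168.2.214", "s_server_port": 443, "username": "jsmith"},
    {"host": "mail.google.com", "c_client_addr": "192.168.2.10", "s_server_port": 993, "username": None},
    {"host": "example.org", "c_client_addr": "10.0.0.5", "s_server_port": 8443, "username": "student42"},
]


def like(value, pattern):
    """SQL LIKE: % matches any run of characters, _ matches one; case-sensitive (assumed)."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def evaluate(event, column, operator, value=None):
    """Apply one operator from the table to the named column of a single event row.
    A NULL (None) column never satisfies a comparison (so NOT LIKE skips NULL usernames);
    only IS / IS NOT reason about NULL itself."""
    actual = event.get(column)
    op = operator.upper()
    if op == "IS":
        return actual is None if value is None else actual == value  # IS NULL / IS true
    if op == "IS NOT":
        return not evaluate(event, column, "IS", value)
    if actual is None:
        return False
    if op == "=":
        return actual == value  # exact match only, no partials
    if op in ("!=", "<>"):
        return actual != value
    if op == ">":
        return actual > value
    if op == "<":
        return actual < value
    if op == ">=":
        return actual >= value
    if op == "<=":
        return actual <= value
    if op == "LIKE":
        return like(actual, value)
    if op == "NOT LIKE":
        return not like(actual, value)
    if op == "IN":
        return actual in value
    if op == "NOT IN":
        return actual not in value
    raise ValueError(f"unsupported operator: {operator!r}")


def select(events, *conditions):
    """Rows for which every (column, operator, value) condition holds (conditions are ANDed)."""
    return [e for e in events if all(evaluate(e, *c) for c in conditions)]
```

Note that `Host = google.com` returns nothing for these rows while `Host LIKE %google.com` returns two, which is the exact-match versus wildcard distinction the table's notes describe.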