
Logical Operators Guide and Regex


The Regex

Regex:

  1. Once we have the message, we use a regex to extract the useful information from it, as shown below: [screenshot]

Parser:

  1. After creating the regex, go to Interface -> Settings -> Rules -> DTS Objects -> New DTS Object and create a new parser based on that regex: [screenshot]

View Event:

  1. Finally, the parser is created together with the Filter Rules and DA Rules (the steps are described in UserGuide -> 4.2 Creating a new JS Parser), and the extracted information is placed in the S1, S2 and S3 fields: [screenshot]
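The regex-to-fields step described above, as an added example written for this page (it is not the product's own JS Parser code). The message format, the regex, the capture-group names and the mapping of groups onto S1/S2/S3 are all assumptions made for the illustration; the sample messages are constructed, not captured from a real system.

```javascript
// Added example, not the product's own JS Parser code: a regex-based extractor
// that pulls fields out of a raw message and places them in S1, S2 and S3.
// The message format, the regex and the group-to-field mapping are assumptions
// made for this illustration.

// Constructed sample messages (not captured from a real system).
const SAMPLE_MESSAGES = [
  "EventID=4624 UserName=Administrator SrcIP=192.168.1.10 LogonType=10",
  "EventID=4634 UserName=svc_backup SrcIP=10.0.0.7 LogonType=3",
  "Heartbeat from collector-01", // does not match: the parser must not throw
];

// Named capture groups document what each piece is. No 'g' flag on purpose:
// a global regex keeps lastIndex between exec() calls and would silently
// skip matches when the same regex object is reused across messages.
const LOGON_REGEX =
  /EventID=(?<eventId>\d+)\s+UserName=(?<user>\S+)\s+SrcIP=(?<srcIp>(?:\d{1,3}\.){3}\d{1,3})/;

// Which capture group lands in which output field (assumed mapping).
const FIELD_MAP = { S1: "eventId", S2: "user", S3: "srcIp" };

// Parse one message. Returns null when the regex does not match, so the caller
// can route the event elsewhere instead of storing partially filled fields.
function parseMessage(message, regex = LOGON_REGEX, fieldMap = FIELD_MAP) {
  const m = regex.exec(message);
  if (m === null) return null;
  const out = {};
  for (const [field, group] of Object.entries(fieldMap)) {
    out[field] = m.groups[group];
  }
  return out;
}

// Parse a batch, keeping unmatched messages aside for review.
function parseBatch(messages, regex = LOGON_REGEX, fieldMap = FIELD_MAP) {
  const parsed = [];
  const unmatched = [];
  for (const msg of messages) {
    const fields = parseMessage(msg, regex, fieldMap);
    if (fields === null) unmatched.push(msg);
    else parsed.push(fields);
  }
  return { parsed, unmatched };
}

// Usage: run over the constructed sample and show what lands in S1..S3.
const result = parseBatch(SAMPLE_MESSAGES);
console.log(result.parsed);    // [{ S1: "4624", S2: "Administrator", S3: "192.168.1.10" }, { S1: "4634", S2: "svc_backup", S3: "10.0.0.7" }]
console.log(result.unmatched); // ["Heartbeat from collector-01"]
```

Returning null for a non-matching message, rather than an object with empty fields, is the point to keep: a filter rule downstream can then distinguish "field absent because the message was not this type" from "field present but empty".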

1. Filter by keywords or expressions using the logical operators AND, OR and NOT:

[screenshot]

2. Additional filters and combining methods are available in the vertical tabs (Additional filters) and (Combining method):

[screenshot]

Logical comparators and their use

In the Additional filters field both simple and complex filters can be built with the logical operators AND, OR and NOT. For example, to search only for events from certain users and with a given category (e.g. Logoff), a complex filter can be created like this:

Logical AND (&&):

(UserName:"Administrator") AND (Category:"Logoff") [screenshot]: only events where "UserName" is "Administrator" and "Category" is "Logoff" are returned.

To search for a user's events that are not in the "Logoff" category, a complex filter can be created like this:

Logical NOT (!):

(UserName:"Administrator") NOT (Category:"Logoff") [screenshot]: only events where "UserName" is "Administrator" and "Category" is not "Logoff" are returned.

Logical OR (||):

(UserName:"Administrator") OR (Category:"Logoff") [screenshot]: events where "UserName" is "Administrator" or "Category" is "Logoff" (or both) are returned; unlike AND, matching either condition is enough.

_exists_:

EventID:4624 AND _exists_:UserName [screenshot]: events with EventID 4624 that have a UserName field (with any value) are returned.

_missing_:

EventID:4624 AND _missing_:DestIP [screenshot]: events with EventID 4624 that have no DestIP field are returned.

X TO Y:

EventID:[4000 TO 5000] [screenshot]: events whose EventID lies in the range 4000 to 5000 inclusive (4000, 4001, ... 5000) are returned.
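To make the difference between the operators concrete, the filters above are run by an added example evaluator written for this page (it is not the product's own search engine). It assumes Lucene-style precedence (NOT binds tightest, then AND, then OR), treats the infix form "A NOT B" as "A AND NOT B", and matches field values as exact, case-sensitive strings; the product's real grammar and matching rules may differ. The events are constructed, not real log data.

```javascript
// Added example, not the product's own search engine: a small evaluator for the
// filter syntax shown above (AND / OR / NOT, _exists_ / _missing_ and [X TO Y]
// ranges), run over constructed events so each operator's effect can be compared.
// Precedence (NOT > AND > OR), "A NOT B" == "A AND NOT B" and exact, case-sensitive
// value matching are assumptions; the product's real grammar may differ.

// Constructed sample events (not real log data).
const EVENTS = [
  { EventID: 4624, UserName: "Administrator", Category: "Logon", DestIP: "10.0.0.5" },
  { EventID: 4634, UserName: "Administrator", Category: "Logoff" },
  { EventID: 4624, UserName: "svc_backup", Category: "Logon" },
  { EventID: 5156, Category: "Filtering Platform Connection", DestIP: "10.0.0.9" },
  { EventID: 4634, UserName: "svc_backup", Category: "Logoff" },
];

// Tokenizer: parentheses, keywords, _exists_/_missing_, ranges, quoted and bare terms.
function tokenize(src) {
  const re = /\s*(\(|\)|AND\b|OR\b|NOT\b|_exists_:\w+|_missing_:\w+|\w+:\[\s*\d+\s+TO\s+\d+\s*\]|\w+:"[^"]*"|\w+:[^\s()]+)/y;
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;                    // sticky regex: match exactly at pos
    const m = re.exec(src);
    if (m === null) {
      if (src.slice(pos).trim() === "") break; // only trailing whitespace left
      throw new Error("unexpected input at offset " + pos);
    }
    tokens.push(m[1]);
    pos = re.lastIndex;
  }
  return tokens;
}

// Recursive-descent parser producing a small AST.
function parse(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parseOr() {                     // lowest precedence
    let node = parseAnd();
    while (peek() === "OR") { next(); node = { op: "OR", left: node, right: parseAnd() }; }
    return node;
  }
  function parseAnd() {
    let node = parseNot();
    for (;;) {
      if (peek() === "AND") { next(); node = { op: "AND", left: node, right: parseNot() }; }
      else if (peek() === "NOT") {         // infix "A NOT B" == "A AND NOT B"
        next(); node = { op: "AND", left: node, right: { op: "NOT", expr: parseNot() } };
      } else return node;
    }
  }
  function parseNot() {                    // prefix NOT binds tightest
    if (peek() === "NOT") { next(); return { op: "NOT", expr: parseNot() }; }
    return parseAtom();
  }
  function parseAtom() {
    const t = next();
    if (t === undefined) throw new Error("unexpected end of filter");
    if (t === "(") {
      const node = parseOr();
      if (next() !== ")") throw new Error("missing closing parenthesis");
      return node;
    }
    let m;
    if ((m = /^_exists_:(\w+)$/.exec(t))) return { op: "EXISTS", field: m[1] };
    if ((m = /^_missing_:(\w+)$/.exec(t))) return { op: "MISSING", field: m[1] };
    if ((m = /^(\w+):\[\s*(\d+)\s+TO\s+(\d+)\s*\]$/.exec(t)))
      return { op: "RANGE", field: m[1], lo: Number(m[2]), hi: Number(m[3]) };
    if ((m = /^(\w+):"([^"]*)"$/.exec(t))) return { op: "EQ", field: m[1], value: m[2].trim() };
    if ((m = /^(\w+):(.+)$/.exec(t))) return { op: "EQ", field: m[1], value: m[2] };
    throw new Error("bad term: " + t);
  }

  const ast = parseOr();
  if (pos !== tokens.length) throw new Error("unexpected token: " + tokens[pos]);
  return ast;
}

// Evaluate the AST against one event object.
function evaluate(node, ev) {
  switch (node.op) {
    case "AND": return evaluate(node.left, ev) && evaluate(node.right, ev);
    case "OR": return evaluate(node.left, ev) || evaluate(node.right, ev);
    case "NOT": return !evaluate(node.expr, ev);
    case "EXISTS": return ev[node.field] !== undefined;
    case "MISSING": return ev[node.field] === undefined;
    case "RANGE": {                          // inclusive on both ends
      const v = Number(ev[node.field]);
      return ev[node.field] !== undefined && v >= node.lo && v <= node.hi;
    }
    case "EQ": return ev[node.field] !== undefined && String(ev[node.field]) === node.value;
    default: throw new Error("unknown node type " + node.op);
  }
}

// Apply a filter string to a list of events and return the matching ones.
function filterEvents(filter, events = EVENTS) {
  const ast = parse(tokenize(filter));
  return events.filter((ev) => evaluate(ast, ev));
}

// Usage: the page's examples, run against the constructed events.
for (const f of [
  '(UserName:"Administrator") AND (Category:"Logoff")',
  '(UserName:"Administrator") NOT (Category:"Logoff")',
  '(UserName:"Administrator") OR (Category:"Logoff")',
  "EventID:4624 AND _exists_:UserName",
  "EventID:4624 AND _missing_:DestIP",
  "EventID:[4000 TO 5000]",
]) console.log(f, "->", filterEvents(f).map((e) => e.EventID));
```

Two things worth noticing when running it: the OR filter returns three events (both Administrator events plus the svc_backup Logoff), where AND returns one, and `_missing_:DestIP` excludes the 4624 event that does carry a DestIP even though it matches on every other field. When mixing operators in the product's own search box, put parentheses around each group as the page's examples do, so the result does not depend on the engine's precedence rules.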