Logical Operators Guide and Regex

The Regex

  • Regex

  • Once we have the raw message, a regex is used to extract the useful fields from it:


  • Parser

  • After creating the regex, go to Interface -> Settings -> Rules -> DTS Objects -> New DTS Object and create a new parser based on it:


  • View Event

  • Finally, the parser is created together with the Filter Rules and DA Rules (the steps are described in UserGuide -> 4.2 Creating a new JS Parser), and the values extracted by the regex are placed in the S1, S2 and S3 fields:

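The three steps above (regex, parser, fields) carried through in code, as an added example that is not the product's own JS parser and not the content of the screenshots: a regex with named groups pulls fields out of a constructed sample message and a small parser function maps them to S1, S2 and S3. The message layout, the field names, the parseMessage/parseAll helpers and the S1/S2/S3 mapping are assumptions made for illustration; the regex in the real DTS object has to match your own message format.

```javascript
// Added example, not the product's own JS parser: extract fields from a raw message
// with a regex and map them to the custom fields S1, S2 and S3. The message layout,
// the field names and the S1/S2/S3 mapping are assumptions made for illustration.

// Constructed sample messages; the last one deliberately does not match the pattern.
const SAMPLE_MESSAGES = [
  'Jan 12 10:15:32 host01 Security EventID=4624 UserName=Administrator Category=Logon SrcIP=10.0.0.5',
  'Jan 12 10:16:07 host01 Security EventID=4634 UserName=jdoe Category=Logoff SrcIP=10.0.0.9',
  'Jan 12 10:16:09 host01 kernel: eth0 link up',
];

// Named capture groups keep the regex and the field mapping readable and independent
// of group order. The IPv4 group is constrained to a dotted quad instead of \S+.
const MESSAGE_REGEX =
  /EventID=(?<eventId>\d+)\s+UserName=(?<userName>\S+)\s+Category=(?<category>\S+)\s+SrcIP=(?<srcIp>\d{1,3}(?:\.\d{1,3}){3})\b/;

// Which capture group lands in which custom field (assumed mapping).
const FIELD_MAP = { S1: 'userName', S2: 'category', S3: 'srcIp' };

// Parse one message; returns null instead of throwing when the pattern does not match,
// so one odd line cannot stop the parser for the rest of the feed.
function parseMessage(message) {
  const m = MESSAGE_REGEX.exec(message);
  if (m === null) return null;
  const event = { EventID: Number(m.groups.eventId) };
  for (const [field, group] of Object.entries(FIELD_MAP)) event[field] = m.groups[group];
  return event;
}

// Parse a batch, keeping unmatched raw lines so they can be inspected and the regex tuned.
function parseAll(messages) {
  const parsed = [];
  const unparsed = [];
  for (const message of messages) {
    const event = parseMessage(message);
    if (event === null) unparsed.push(message);
    else parsed.push(event);
  }
  return { parsed, unparsed };
}

console.log(JSON.stringify(parseAll(SAMPLE_MESSAGES), null, 2));
```

Lines the regex does not match are returned separately instead of throwing, so a single unexpected message (the kernel line in the sample) cannot stall parsing of the rest of the feed, and the unparsed list shows exactly what the pattern still has to cover.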

Filter by keywords or expressions using the logical operators AND, OR and NOT:


Additional filters and the combining method are available in the vertical tabs (Additional filters) and (Combining method):


Logical operators and their use

In the additional filter field both simple and complex filters can be built with the logical operators AND, OR and NOT. For example, to restrict a search to certain users and one category (e.g. Logoff), a complex filter can be written like this:

  • Logical AND (&&)

(UserName:"Administrator") AND (Category:"Logoff")


Only events where "UserName" is "Administrator" and "Category" is "Logoff" are returned; both conditions must hold.

To search for a user's events that do not fall in the "Logoff" category, the filter can be written like this:

  • Logical NOT (!)

(UserName:"Administrator") NOT (Category:"Logoff")


Only events where "UserName" is "Administrator" and "Category" is not "Logoff" are returned.

  • Logical OR (||)

(UserName:"Administrator") OR (Category:"Logoff")


Events where "UserName" is "Administrator" or "Category" is "Logoff" are returned; either condition alone is enough, so this result is broader than the AND filter above and includes other users' Logoff events.

  • _exists_

EventID:4624 AND _exists_:UserName


Returns events with EventID 4624 that also carry a UserName field.

  • _missing_

EventID:4624 AND _missing_:DestIP


Returns events with EventID 4624 that have no DestIP field. The same filter can be written as EventID:4624 AND NOT _exists_:DestIP, which is useful where _missing_ is not supported.

  • X TO Y

EventID:[4000 TO 5000]


Returns events whose EventID lies between 4000 and 5000 inclusive (4000, 4001, ... 5000).
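All of the operators in this section exercised together, as an added example that is not part of the original guide and not the product's own search engine: a small JavaScript evaluator for this filter syntax (field:value, AND, OR, NOT, _exists_, _missing_ and inclusive [X TO Y] ranges) run over constructed events. The events, their fields and the compile/search helpers are assumptions for illustration. It goes slightly beyond the text in two ways: the usage note shows that EventID:4624 AND NOT _exists_:DestIP selects the same events as the _missing_ filter, and malformed filters are rejected with a SyntaxError instead of silently matching nothing.

```javascript
// Added example, not the product's own search code: a compact evaluator for the filter
// syntax shown above (field:value, AND / OR / NOT, _exists_, _missing_ and inclusive
// [X TO Y] ranges), run over constructed events. Fields and values are assumptions.

// Constructed sample events, in the shape the parser step above would produce.
const EVENTS = [
  { EventID: 4624, UserName: 'Administrator', Category: 'Logon',  SrcIP: '10.0.0.5', DestIP: '10.0.0.1' },
  { EventID: 4634, UserName: 'Administrator', Category: 'Logoff', SrcIP: '10.0.0.5' },
  { EventID: 4624, UserName: 'jdoe',          Category: 'Logon',  SrcIP: '10.0.0.9' },
  { EventID: 4634, UserName: 'jdoe',          Category: 'Logoff' },
  { EventID: 5145, Category: 'FileShare', DestIP: '10.0.0.20' },
];

// Tokenizer: parentheses, brackets, colon, quoted phrases and bare words.
function tokenize(query) {
  const tokens = [];
  let i = 0;
  while (i < query.length) {
    const c = query[i];
    if (/\s/.test(c)) { i++; continue; }
    if ('()[]:'.includes(c)) { tokens.push({ type: c }); i++; continue; }
    if (c === '"') {
      const end = query.indexOf('"', i + 1);
      if (end < 0) throw new SyntaxError(`unterminated quote in "${query}"`);
      // Whitespace inside quotes (e.g. " Administrator ") is trimmed before matching.
      tokens.push({ type: 'value', text: query.slice(i + 1, end).trim() });
      i = end + 1;
      continue;
    }
    let j = i;
    while (j < query.length && !/[\s()\[\]:"]/.test(query[j])) j++;
    tokens.push({ type: 'word', text: query.slice(i, j) });
    i = j;
  }
  return tokens;
}

const present = (event, field) => event[field] !== undefined && event[field] !== null;

// Numeric comparison when both sides parse as numbers, otherwise string comparison.
function compare(a, b) {
  const na = Number(a), nb = Number(b);
  if (Number.isFinite(na) && Number.isFinite(nb)) return na - nb;
  return String(a) < String(b) ? -1 : String(a) > String(b) ? 1 : 0;
}

// Recursive-descent compiler from a query string to a predicate over one event.
// Precedence: NOT binds tightest, then AND, then OR; "A NOT B" reads as "A AND NOT B".
function compile(query) {
  const toks = tokenize(query);
  let pos = 0;
  const peek = () => toks[pos];
  const isKw = (kw) => peek() !== undefined && peek().type === 'word' && peek().text === kw;
  const take = (ok, what) => {                      // consume one token or fail loudly
    const t = toks[pos++];
    if (!t || !ok(t)) throw new SyntaxError(`expected ${what} in "${query}"`);
    return t;
  };
  const expect = (type) => take((t) => t.type === type, `'${type}'`);
  const value = () => take((t) => t.type === 'word' || t.type === 'value', 'a value').text;
  function parseOr() {
    let left = parseAnd();
    while (isKw('OR')) { pos++; const l = left, r = parseAnd(); left = (e) => l(e) || r(e); }
    return left;
  }
  function parseAnd() {
    let left = parseNot();
    for (;;) {
      if (isKw('AND')) { pos++; const l = left, r = parseNot(); left = (e) => l(e) && r(e); }
      else if (isKw('NOT')) { pos++; const l = left, r = parseNot(); left = (e) => l(e) && !r(e); }
      else return left;
    }
  }
  function parseNot() {
    if (isKw('NOT')) { pos++; const inner = parseNot(); return (e) => !inner(e); }
    if (peek() !== undefined && peek().type === '(') { pos++; const inner = parseOr(); expect(')'); return inner; }
    const field = expect('word').text;
    expect(':');
    return parseTerm(field);
  }
  function parseTerm(field) {
    if (field === '_exists_') { const f = value(); return (e) => present(e, f); }
    if (field === '_missing_') { const f = value(); return (e) => !present(e, f); }
    if (peek() !== undefined && peek().type === '[') {   // inclusive range: field:[X TO Y]
      pos++; const lo = value();
      take((t) => t.type === 'word' && t.text === 'TO', 'TO'); const hi = value(); expect(']');
      return (e) => present(e, field) && compare(e[field], lo) >= 0 && compare(e[field], hi) <= 0;
    }
    const v = value();                                   // exact match on the field's string form
    return (e) => present(e, field) && String(e[field]) === v;
  }
  const pred = parseOr();
  if (pos !== toks.length) throw new SyntaxError(`unexpected trailing tokens in "${query}"`);
  return pred;
}

// Indices of the events a query matches, so each operator's effect is easy to see.
function search(query, events = EVENTS) {
  const pred = compile(query);
  return events.flatMap((e, i) => (pred(e) ? [i] : []));
}
```

search(q) returns the indices into EVENTS that q matches: the AND filter from this section yields [1], the NOT filter [0], the OR filter [0, 1, 3] (jdoe's Logoff event is included because either condition suffices), EventID:4624 AND _exists_:UserName yields [0, 2], EventID:4624 AND _missing_:DestIP yields [2] and so does EventID:4624 AND NOT _exists_:DestIP, and EventID:[4000 TO 5000] yields [0, 1, 2, 3] because 5145 lies outside the inclusive range.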