Filter Operation

Filter consists of a Boolean expression that is evaluated against the current event from the real-time event stream. It compares event attributes (metatags) to user-specified values using a wide set of operators.

The Boolean expression is a composite of comparison and match instructions.

The syntax for filter is:

Filter <Boolean expression 1> [NOT|AND|OR <Boolean expression 2>] […] [NOT|AND|OR <Boolean expression n>]

Where

<Boolean expressions 1…n> are expressions using one or more event field names and filter operators

For example, this filter expression evaluates to TRUE when the current event has a severity of 4 and the resource event field contains either "FW" or "Comm":

filter(e.sev = 4 and (e.res match regex ("FW") or e.res match regex ("Comm")))

Filter expressions can be combined using the Boolean operators AND, OR and NOT. The precedence of the Boolean operators, from highest (top) to lowest (bottom), is:

Operator   Meaning       Operator Type   Associativity
NOT        logical not   unary           none
AND        logical and   binary          left to right
OR         logical or    binary          left to right

In addition to Boolean operators, filter supports the following operators.

The standard comparison operators (called arithmetic operators in Sentinel) build a condition that compares the value of a Sentinel metatag with a user-specified value, either a numeric value or a string. The comparison operators in Sentinel are =, <, >, !=, <= and >=.

Examples:

filter(e.Severity > 3)

filter(e.BeginTime < 1179217665)

filter(e.SourceUserName != "Administrator")

The match regex operator builds a condition that is TRUE when the value of a metatag matches the regular expression specified in the rule. This operator is used only for string metatags, and the pattern is matched case-sensitively, so match regex ("Attack") does not match "attack". As the first example on this page shows, the pattern only needs to occur somewhere in the value; anchor it with ^ and $ when an exact match is required.

Examples:

filter(e.Collector match regex ("IBM"))

filter(e.EventName match regex ("Attack"))

The match subnet operator builds a condition that is TRUE when the value of a metatag falls within the subnet specified in the rule in CIDR notation. This operator is used only for IP address metatags.

Example:

filter(e.DestinationIP match subnet (208.130.28.0/22))

The inlist operator looks a value up in an existing dynamic list of string values and returns TRUE if the value is present in the list. For more information on dynamic lists, see the Correlation Tab section of the Sentinel 6.0 User Guide.

For example, this filter expression is used to evaluate whether the Source IP of the current event is present on a dynamic list called MailServerList. If the Source IP is present in this list, the expression evaluates to TRUE.

filter(e.sip inlist MailServerList)

As another example, this filter expression combines the NOT and inlist operators. The expression evaluates to TRUE if the Source IP is not present in the dynamic list called MailServerList.

filter(not (e.sip inlist MailServerList))

This filter expression evaluates whether the event name of the current event equals "File Access" and the Source User Name is not present on a dynamic list called AuthorizedUsers. If both conditions hold for the current event, the expression evaluates to TRUE.

filter(e.evt="File Access" and not(e.sun inlist AuthorizedUsers))

The isnull operator returns TRUE if the metatag value is NULL, that is, the event carries no value for that field.

Example:

filter(isnull(e.SIP))

e.SourceIP=e.DestinationIP
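The grammar above (Boolean operators with NOT binding tighter than AND, and AND tighter than OR) and the individual operators can be exercised with a small evaluator. The following Python script is an added example written for this page; it is not part of Sentinel and does not reproduce Sentinel's engine. It tokenises a filter(...) expression, parses it by recursive descent with the stated precedence, and compiles it to a predicate that is run over a handful of constructed events. The keywords, operators and e.<field> names follow the page's examples; everything else is an assumption of the example: the alias table that lets e.Severity and e.sev (and likewise SourceIP/sip, DestinationIP/dip, EventName/evt, SourceUserName/sun) name the same field, the sample events and dynamic lists, and the rule that any comparison, regex or subnet test against a NULL field is false. Comparisons between two metatags, such as e.SourceIP = e.DestinationIP, are supported as well.

```python
# Added example: a toy evaluator for Sentinel-style filter expressions; it is not Sentinel's own engine.
import ipaddress
import operator
import re
TOKEN_RE = re.compile(r"""(?P<ws>\s+)|(?P<str>"[^"]*")|(?P<cidr>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})|(?P<num>-?\d+)
    |(?P<op><=|>=|!=|=|<|>)|(?P<lpar>\()|(?P<rpar>\))|(?P<kw>(?i:and|or|not|match|regex|subnet|inlist|isnull)\b)
    |(?P<ident>[A-Za-z_][\w.]*)|(?P<bad>.)""", re.VERBOSE)
# The page uses long names and short tags for the same fields; treating them as equivalent is an assumption.
ALIASES = {"severity": "sev", "sourceip": "sip", "destinationip": "dip", "eventname": "evt", "sourceusername": "sun"}
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def tokenize(text):  # (kind, value) tokens; keywords are case-insensitive, string literals are not
    out = []
    for m in TOKEN_RE.finditer(text):
        kind, val = m.lastgroup, m.group()
        if kind == "bad":
            raise SyntaxError("bad character %r at offset %d" % (val, m.start()))
        if kind != "ws":
            val = val.lower() if kind == "kw" else val[1:-1] if kind == "str" else int(val) if kind == "num" else val
            out.append((kind, val))
    return out

def _get(ev, name):  # resolve e.<field> against an event dict with lower-case keys; '' or missing is NULL
    key = name.lower()[2:] if name.lower().startswith("e.") else name.lower()
    val = ev.get(ALIASES.get(key, key))
    return None if val == "" else val

def _safe(fn, *args):  # fn(*args), unless an argument is NULL or the types do not fit: then 'no match'
    try:
        return None not in args and bool(fn(*args))
    except (TypeError, ValueError):
        return False

class Parser:  # recursive descent; every rule returns a predicate(ev, lists) -> bool
    def __init__(self, tokens):
        self.t, self.i = tokens, 0
    def take(self, kind, val=None, required=True):  # consume the next token if it matches; else None or error
        if self.i < len(self.t) and self.t[self.i][0] == kind and val in (None, self.t[self.i][1]):
            self.i += 1
            return self.t[self.i - 1][1]
        if required:
            raise SyntaxError("expected %s at token %d" % (val or kind, self.i))
    def arg(self, kind):  # '(' <one token of kind> ')'; tuple elements are evaluated left to right
        return (self.take("lpar"), self.take(kind), self.take("rpar"))[1]
    def chain(self, word, sub, combine):  # one left-associative binary precedence level
        node = sub()
        while self.take("kw", word, required=False) is not None:
            node = (lambda l, r: lambda ev, ls: combine(l(ev, ls), r(ev, ls)))(node, sub())
        return node
    def parse_or(self):   # OR: lowest precedence
        return self.chain("or", self.parse_and, lambda a, b: a or b)
    def parse_and(self):  # AND binds tighter than OR
        return self.chain("and", self.parse_not, lambda a, b: a and b)
    def parse_not(self):  # NOT: highest precedence, unary, applies only to the clause right after it
        if self.take("kw", "not", required=False) is not None:
            inner = self.parse_not()
            return lambda ev, ls: not inner(ev, ls)
        return self.parse_clause()
    def parse_clause(self):
        if self.take("lpar", required=False) is not None:
            node = self.parse_or()
            self.take("rpar")
            return node
        if self.take("kw", "isnull", required=False) is not None:
            f = self.arg("ident")
            return lambda ev, ls: _get(ev, f) is None
        f, op = self.take("ident"), self.take("op", required=False)
        if op is not None:  # right side is a literal or another field, e.g. e.SourceIP = e.DestinationIP
            kind = self.t[self.i][0] if self.i < len(self.t) else "str"
            rhs = self.take(kind if kind in ("ident", "num") else "str")
            return lambda ev, ls: _safe(OPS[op], _get(ev, f), _get(ev, rhs) if kind == "ident" else rhs)
        if self.take("kw", "inlist", required=False) is not None:
            name = self.take("ident")
            return lambda ev, ls: _get(ev, f) in ls.get(name, ())
        self.take("kw", "match")
        if self.take("kw") == "regex":  # case-sensitive, unanchored search, i.e. a 'contains' test
            rx = re.compile(self.arg("str"))
            return lambda ev, ls: _safe(lambda v: rx.search(str(v)) is not None, _get(ev, f))
        net = ipaddress.ip_network(self.arg("cidr"), strict=False)
        return lambda ev, ls: _safe(lambda v: ipaddress.ip_address(v) in net, _get(ev, f))

def compile_filter(text):  # 'filter(<expr>)' or a bare <expr> -> predicate(event, lists) -> bool
    m = re.match(r"\s*filter\s*\((.*)\)\s*$", text, re.IGNORECASE | re.DOTALL)
    p = Parser(tokenize(m.group(1) if m else text))
    node = p.parse_or()
    if p.i != len(p.t):
        raise SyntaxError("unparsed input at token %d" % p.i)
    return lambda event, lists=None: node({k.lower(): v for k, v in event.items()}, lists or {})

EVENTS = [  # constructed sample events, not real Sentinel output
    {"sev": 4, "res": "FW-edge-1", "sip": "10.1.1.5", "dip": "208.130.29.7", "evt": "Attack Detected", "sun": "bob"},
    {"sev": 2, "res": "Comm-link", "sip": "10.1.1.9", "dip": "10.1.1.9", "evt": "File Access", "sun": "alice"},
    {"sev": 5, "res": "db01", "sip": None, "dip": "192.0.2.4", "evt": "File Access", "sun": "mallory"},
]
LISTS = {"MailServerList": {"10.1.1.5"}, "AuthorizedUsers": {"alice"}}  # constructed dynamic lists

def matching_events(expr, events=EVENTS, lists=LISTS):  # indices of the events on which the filter is TRUE
    pred = compile_filter(expr)
    return [i for i, ev in enumerate(events) if pred(ev, lists)]
```

On the sample events, matching_events('filter(e.sev = 4 and e.res match regex ("Comm") or e.sev = 2)') returns [1], while matching_events('filter(e.sev = 4 and (e.res match regex ("Comm") or e.sev = 2))') returns []: without the parentheses the AND is evaluated first and the OR branch matches the second event on its own. The regex test is an unanchored, case-sensitive search, so match regex ("FW") also matches "FW-edge-1"; anchor the pattern (^FW$) when an exact value is required.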