Search Filter Operators
Supported operators for Panther's Search tool
| Operator | Description | Field types | Example |
|---|---|---|---|
| is / is not | Valid for a single value. Results include only events where the field matches / does not match the value in the filter. | string, number | `username is "root"` |
| is empty / is not empty | Valid for an event where the field's value is not specified. The operator tests only for the absence of data; compare `is null`, which tests for an explicit null value. | string | `errors_list is empty` |
| is in list / is not in list | Valid for multiple values. Results include only events where the field matches / does not match an entry in the list of values in the filter. | string | `username is in ["root", "admin"]` |
| has substring / does not have substring | Valid for a single value. Results include only events where the field contains / does not contain the value in the filter as a substring. | string | `domain has substring ".google.com"` |
| like / is not like | Valid for a single value. Results include only events where the field matches / does not match the pattern in the filter. Wildcards are supported: an underscore (`_`) matches exactly one character; a percent sign (`%`) or asterisk (`*`) matches any sequence of zero or more characters. All other characters are literal. | string | `role like "admin_"`, `role like "%admin%"`, `role like "admin*"` |
| equals / does not equal | Valid for a single value. Results include only events where the field equals / does not equal the value in the filter. | number | `count = 100` |
| is greater than | Valid for a single value. Results include only events where the field is greater than the value in the filter. | number | `port > 1023` |
| is less than | Valid for a single value. Results include only events where the field is less than the value in the filter. | number | `port < 1024` |
| is greater than or equal to | Valid for a single value. Results include only events where the field is greater than or equal to the value in the filter. | number | `count ≥ 1` |
| is less than or equal to | Valid for a single value. Results include only events where the field is less than or equal to the value in the filter. | number | `count ≤ 100` |
| has / does not have | Valid for a single value. Results include only events where the array field contains / does not contain the value in the filter as one of its elements. | array | `domain has "google.com"`, where `domain` is an array of values |
| has any / does not have any | Valid for a list of values. Results include only events where the array field contains / does not contain at least one of the values in the filter. | array | `domain has any "google.com", "yahoo.com"`, where `domain` is an array of values |
| is true / is false | Valid for a single boolean value. Results include only events where the boolean field is true / is false. | boolean | `success is true` |
| is after | Valid for a single time value. Results include only events that occurred after the specified time. | time | `timestamp is after 01/19/2023 2:48 PM UTC` |
| is before | Valid for a single time value. Results include only events that occurred before the specified time. | time | `timestamp is before 01/19/2023 2:48 PM UTC` |
| is null / is not null | Valid for a field of any type. Results include only events where the field's value is / is not null. | universal | `errorCode is null` |
| contains / does not contain | Valid for object fields. Results include only events where the object at the given key contains / does not contain a field whose value matches the value in the filter. The key can be top level or can use dot notation to indicate a nested path. | object | `actor contains username`; `actor.attributes does not contain Admin`, where `actor` is a nested object |
| is within CIDR | Valid for a single value. Results include only events where the field's IP address falls within the CIDR range given in the filter. | string | `ip is within CIDR 10.2.3.0/24` |
| Field types | Description |
|---|---|
| string | A string value |
| number | A 32-bit integer or a 64-bit floating-point number |
| boolean | A boolean value: `true` / `false` |
| array | A JSON array where each element is of the same type |
| time | A valid timestamp |
| object | A JSON object |
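The operator table is easy to misread at the edges: `_` matches exactly one character while `%` and `*` match any run, `is empty` and `is null` answer different questions, `has` takes one value while `has any` takes several, and `contains` walks an object reached by a dot-notation key. The Python below is an added reference evaluator for those semantics run over constructed sample events. It is not Panther's code; the event shapes, field names and the `lookup`, `like_to_regex`, `matches` and `search` helpers are assumptions for illustration, and where the table leaves detail open (what counts as "empty", how `contains` walks an object) the comments state the reading the example takes.

```python
"""Reference evaluator for the Search filter operators in the table above.
Added example, not Panther's implementation. Events and helpers are constructed
for illustration; the semantics follow the operator descriptions on this page."""
import ipaddress
import re
from datetime import datetime

_MISSING = object()  # sentinel: the key is absent from the event

# Constructed sample events (not real log data).
EVENTS = [
    {"username": "root", "port": 22, "count": 100, "success": True, "ip": "10.2.3.7",
     "role": "admin_ro", "domain": ["google.com", "mail.google.com"],
     "timestamp": "2023-01-19T14:50:00Z", "errorCode": None,
     "actor": {"username": "alice", "attributes": {"group": "Admin"}}},
    {"username": "svc", "port": 8443, "count": 3, "success": False, "ip": "192.168.1.9",
     "role": "viewer", "domain": ["yahoo.com"], "errors_list": [],
     "timestamp": "2023-01-19T14:40:00Z",
     "actor": {"username": "bob", "attributes": {"group": "Users"}}},
]


def lookup(event, key):
    """Resolve a top-level or dot-notation key ('actor.attributes.group')."""
    cur = event
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def like_to_regex(pattern):
    """Translate a `like` pattern: '_' is exactly one character, '%' or '*' is
    zero or more characters, everything else is literal (so '.' is not a wildcard)."""
    parts = []
    for ch in pattern:
        if ch == "_":
            parts.append(".")
        elif ch in "%*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def object_contains(obj, needle):
    """`contains` on an object, read here as: some field value at any depth equals needle."""
    if isinstance(obj, dict):
        return any(object_contains(v, needle) for v in obj.values())
    if isinstance(obj, list):
        return any(object_contains(v, needle) for v in obj)
    return obj == needle


def parse_time(value):
    """Accept RFC 3339 strings (with a 'Z' suffix) or datetime objects."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches(event, field, op, value=None):
    """True if `field <op> value` holds for the event (positive operators only)."""
    v = lookup(event, field)
    present = v is not _MISSING
    if op == "is empty":      # absence of data: key missing, or an empty string/array
        return (not present) or v == "" or v == []
    if op == "is null":       # key present and explicitly null
        return present and v is None
    if not present:           # every other operator needs a value to compare against
        return False
    if op in ("is", "equals"):
        return v == value
    if op == "is in list":
        return v in value
    if op == "has substring":
        return isinstance(v, str) and value in v
    if op == "like":
        return isinstance(v, str) and like_to_regex(value).fullmatch(v) is not None
    if op == ">":
        return v > value
    if op == "<":
        return v < value
    if op == ">=":
        return v >= value
    if op == "<=":
        return v <= value
    if op == "has":           # array field holds this single value
        return isinstance(v, list) and value in v
    if op == "has any":       # array field holds at least one of the given values
        return isinstance(v, list) and any(x in v for x in value)
    if op == "is true":
        return v is True
    if op == "is false":
        return v is False
    if op == "is after":
        return parse_time(v) > parse_time(value)
    if op == "is before":
        return parse_time(v) < parse_time(value)
    if op == "contains":
        return object_contains(v, value)
    if op == "is within CIDR":
        return ipaddress.ip_address(v) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported operator: {op}")


def search(events, field, op, value=None, negate=False):
    """Return the matching events; negate=True gives the table's negated form
    ('is not', 'does not have', 'is not null', ...) as the complement of the positive one."""
    return [e for e in events if matches(e, field, op, value) != negate]
```

Two points worth checking against your own filters: `role like "admin_"` does not match `admin_ro` because `_` consumes exactly one character (use `admin_%` or `admin*` for a prefix match), and an event whose `errorCode` is explicitly `null` satisfies `is null` but not `is empty`, while an event with no `errorCode` key at all satisfies `is empty` but not `is null`.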