Search Filter Operators

Supported operators for Panther's Search tool

Supported operators

| Operator | Usage guidelines | Supported field types | Examples |
| --- | --- | --- | --- |
| is / is not | Valid for a single value. Results include only events where the field matches / does not match the value in the filter. | string, number | `username is "root"` |
| is empty / is not empty | Valid for an event where the field's value is not specified. The operator tests only for the absence of data. | string | `errors_list is empty` |
| is in list / is not in list | Valid for multiple values. Results include only events where the field matches / does not match an entry in the list of values in the filter. | string | `username is in ["root", "admin"]` |
| has substring / does not have substring | Valid for a single value. Results include only events where the field contains / does not contain the value in the filter. | string | `domain contains ".google.com"` |
| like / is not like | Valid for a single value. Results include only events where the field matches the pattern specified in the filter. Wildcards are supported in the pattern: an underscore (`_`) matches any single character; a percent sign (`%`) or asterisk (`*`) matches any sequence of zero or more characters. | string | `role like "admin_"`; `role like "%admin%"`; `role like "admin*"` |
| equals / does not equal | Valid for a single value. Results include only events where the field matches / does not match the value in the filter. | number | `count = 100` |
| is greater than | Valid for a single value. Results include only events where the field is greater than the value in the filter. | number | `port > 1023` |
| is less than | Valid for a single value. Results include only events where the field is less than the value in the filter. | number | `port < 1024` |
| is greater than or equal to | Valid for a single value. Results include only events where the field is greater than or equal to the value in the filter. | number | `count ≥ 1` |
| is less than or equal to | Valid for a single value. Results include only events where the field is less than or equal to the value in the filter. | number | `count ≤ 100` |
| has / does not have | Valid for events that contain a specific single value. Results include only events that contain / do not contain the value in the filter. | array | `domain has "google.com"`, where `domain` is an array of values |
| has any / does not have any | Valid for events that contain any one of an array of values. Results include only events that contain / do not contain any of the values in the array. | array | `domain has any "google.com", "yahoo.com"`, where `domain` is an array of values |
| is true / is false | Valid for a single boolean value. Results include only events where the boolean field is true or false, respectively. | boolean | `success is true` |
| is after | Valid for a single time value. Results include only events that occurred after the specified time value. | time | `timestamp is after 01/19/2023 2:48 PM UTC` |
| is before | Valid for a single time value. Results include only events that occurred before the specified time value. | time | `timestamp is before 01/19/2023 2:48 PM UTC` |
| is null / is not null | Valid for an event where the field's value is null. The operator tests for a null value. | universal | `errorCode is null` |
| contains / does not contain | Valid for events that include objects that contain / do not contain fields with values that match the value in the filter. The provided key in the filter can be top level or can use dot notation to indicate a nested path. | object | `actor contains username`; `actor.attributes does not contain Admin`, where `actor` is a nested object |
| is within CIDR | Valid if a value is within a provided CIDR range. | string | `ip is within CIDR 10.2.3.0/24` |
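The table above describes each operator's semantics but not how they differ at the edges (an absent field versus a JSON null, `_` versus `%` in a `like` pattern, exact element match for `has` on arrays, dot-notation paths for `contains`). The following evaluator is an added example, not Panther's own code: it applies the listed operators to JSON events so those distinctions can be checked. The events, field names and the ISO 8601 timestamp format are constructed for illustration; the reading of `contains` as "some field value inside the object equals the filter value" and of `is empty` as "absent or blank string" are assumptions drawn from the table's wording.

```python
import ipaddress
import re
from datetime import datetime
from typing import Any

MISSING = object()  # sentinel: the field is absent from the event

NEGATIONS = {  # negated operator -> the positive operator it inverts
    "is not": "is", "is not empty": "is empty", "is not in list": "is in list",
    "does not have substring": "has substring", "is not like": "like",
    "does not equal": "equals", "does not have": "has",
    "does not have any": "has any", "is not null": "is null",
    "does not contain": "contains",
}

NUMERIC = {
    "equals": lambda a, b: a == b,
    "is greater than": lambda a, b: a > b,
    "is less than": lambda a, b: a < b,
    "is greater than or equal to": lambda a, b: a >= b,
    "is less than or equal to": lambda a, b: a <= b,
}


def get_field(event: dict, path: str) -> Any:
    """Resolve a top-level key or a dot-notation path such as 'actor.attributes'."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """'_' matches exactly one character; '%' and '*' match zero or more."""
    parts = [".*" if ch in "%*" else "." if ch == "_" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def leaf_values(obj: Any):
    """Yield every scalar value nested anywhere inside a JSON object or array."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from leaf_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from leaf_values(v)
    else:
        yield obj


def is_number(x: Any) -> bool:
    return isinstance(x, (int, float)) and not isinstance(x, bool)


def evaluate(event: dict, field: str, op: str, value: Any = None) -> bool:
    """Apply one filter (field, operator, value) to one event."""
    if op in NEGATIONS:
        return not evaluate(event, field, NEGATIONS[op], value)
    v = get_field(event, field)
    if op == "is null":          # JSON null only; an absent field is not null (assumption)
        return v is None
    if op == "is empty":         # absent or blank string: "the absence of data" (assumption)
        return v is MISSING or v == ""
    if v is MISSING:             # nothing else can match a field that is not there
        return False
    if op == "is":
        return v == value
    if op == "is in list":
        return v in value
    if op == "has substring":
        return isinstance(v, str) and value in v
    if op == "like":
        return isinstance(v, str) and like_to_regex(value).match(v) is not None
    if op in NUMERIC:
        return is_number(v) and NUMERIC[op](v, value)
    if op == "has":              # array holds the exact element
        return isinstance(v, list) and value in v
    if op == "has any":          # array holds at least one of the elements
        return isinstance(v, list) and any(x in v for x in value)
    if op == "is true":
        return v is True
    if op == "is false":
        return v is False
    if op in ("is after", "is before"):   # ISO 8601 timestamps assumed in this example
        t, ref = datetime.fromisoformat(v), datetime.fromisoformat(value)
        return t > ref if op == "is after" else t < ref
    if op == "contains":         # some field value inside the object equals the filter value
        return isinstance(v, dict) and any(x == value for x in leaf_values(v))
    if op == "is within CIDR":
        return ipaddress.ip_address(v) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported operator: {op}")


# Constructed sample events; field names mirror the examples in the table.
EVENTS = [
    {"username": "root", "role": "admin", "port": 22, "count": 100,
     "domain": ["google.com", "example.org"], "success": True,
     "timestamp": "2023-01-19T15:00:00+00:00", "ip": "10.2.3.17",
     "actor": {"username": "alice", "attributes": {"group": "Admin"}},
     "errorCode": None},
    {"username": "svc-backup", "role": "reader", "port": 8443, "count": 3,
     "domain": ["yahoo.com"], "success": False,
     "timestamp": "2023-01-18T09:30:00+00:00", "ip": "192.168.1.5",
     "actor": {"username": "bob", "attributes": {"group": "Users"}},
     "errors_list": ""},
]


def search(field: str, op: str, value: Any = None) -> list:
    """Return the usernames of the sample events that satisfy the filter."""
    return [e["username"] for e in EVENTS if evaluate(e, field, op, value)]


if __name__ == "__main__":
    print(search("role", "like", "admin_"))                  # [] : '_' needs one more character
    print(search("role", "like", "%admin%"))                 # ['root']
    print(search("errorCode", "is null"))                    # ['root'] : absent field is not null
    print(search("errors_list", "is empty"))                 # ['root', 'svc-backup']
    print(search("ip", "is within CIDR", "10.2.3.0/24"))     # ['root']
    print(search("actor.attributes", "does not contain", "Admin"))  # ['svc-backup']
```

Two points worth noticing when running it: `errorCode is null` matches only the event that carries an explicit null, while `errors_list is empty` also matches the event where the field is absent altogether, which is the distinction the table draws between the two operators; and `domain has "google.com"` requires the exact array element, unlike `has substring` on a string field.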

Supported field types

| Field type | Description |
| --- | --- |
| string | A string value |
| number | A 32-bit integer number or 64-bit floating point number |
| boolean | A boolean value, `true` / `false` |
| array | A JSON array where each element is of the same type |
| time | A valid timestamp |
| object | A JSON object |
