ESET Online Help


Rules and logical connectors

A rule consists of an item, a logical connector (logical operator) and a defined value.

When you click Add Rule a window opens with a list of items divided into categories. For example:

Installed software > Application name

Network adapters > MAC address

OS edition > OS name

You can browse the list of all available rules in this ESET Knowledgebase article.

To create a rule, select an item, choose a logical operator and specify a value. The rule will be evaluated according to the value you have specified and the logical operator used.

Acceptable value types include number(s), string(s), enum(s), IP address(es), product masks and computer IDs. Each value type has different logical operators associated with it and ESET PROTECT Web Console will automatically show only supported ones.

equals

Symbol value and template value must match. Strings are compared without case sensitivity.

greater than

Symbol value must be greater than template value. Can also be used to create a range comparison for IP address symbols.

greater or equal

Symbol value must be greater than or equal to template value. Can also be used to create a range comparison for IP address symbols.

less than

Symbol value must be less than template value. Can also be used to create a range comparison for IP address symbols.

less or equal

Symbol value must be less than or equal to template value. Can also be used to create a range comparison for IP address symbols.

contains

Symbol value contains template value. In case of strings, this searches for a sub-string. Search is done without case sensitivity.

starts with

Symbol value has the same text prefix as template value. Strings are compared without case sensitivity. Set the first characters from your search string, for example, for "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319", the prefix is "Micros" or "Micr" or "Microsof", etc.

ends with

Symbol value has the same text postfix as template value. Strings are compared without case sensitivity. Set the last characters from your search string, for example, for "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319", the postfix is "319" or "0.30319", etc.

has mask

Symbol value must match a mask defined in a template. A mask can contain any characters plus two special symbols: '*' stands for zero, one or many characters and '?' stands for exactly one character, for example "6.2.*" or "6.2.2033.?".

regex

Symbol value must match the regular expression (regex) from a template. Regex must be written in Perl format.


note

A regular expression, regex or regexp is a sequence of characters that define a search pattern. For example, gray|grey and gr(a|e)y are equivalent patterns which both match these two words: "gray", "grey".

is one of

Symbol value must match any value from a list in a template. To add an item, click Add. Each line is a new item in the list. Strings are compared without case sensitivity.

is one of (string mask)

Symbol value must match any mask from a list in a template. Strings are compared with case sensitivity. Examples: *endpoint-pc*, *Endpoint-PC*.

has value

 


note

For time rules, you can select the Measure time elapsed check box to create a Dynamic Group template based on the time elapsed since a specific event.

Negated operators:


important

Negated operators must be used with care, because in the case of multiple line logs such as "Installed application", all lines are tested against these conditions. Please consult the included examples (Template rules evaluation and Dynamic Group template - examples) to see how negated operators or negated operations must be used to get expected results.

doesn't equal

Symbol value and template value must not match. Strings are compared without case sensitivity.

doesn't contain

Symbol value does not contain template value. Search is done without case sensitivity.

doesn't start with

Symbol value does not have the same text prefix as template value. Strings are compared without case sensitivity.

doesn't end with

Symbol value does not have the same text postfix as template value. Strings are compared without case sensitivity.

doesn't have mask

Symbol value must not match a mask defined in a template.

not regex

Symbol value must not match a regular expression (regex) from a template. Regex must be written in Perl format. Negation operation is provided as a helper to negate matching regular expressions without rewrites.

is not one of

Symbol value must not match any value from the list in a template. Strings are compared without case sensitivity.

is not one of (string mask)

Symbol value must not match any mask from a list in a template.

has no value
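
The following Python model is an added example, not ESET code. It shows why a negated operator on a multi-line log such as installed software does not isolate computers that lack an application, while negating the positive rule over the whole log does. All function names and inventories are hypothetical, and the evaluation model (a multi-line log satisfies a rule when at least one line satisfies it) and case-sensitive mask matching are assumptions made for illustration.

```python
import re

def mask_to_regex(mask):
    """Translate a mask: '*' = zero, one or many characters, '?' = exactly one."""
    table = {"*": ".*", "?": "."}
    return re.compile("".join(table.get(c, re.escape(c)) for c in mask), re.DOTALL)

# Positive operators as described on this page (strings compared case-insensitively).
POSITIVE = {
    "equals": lambda sym, tpl: sym.casefold() == tpl.casefold(),
    "contains": lambda sym, tpl: tpl.casefold() in sym.casefold(),
    "starts with": lambda sym, tpl: sym.casefold().startswith(tpl.casefold()),
    "ends with": lambda sym, tpl: sym.casefold().endswith(tpl.casefold()),
    # Assumption: masks are compared case-sensitively, as for "is one of (string mask)".
    "has mask": lambda sym, tpl: mask_to_regex(tpl).fullmatch(sym) is not None,
}
NEGATED = {
    "doesn't equal": "equals",
    "doesn't contain": "contains",
    "doesn't start with": "starts with",
    "doesn't end with": "ends with",
    "doesn't have mask": "has mask",
}

def line_matches(op, symbol, template):
    """Evaluate one rule against one symbol value (one log line)."""
    if op in NEGATED:
        return not POSITIVE[NEGATED[op]](symbol, template)
    return POSITIVE[op](symbol, template)

def log_matches(op, lines, template):
    """Assumption: a multi-line log satisfies a rule if at least one line does."""
    return any(line_matches(op, line, template) for line in lines)

def lacks(lines, template, op="contains"):
    """Negated operation: negate the positive rule over the whole log."""
    return not log_matches(op, lines, template)

# Constructed inventories ("Installed software > Application name" lines).
PROTECTED = ["Example Backup Agent 4.1", "Example PDF Viewer"]
UNPROTECTED = ["Example PDF Viewer", "Example Archiver"]

if __name__ == "__main__":
    for name, inv in (("protected", PROTECTED), ("unprotected", UNPROTECTED)):
        print(name, log_matches("doesn't contain", inv, "backup agent"),
              lacks(inv, "backup agent"))
```

In this model the "doesn't contain" rule is true for both inventories, because each has at least one other application line, so a group built on it would not separate the computers missing the agent.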