ESET Online Help

Rules and logical connectors

A rule consists of an item, logical connector (logical operator) and defined value.

When you click Add Rule a window opens with a list of items divided into categories. For example:

Installed software > Application name

Network adapters > MAC address

OS edition > OS name

You can browse the list of all available rules in this ESET Knowledgebase article.

To create a rule, select an item, choose a logical operator and specify a value. The rule will be evaluated according to the value you have specified and the logical operator used.

Acceptable value types include number(s), string(s), enum(s), IP address(es), product masks and computer IDs. Each value type has different logical operators associated with it and ESET PROTECT Web Console will automatically show only supported ones.

= (equal)

Symbol value and template value must match. Strings are compared without case sensitivity.

> (greater than)

Symbol value must be greater than template value. Can also be used to create a range comparison for IP address symbols.

≥ (greater or equal)

Symbol value must be greater than or equal to template value. Can also be used to create a range comparison for IP address symbols.

< (less than)

Symbol value must be less than template value. Can also be used to create a range comparison for IP address symbols.

≤ (less or equal)

Symbol value must be less than or equal to template value. Can also be used to create a range comparison for IP address symbols.

contains

Symbol value contains template value. In case of strings, this searches for a sub-string. Search is done without case sensitivity.

has prefix

Symbol value has the same text prefix as template value. Strings are compared without case sensitivity. Enter the first characters of your search string; for example, for "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319", the prefix is "Micros" or "Micr" or "Microsof", etc.

has postfix

Symbol value has the same text postfix as template value. Strings are compared without case sensitivity. Enter the last characters of your search string; for example, for "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319", the postfix is "319" or "0.30319", etc.

has mask

Symbol value must match a mask defined in a template. A mask can contain any characters plus two special symbols: '*' stands for zero, one or many characters and '?' stands for exactly one character. For example: "6.2.*" or "6.2.2033.?".

regex

Symbol value must match the regular expression (regex) from a template. Regex must be written in Perl format.


note

A regular expression, regex or regexp is a sequence of characters that define a search pattern. For example, gray|grey and gr(a|e)y are equivalent patterns which both match these two words: "gray", "grey".

is one of

Symbol value must match any value from a list in a template. To add an item, click Add. Each line is a new item in the list. Strings are compared without case sensitivity.

is one of (string mask)

Symbol value must match any mask from a list in a template. Strings are compared with case sensitivity. Examples: *endpoint-pc*, *Endpoint-PC*.

has value

 


note

For time rules, you can select the Measure time elapsed check box to create a Dynamic Group template based on the time elapsed since a specific event.

Negated operators:


important

Negated operators must be used with care, because in the case of multi-line logs such as "Installed application", all lines are tested against these conditions. Consult the included examples (Template rules evaluation and Dynamic Group template - examples) to see how negated operators or negated operations must be used to get the expected results.

≠ (not equal)

Symbol value and template value must not match. Strings are compared without case sensitivity.

doesn't contain

Symbol value does not contain template value. Search is done without case sensitivity.

doesn't have prefix

Symbol value does not have the same text prefix as template value. Strings are compared without case sensitivity.

doesn't have postfix

Symbol value does not have the same text postfix as template value. Strings are compared without case sensitivity.

doesn't have mask

Symbol value must not match a mask defined in a template.

not regex

Symbol value must not match a regular expression (regex) from a template. Regex must be written in Perl format. Negation operation is provided as a helper to negate matching regular expressions without rewrites.

is not one of

Symbol value must not match any value from the list in a template. Strings are compared without case sensitivity.

is not one of (string mask)

Symbol value must not match any mask from a list in a template.

has no value
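
The following Python model is an added example, not ESET code. It reproduces the mask, prefix/postfix and contains semantics described above and shows why a negated operator tested line by line against a multi-line log does not answer "is this application absent?". The function names, the whole-value anchoring of masks and the sample rows are assumptions made for illustration; how ESET PROTECT combines per-line results is defined in the Template rules evaluation topic and is not modelled here.

```python
import re

def mask_match(value, mask):
    """Mask match: '*' = zero, one or many characters, '?' = exactly one.
    Assumptions: the mask must cover the whole value and matching is
    case-sensitive, as the page states for 'is one of (string mask)'."""
    pattern = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in mask
    )
    return re.fullmatch(pattern, value, re.DOTALL) is not None

def is_one_of_mask(value, masks):
    return any(mask_match(value, m) for m in masks)

# String operators the page documents as case-insensitive.
def contains(value, template):
    return template.lower() in value.lower()

def has_prefix(value, template):
    return value.lower().startswith(template.lower())

def has_postfix(value, template):
    return value.lower().endswith(template.lower())

def per_row(op, rows, template, negate=False):
    """Result of one operator on every row of a multi-line log.
    negate=True models the negated operator (e.g. "doesn't contain")."""
    return [op(row, template) != negate for row in rows]

# Constructed sample rows for "Installed software > Application name".
INSTALLED = [
    "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319",
    "Mozilla Firefox",
    "7-Zip",
]

if __name__ == "__main__":
    print(mask_match("6.2.9200", "6.2.*"), mask_match("6.2.2033.10", "6.2.2033.?"))
    # Case-sensitive mask list: a lowercase-only mask misses a mixed-case name.
    print(is_one_of_mask("LAB-Endpoint-PC-07", ["*endpoint-pc*"]))
    # "doesn't contain firefox" holds on two of three rows although Firefox is installed.
    print(per_row(contains, INSTALLED, "firefox", negate=True))
    # Absence is a statement about every row of the positive operator.
    print(not any(per_row(contains, INSTALLED, "firefox")))
```

The same per-line view explains why the page lists both *endpoint-pc* and *Endpoint-PC* for the case-sensitive mask list: a template that relies on one casing silently leaves differently cased computers out of the group.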