3.5 Operators

Operators are used to transition between operations or expressions. The fundamental operators used between operations are:

3.5.1 Flow Operator

The output set of events of the left-hand side operation is the input set of events for the right-hand side operation. Flow is typically used to transition from one correlation operation to the next.

For example:

filter(e.sev = 5) flow trigger(3, 60)

The output of the filter operation is the input of the trigger operation. The trigger only counts events with severity equal to 5.

3.5.2 Union Operator

The union of the left side operation output set and the right side operation output set. The resulting output set contains events from either the left-hand side operation output set or the right-hand side operation output set without duplicates.

For example:

filter(e.sev = 5) union filter(e.sip = 10.0.0.1)

is equivalent to

filter(e.sev = 5 or e.sip = 10.0.0.1)

3.5.3 Intersection Operator

The intersection of the left side operation output set and the right side operation output set. The resulting output set contains events that are common in both the left-hand side operation output set and the right-hand side operation output set without duplicates.

For example:

filter(e.sev = 5) intersection filter(e.sip = 10.0.0.1)

is equivalent to

filter(e.sev = 5 and e.sip = 10.0.0.1)

3.5.4 Discriminator Operator

The discriminator operator allows users to group by event fields within other event operations. Discriminator can be used within the trigger, gate, or sequence operations. This is the last operation when executing a condition. The input for this operator will generally be the output of other operations, if any.

For example, the following expression identifies five severity 5 events within 60 seconds that all have the same source IP. Note that the discriminator attribute (e.sip in this example) can hold any value, even NULL, but it must be identical across all five events for the rule to fire.

filter(e.sev=5) flow trigger(5, 60s, discriminator(e.sip))
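To make the four operators concrete, the following is an added Python interpreter of the semantics described in 3.5.1 through 3.5.4; it is example code written for this page, not the correlation engine's own implementation. It assumes that events carry ts (seconds), sev and sip fields plus an integer id used for de-duplication, that a trigger resets its window after firing, and that the event stream is a constructed sample. It runs the union/or and intersection/and equivalences from 3.5.2 and 3.5.3 and both trigger forms from 3.5.1 and 3.5.4 over the same stream.

```python
"""Reference interpreter for the operator semantics described above.
Added example, not the correlation engine's own code: the event fields
(ts, sev, sip), the integer id used for de-duplication and the sample
stream are all assumptions made for the demonstration."""
from collections import defaultdict, deque

# Constructed sample stream (not captured data): timestamps in seconds.
EVENTS = [
    {"id": 1,  "ts": 0,   "sev": 5, "sip": "10.0.0.1"},
    {"id": 2,  "ts": 10,  "sev": 3, "sip": "10.0.0.1"},   # dropped by e.sev = 5
    {"id": 3,  "ts": 20,  "sev": 5, "sip": "10.0.0.2"},
    {"id": 4,  "ts": 30,  "sev": 5, "sip": "10.0.0.1"},
    {"id": 5,  "ts": 40,  "sev": 5, "sip": None},         # NULL source IP
    {"id": 6,  "ts": 50,  "sev": 5, "sip": "10.0.0.1"},
    {"id": 7,  "ts": 130, "sev": 5, "sip": "10.0.0.1"},   # second burst, > 60s later
    {"id": 8,  "ts": 135, "sev": 5, "sip": "10.0.0.1"},
    {"id": 9,  "ts": 140, "sev": 5, "sip": "10.0.0.1"},
    {"id": 10, "ts": 145, "sev": 5, "sip": "10.0.0.1"},
    {"id": 11, "ts": 150, "sev": 5, "sip": "10.0.0.1"},
]

# Every operation is a function from an event list to an event list.
def filter_op(pred):
    return lambda events: [e for e in events if pred(e)]

def flow(left, right):
    # Output set of the left operation is the input set of the right one.
    return lambda events: right(left(events))

def _dedup(events):
    # Drop duplicate events (same id) and keep stream order.
    seen, out = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] not in seen:
            seen.add(e["id"])
            out.append(e)
    return out

def union(left, right):
    return lambda events: _dedup(left(events) + right(events))

def intersection(left, right):
    def run(events):
        right_ids = {e["id"] for e in right(events)}
        return _dedup([e for e in left(events) if e["id"] in right_ids])
    return run

def trigger(count, window, discriminator=None):
    """Fire once `count` events fall within `window` seconds.  With a
    discriminator, events are bucketed by that field and each bucket is
    counted on its own; without one there is a single global bucket.
    Returns a list of firings, each the list of events that caused it."""
    key = discriminator or (lambda e: None)
    def run(events):
        buckets, firings = defaultdict(deque), []
        for e in sorted(events, key=lambda e: e["ts"]):
            q = buckets[key(e)]
            q.append(e)
            while e["ts"] - q[0]["ts"] > window:   # slide the window forward
                q.popleft()
            if len(q) >= count:
                firings.append(list(q))
                q.clear()                          # assumed: one burst fires once
        return firings
    return run

SEV5 = filter_op(lambda e: e["sev"] == 5)                 # filter(e.sev = 5)
FROM_HOST = filter_op(lambda e: e["sip"] == "10.0.0.1")   # filter(e.sip = 10.0.0.1)

def ids(events):
    return [e["id"] for e in events]

def union_ids():          # filter(e.sev = 5) union filter(e.sip = 10.0.0.1)
    return ids(union(SEV5, FROM_HOST)(EVENTS))

def or_ids():             # filter(e.sev = 5 or e.sip = 10.0.0.1)
    return ids(filter_op(lambda e: e["sev"] == 5 or e["sip"] == "10.0.0.1")(EVENTS))

def intersection_ids():   # filter(e.sev = 5) intersection filter(e.sip = 10.0.0.1)
    return ids(intersection(SEV5, FROM_HOST)(EVENTS))

def and_ids():            # filter(e.sev = 5 and e.sip = 10.0.0.1)
    return ids(filter_op(lambda e: e["sev"] == 5 and e["sip"] == "10.0.0.1")(EVENTS))

def global_firings():     # filter(e.sev=5) flow trigger(3, 60)
    return [ids(f) for f in flow(SEV5, trigger(3, 60))(EVENTS)]

def per_sip_firings():    # filter(e.sev=5) flow trigger(5, 60s, discriminator(e.sip))
    rule = flow(SEV5, trigger(5, 60, discriminator=lambda e: e["sip"]))
    return [ids(f) for f in rule(EVENTS)]

if __name__ == "__main__":
    print("union       ", union_ids(), "==", or_ids())
    print("intersection", intersection_ids(), "==", and_ids())
    print("trigger(3, 60)                     ", global_firings())
    print("trigger(5, 60s, discriminator(sip))", per_sip_firings())
```

Running it shows why the discriminator matters for a detection: the undiscriminated trigger(3, 60) fires first on events 1, 3 and 4, which come from two different source IPs (and would happily mix in the NULL-sip event 5), whereas trigger(5, 60s, discriminator(e.sip)) only fires on the second burst, where all five events share the same source IP; the three events from 10.0.0.1 in the first minute never reach the count on their own.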