Operator Reference
Every filter inside a condition has three properties: field, operator, and value. This page documents every supported operator.
Full Operator Table
| Operator | Aliases | Value Type | Description |
|---|---|---|---|
| equals | eq | string / number | Exact match (loose string coercion: "200" matches 200) |
| not_equals | neq, ne | string / number | Not equal |
| contains | — | string | Case-insensitive substring match. Ideal for metadata.raw_log searches |
| not_contains | — | string | Field does not contain the substring |
| starts_with | — | string | Case-insensitive prefix match |
| ends_with | — | string | Case-insensitive suffix match |
| gt | greater_than | number | Numeric greater-than |
| lt | less_than | number | Numeric less-than |
| gte | greater_than_or_equal | number | Numeric ≥ |
| lte | less_than_or_equal | number | Numeric ≤ |
| in | — | array | actualValue is one of the array items (string coercion) |
| not_in | — | array | actualValue is not in the array |
| exists | — | — | Field is non-null and non-undefined. No value required |
| not_exists | — | — | Field is null or undefined |
| regex | — | string | Case-insensitive regular expression match against the field value |
Operator Examples
equals
Match events where the service is exactly "ssh":
```json
{ "field": "metadata.service", "operator": "equals", "value": "ssh" }
```
contains
Find raw log lines that mention invalid SSH users:
```json
{ "field": "metadata.raw_log", "operator": "contains", "value": "invalid user" }
```
not_in
Flag data exports to any country not on your approved list:
```json
{
  "field": "metadata.destination_country",
  "operator": "not_in",
  "value": ["US", "GB", "DE", "CA", "AU"]
}
```
gt (greater than)
Alert when a single export exceeds 10,000 records:
```json
{ "field": "metadata.record_count", "operator": "gt", "value": 10000 }
```
exists
Only match events where a VPN field has been populated:
```json
{ "field": "metadata.network_intelligence.is_vpn", "operator": "exists" }
```
regex
Match user-agents that look like bots or scanners:
```json
{
  "field": "metadata.user_agent",
  "operator": "regex",
  "value": "(sqlmap|nikto|masscan|zgrab|nuclei|nmap)"
}
```
in
Fire only for high-risk country logins:
```json
{
  "field": "metadata.country_code",
  "operator": "in",
  "value": ["KP", "IR", "SY", "CU"]
}
```
Combining Operators with AND / OR
AND — all conditions must be true
```json
{
  "logical_operator": "AND",
  "filters": [
    { "field": "metadata.network_intelligence.is_datacenter", "operator": "equals", "value": "true" },
    { "field": "metadata.service", "operator": "equals", "value": "ssh" }
  ]
}
```
OR — at least one condition must be true
```json
{
  "logical_operator": "OR",
  "filters": [
    { "field": "metadata.network_intelligence.is_vpn", "operator": "equals", "value": "true" },
    { "field": "metadata.network_intelligence.is_tor", "operator": "equals", "value": "true" },
    { "field": "metadata.network_intelligence.is_proxy", "operator": "equals", "value": "true" }
  ]
}
```
NOT — negates the first filter
```json
{
  "logical_operator": "NOT",
  "filters": [
    { "field": "metadata.method", "operator": "equals", "value": "saml_sso" }
  ]
}
```
This matches any event where the auth method is not SAML SSO.
Common Pitfalls
| Mistake | Fix |
|---|---|
| Boolean values as booleans: "value": true | Use string coercion: "value": "true" — the engine compares via String(actual) |
| Using regex operator with catastrophic backtracking patterns | Test your regex externally first; invalid patterns are silently skipped |
| Filtering on enriched fields (is_datacenter) before enrichment runs | These fields are set by LiteSOC during ingestion — always available by the time rules run |
| not_in with an empty array | Always matches (nothing is in []). Add a guard or use exists |
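To see the operator table, the AND / OR / NOT combinators and the pitfalls above behave together, here is an added reference evaluator that follows the semantics this page documents (string coercion via String(actual), case-insensitive text operators, NOT negating the first filter, invalid regex skipped). It is example code, not LiteSOC's own engine; the dotted field-path lookup and the sample event are assumptions made for the demonstration.

```javascript
// Added example, not LiteSOC's own engine: a small evaluator implementing the
// operator semantics documented on this page. Field paths are dotted strings.
const getField = (obj, path) =>
  path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
const lc = (x) => String(x).toLowerCase();

const OPS = {
  equals: (a, v) => String(a) === String(v),           // loose coercion: 200 matches "200"
  not_equals: (a, v) => String(a) !== String(v),
  contains: (a, v) => lc(a).includes(lc(v)),           // case-insensitive substring
  not_contains: (a, v) => !lc(a).includes(lc(v)),
  starts_with: (a, v) => lc(a).startsWith(lc(v)),
  ends_with: (a, v) => lc(a).endsWith(lc(v)),
  gt: (a, v) => Number(a) > Number(v),
  lt: (a, v) => Number(a) < Number(v),
  gte: (a, v) => Number(a) >= Number(v),
  lte: (a, v) => Number(a) <= Number(v),
  in: (a, v) => v.some((x) => String(x) === String(a)),
  not_in: (a, v) => !v.some((x) => String(x) === String(a)), // empty array: always true
  exists: (a) => a != null,                            // non-null and non-undefined
  not_exists: (a) => a == null,
  regex: (a, v) => {                                   // invalid pattern: silently skipped
    try { return new RegExp(v, "i").test(String(a)); } catch { return false; }
  },
};
const ALIASES = { eq: "equals", neq: "not_equals", ne: "not_equals", greater_than: "gt",
  less_than: "lt", greater_than_or_equal: "gte", less_than_or_equal: "lte" };

function evalFilter(event, f) {
  const op = OPS[ALIASES[f.operator] || f.operator];
  if (!op) throw new Error(`unknown operator: ${f.operator}`);
  return op(getField(event, f.field), f.value);
}

function evalCondition(event, cond) {
  const results = cond.filters.map((f) => evalFilter(event, f));
  if (cond.logical_operator === "AND") return results.every(Boolean);
  if (cond.logical_operator === "OR") return results.some(Boolean);
  if (cond.logical_operator === "NOT") return !results[0];   // negates the first filter only
  throw new Error(`unknown logical_operator: ${cond.logical_operator}`);
}

// Constructed sample event (not real telemetry) for trying the rules on this page.
const sampleEvent = { metadata: {
  service: "ssh", record_count: 12000, country_code: "US",
  raw_log: "Failed password for Invalid User admin from 203.0.113.7",
  network_intelligence: { is_datacenter: true },
} };
```

Running the AND condition from the previous section against sampleEvent returns true because String(true) equals "true", while the same filter with "value": true would still pass here only by coincidence of coercion; an exists check on the missing is_vpn field returns false.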