...
You can apply this operation either as a Filter or Create field operation:
Operation | Description |
---|---|
Filter | Creates a filter that returns only those strings including a specific token, ignoring case. Optionally, you can add one or two boolean values to extend the left and right length of the token. |
Create field | Adds a new Boolean field that shows true when a specific token is present in a given string, ignoring case. Optionally, you can add one or two boolean values to extend the left and right length of the token. |
Note: Use the Contains tokens (toktains) operation if you need to discriminate between uppercase and lowercase letters.
...
Select Filter / Create field in the search window toolbar, then select the Contains tokens - case insensitive operation. This operation requires at least two arguments (Value and contains). Optionally, you can add the right extended and left extended arguments to expand the length of the token.
Argument | Data type | More information |
---|---|---|
Value (mandatory) | string | - |
contains (mandatory) | string | - |
left extended | boolean | Add this argument if you want to get strings that contain the indicated token with alphanumerical values to the left. For example, if you enter 10 as a token and set the left extended argument to true, you will get strings containing, for example, -10- or .10. but also abc10- or 12310- |
right extended | boolean | Add this argument if you want to get strings that contain the indicated token with alphanumerical values to the right. For example, if you enter 10 as a token and set the right extended argument to true, you will get strings containing, for example, -10- or .10. but also -10abc or -10123 |
If you use the Create field operation, the data type of the values in the new field is boolean (true or false).
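
The boundary rules from the argument table, modelled in Python as an added example (not Devo's implementation and not code from this page). It assumes a token delimiter is the start or end of the string or any character other than an ASCII letter or digit; `contains_token_ci` and `match_table` are hypothetical names.

```python
import re

# Assumption: a token delimiter is the start/end of the string or any
# character that is not an ASCII letter or digit.
_ALNUM = "[A-Za-z0-9]"


def contains_token_ci(value, token, left_extended=False, right_extended=False):
    """Case-insensitive token test following the argument table above."""
    if not token:
        return False
    # Without "extended", the character next to the token must be a delimiter.
    left = "" if left_extended else f"(?<!{_ALNUM})"
    right = "" if right_extended else f"(?!{_ALNUM})"
    pattern = left + re.escape(token) + right
    return re.search(pattern, value, re.IGNORECASE) is not None


def match_table(token, samples):
    """Return {sample: (default, left_extended, right_extended)} results."""
    return {
        s: (
            contains_token_ci(s, token),
            contains_token_ci(s, token, left_extended=True),
            contains_token_ci(s, token, right_extended=True),
        )
        for s in samples
    }


# Sample strings taken from the examples in the argument table.
SAMPLES = ["-10-", ".10.", "abc10-", "12310-", "-10abc", "-10123"]

# Constructed user-agent values (not real log data).
USER_AGENTS = ["Mozilla/5.0 (X11; Linux x86_64)", "curl/8.0 notmozilla-test"]

if __name__ == "__main__":
    for sample, flags in match_table("10", SAMPLES).items():
        print(f"{sample!r:10} default={flags[0]} left={flags[1]} right={flags[2]}")
    for ua in USER_AGENTS:
        print(f"{ua!r}: {contains_token_ci(ua, 'mozilla')}")
```

When the operation backs a detection filter, the default rule matters: a value embedded in a longer alphanumeric run, such as notmozilla, is not returned unless the matching extended argument is set.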
...
In the siem.logtrust.web.activity table, we want to get only the events that include the token mozillalanguage in the userAgent headers field strings (value mozillalanguage delimited by ASCII symbols). We want to ignore the case, so tokens including capital letters will also be considered. To do this, we will apply a Filter using the Contains tokens - case insensitive operation.
...
The arguments needed for the filter are:
Value - userAgent headers field
contains - Click the pencil icon and enter mozilla language
...
Click Filter data and you will see the following result. As you can see, the results include events containing the token mozilla language and also Mozilla Language.
...
Click Create field and follow the same steps to add a new Boolean field that shows true when the conditions explained above are met.
...