
Is in (`in`, <-)

Description

You can apply this operation either as a Filter or Create field operation:

Filter

Checks for the presence of one or more values in a given string. The filter will identify those strings containing at least one of the indicated values.

You can also use this operation to filter IPv4 or IPv6 addresses that belong to a specific net, using CIDR notation.

Create field

Adds a new Boolean field that shows true only for those strings that contain at least one of the indicated values.

You can also use this operation to create a new field that shows true for IPv4 or IPv6 addresses that belong to a specific net, using CIDR notation.

This operation is case sensitive. Use the Is in - case insensitive (weakin) operation if you need to apply this filter ignoring case.

How does it work in the search window?

Select Filter / Create field in the search window toolbar, then select the Is in operation. This operation requires at least two arguments:

  • Value and is in if you select string values. Optionally, you can add as many or also arguments as you need.

  • IP and in net if you select an ip field and a net4 field, or enter it manually. Nets in the selected field or entered manually must follow the format x.x.x.x/s (CIDR).

| Argument | Data type |
|---|---|
| Value / IP (mandatory) | string / ip / ip6 |
| is in / in net (mandatory) | string / net4 / net6 |
| or also | string |

If you use the Create field operation, the data type of the values in the new field is boolean (true or false).

You can also use the Contains (has, ->) operation to check for the presence of values in a given string; the only difference is the order of the arguments. The Is in operation requires you to first indicate the value(s) to check and then the general string (value IS IN string), while the Contains operation works the other way around (string CONTAINS value).

Example

In the siem.logtrust.web.activity table, we want to get only the events that contain the word access, control, or both in the headers field. To do this, we will apply a Filter using the Is in operation.

The arguments needed for the filter are:

  • Value - Click the pencil icon and enter access

  • or also - Click the pencil icon and enter control

  • is in - headers field

Click Filter data and you will see the following result:

Click Create field and follow the same steps to add a new Boolean field that shows true when the strings in the uri field contain access, control, or both.

How does it work in LINQ?

Use the operator where... to apply the Filter operation and select... as... to apply the Create field operation. These are the valid formats of the Is in operation:

  • string_value <- string_general - Note that this format does not admit more than two arguments. Use the format below if you need to add several arguments:

  • `in`(string_value1, string_value2... string_general)

  • ip <- net4

  • `in`(ip, net4)

Example

You can copy the following LINQ scripts and try the above example on the demo.ecommerce.data table:

from demo.ecommerce.data where `in`("product", "screen", uri)

And this is the same example using the Create field operation:

from demo.ecommerce.data select `in`("product", "screen", uri) as product_screen_uri

You can also apply this operation using the <- operator. However, this syntax does not admit more than two arguments, so you can only add a value to be searched in the selected field. In the following examples, we want to detect events containing product in the uri field:

from demo.ecommerce.data where "product" <- uri
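To make the two forms of the operation concrete, the following Python model reproduces their semantics (case-sensitive substring match for string values, CIDR membership for addresses) over constructed sample events. It is an added illustration, not Devo's implementation; the EVENTS records and the function names is_in, ip_in_net, filter_events, select_in and filter_by_net are assumptions made for the example.

```python
import ipaddress
from typing import Iterable

# Constructed sample events (not real Devo data): a uri and a client address each.
EVENTS = [
    {"uri": "/shop/product/1234", "clientIpAddress": "48.126.91.17"},
    {"uri": "/support/screen-size", "clientIpAddress": "10.0.0.5"},
    {"uri": "/shop/Product/1234", "clientIpAddress": "48.126.92.1"},
    {"uri": "/checkout", "clientIpAddress": "2001:db8::1"},
]


def is_in(values: Iterable[str], general: str) -> bool:
    """Model of `in`(value1, value2..., general): true when the general string
    contains at least one of the values. The comparison is case sensitive,
    matching the documented behaviour (weakin is the case-insensitive variant)."""
    return any(v in general for v in values)


def ip_in_net(ip: str, net: str) -> bool:
    """Model of ip <- net4 / ip6 <- net6: true when the address lies inside the
    CIDR network. A family mismatch (IPv4 address vs IPv6 net) is simply false."""
    addr = ipaddress.ip_address(ip)
    network = ipaddress.ip_network(net, strict=False)
    return addr.version == network.version and addr in network


def filter_events(events, values, field="uri"):
    """Filter form: keep only events whose field contains one of the values."""
    return [e for e in events if is_in(values, e[field])]


def select_in(events, values, field="uri", new_field="product_screen_uri"):
    """Create-field form: keep every event and add a boolean field."""
    return [{**e, new_field: is_in(values, e[field])} for e in events]


def filter_by_net(events, net, field="clientIpAddress"):
    """Filter form for addresses: keep events whose address is in the net."""
    return [e for e in events if ip_in_net(e[field], net)]


if __name__ == "__main__":
    # Equivalent of: where `in`("product", "screen", uri)
    for e in filter_events(EVENTS, ["product", "screen"]):
        print("matched uri:", e["uri"])
    # Equivalent of: where clientIpAddress <- 48.126.91.0/24 (sample net from the page)
    for e in filter_by_net(EVENTS, "48.126.91.0/24"):
        print("in net:", e["clientIpAddress"])
```

Note that "/shop/Product/1234" is not matched, because the operation is case sensitive.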

Additional LINQ examples

The following queries use the Is in operation to get the IP addresses in the clientIpAddress field that belong to the net 48.126.91.0/24. Both syntaxes are valid.