Inlist Operator

The inlist operator is used to perform a lookup on an existing dynamic list of string values, returning true if the value is present in the list. For more information about Dynamic Lists, refer to Correlation Tab in the Sentinel Control Center User's Guide.

For example, this filter expression is used to evaluate whether the Source IP of the current event is present on a dynamic list called MailServerList. If the Source IP is present in this list, the expression evaluates to TRUE.

filter(e.sip inlist MailServerList)

As another example, this filter expression combines the NOT and INLIST operators. This expression evaluates to TRUE if the Source IP is not present in the dynamic list called MailServerList.

filter(not (e.sip inlist MailServerList))

This filter expression is used to evaluate whether the event name of the current event equals "File Access" and the Source User Name is not present in a dynamic list called AuthorizedUsers. If both conditions are true for the current event, the expression evaluates to TRUE.

filter(e.evt="File Access" and not(e.sun inlist AuthorizedUsers))
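As an added example (not Sentinel's own code), the following Python evaluator models the inlist operator over an in-memory dynamic list so that the three filter expressions on this page can be run against constructed sample events. The field names e.sip, e.sun and e.evt are the ones used above; the list contents, the event values and the exact-match, case-sensitive membership rule are assumptions of this model, and the grammar it accepts is a hypothetical subset (filter, =, not, and, inlist, parentheses) that is just sufficient for these expressions.

```python
import re
from typing import Any, Dict, List, Optional, Set, Tuple

# Dynamic lists are modelled as name -> set of strings. Membership is an exact,
# case-sensitive comparison here (an assumption: the page does not describe
# how Sentinel normalizes list values).
DynamicLists = Dict[str, Set[str]]
Event = Dict[str, str]
Node = Tuple[Any, ...]

TOKEN_RE = re.compile(r'\(|\)|=|"[^"]*"|[A-Za-z_][A-Za-z0-9_.]*')


def tokenize(expr: str) -> List[str]:
    """Split a filter expression into tokens, rejecting unknown characters."""
    tokens = TOKEN_RE.findall(expr)
    if re.sub(r"\s+", "", "".join(tokens)) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unrecognized characters in {expr!r}")
    return tokens


class Parser:
    """Recursive-descent parser for filter( expr ) with and / not / = / inlist."""

    def __init__(self, expr: str) -> None:
        self.toks = tokenize(expr)
        self.pos = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected: Optional[str] = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self) -> Node:
        self.take("filter")
        self.take("(")
        node = self.expr()
        self.take(")")
        if self.peek() is not None:
            raise SyntaxError(f"trailing tokens: {self.toks[self.pos:]}")
        return node

    def expr(self) -> Node:  # expr := unary ('and' unary)*
        node = self.unary()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self) -> Node:  # unary := 'not' unary | primary
        if self.peek() == "not":
            self.take()
            return ("not", self.unary())
        return self.primary()

    def primary(self) -> Node:  # primary := '(' expr ')' | operand op operand
        if self.peek() == "(":
            self.take("(")
            node = self.expr()
            self.take(")")
            return node
        left = self.operand()
        op = self.take()
        if op == "=":
            return ("eq", left, self.operand())
        if op == "inlist":
            return ("inlist", left, self.take())  # right side is a list name
        raise SyntaxError(f"unknown operator {op!r}")

    def operand(self) -> Node:
        tok = self.take()
        if tok.startswith('"'):
            return ("str", tok[1:-1])
        if tok.startswith("e."):
            return ("field", tok[2:])
        raise SyntaxError(f"expected field or string literal, got {tok!r}")


def value(node: Node, event: Event) -> Optional[str]:
    """Resolve a literal or event field; a missing field yields None."""
    return node[1] if node[0] == "str" else event.get(node[1])


def evaluate(node: Node, event: Event, lists: DynamicLists) -> bool:
    kind = node[0]
    if kind == "eq":
        return value(node[1], event) == value(node[2], event)
    if kind == "inlist":
        if node[2] not in lists:
            raise KeyError(f"no dynamic list named {node[2]!r}")
        return value(node[1], event) in lists[node[2]]
    if kind == "not":
        return not evaluate(node[1], event, lists)
    if kind == "and":
        return evaluate(node[1], event, lists) and evaluate(node[2], event, lists)
    raise ValueError(f"unknown node {kind!r}")


def run_filter(expr: str, event: Event, lists: DynamicLists) -> bool:
    return evaluate(Parser(expr).parse(), event, lists)


# Constructed sample data (not from the page).
LISTS: DynamicLists = {
    "MailServerList": {"10.0.0.25", "10.0.0.26"},
    "AuthorizedUsers": {"backup_svc", "dba_admin"},
}
MAIL_EVENT: Event = {"sip": "10.0.0.25", "sun": "backup_svc", "evt": "File Access"}
OTHER_EVENT: Event = {"sip": "192.0.2.77", "sun": "jdoe", "evt": "File Access"}

if __name__ == "__main__":
    for expr in (
        "filter(e.sip inlist MailServerList)",
        "filter(not (e.sip inlist MailServerList))",
        'filter(e.evt="File Access" and not(e.sun inlist AuthorizedUsers))',
    ):
        print(expr, "->", run_filter(expr, MAIL_EVENT, LISTS),
              run_filter(expr, OTHER_EVENT, LISTS))
```

One behaviour of this model is worth checking against the real engine before a negated lookup is used in an alerting rule: an event that carries no sip value at all is treated as "not in the list", so not (e.sip inlist MailServerList) evaluates to TRUE for it.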