Multi-key semantics

QRadar supports multi-value custom properties, which allow a single event or flow property to store a list of values instead of a single value.

Multi-key semantics refers to how QRadar evaluates filter conditions when a property contains multiple values. This concept determines the logical behavior of queries and filters.

The following two evaluation modes are available:

ANY semantics (default)
The condition matches if at least one value in the list satisfies the criteria. Uses OR logic across the multiple values.
ALL semantics
The condition matches only if every value in the list satisfies the criteria. Uses AND logic across the multiple values.

When filters are displayed in the user interface, the semantics are indicated by text such as (Any) or (All) appended to the filter condition. This text helps you understand how your multi-value filters are evaluated.

In AQL, the semantics are explicitly specified by using the ANY or ALL keywords. If neither keyword is specified, ANY is the default.
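The two modes, modelled in Python as an added example (this is not IBM's code and not AQL syntax), to show how the choice changes the result of an equality filter and, more importantly for rule tuning, of a "not equal" filter. The property name, the sample events, the function names and the handling of an empty list are assumptions made for the illustration.

```python
import operator

# Comparison operators supported by this model (hypothetical helper table).
OPS = {"=": operator.eq, "!=": operator.ne}


def matches(values, op, operand, semantics="ANY"):
    """Evaluate `<property> <op> <operand>` over a multi-value property.

    ANY (the default) is OR across the values; ALL is AND across the values.
    """
    if semantics not in ("ANY", "ALL"):
        raise ValueError("semantics must be ANY or ALL")
    if not values:
        # Assumption of this model: a property with no values never matches.
        # The page does not state how an empty list is treated.
        return False
    results = [OPS[op](value, operand) for value in values]
    return any(results) if semantics == "ANY" else all(results)


def filter_events(events, prop, op, operand, semantics="ANY"):
    """Return the ids of the events whose property satisfies the condition."""
    return [e["id"] for e in events
            if matches(e.get(prop, []), op, operand, semantics)]


# Constructed sample events; "Recipient Domains" is a hypothetical
# multi-value custom property.
EVENTS = [
    {"id": 1, "Recipient Domains": ["corp.example"]},
    {"id": 2, "Recipient Domains": ["corp.example", "partner.example"]},
    {"id": 3, "Recipient Domains": ["external.example"]},
    {"id": 4, "Recipient Domains": ["corp.example", "external.example"]},
]

if __name__ == "__main__":
    for op in ("=", "!="):
        for mode in ("ANY", "ALL"):
            ids = filter_events(EVENTS, "Recipient Domains", op,
                                "external.example", mode)
            print(f"Recipient Domains {op} external.example ({mode}): {ids}")
```

In this model, event 4 still passes the `!=` filter under ANY because one of its values differs from `external.example`; an exclusion that must hold for the whole list needs ALL.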