Is there any docs on the filter format for evebox?
I figured it out at least partly.
field: “value” which allows me to narrow down to each sensor… host: “dmzo”
Can we do negation? And 'and's and 'or's?
I haven't found a full end-user type of documentation, but it's passed into Elastic's query_string parameter, which is documented here: Query string query | Elasticsearch Reference [7.11] | Elastic
The default_operator is set to AND. And stuff like a time range, if in an event view, is passed in via a filter.
Of course, if you alter the template to analyze some fields differently you get different results. A good example of this is that data indexed by Filebeat will not do substring matches, but you can do substring matches if the data is indexed by Logstash.
Hope that helps.
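To make the mechanism in the answer above concrete, here is an added example (my own, not EveBox's code) of what an event filter looks like once it is wrapped in an Elasticsearch query_string clause with default_operator set to AND and a time range added as a separate filter. The exact request shape, the @timestamp field name and the sample filter strings are assumptions for illustration; the operator syntax (AND, OR, NOT, parentheses, field:"value", wildcards) is the standard query_string syntax from the linked Elastic docs.

```python
"""Assumed example, not EveBox's own code: build the Elasticsearch request
body for a query_string-based event filter plus an optional time range."""
import json


def build_query(filter_text, since=None, until=None, timestamp_field="@timestamp"):
    """Return an Elasticsearch bool query body.

    The user's filter string is handed to query_string unchanged, with
    default_operator "AND" so bare terms like `dmzo alert` mean
    `dmzo AND alert`.  The time range (if any) goes into a separate range
    filter on the timestamp field (field name is an assumption here)."""
    query_string = {
        "query_string": {
            "query": filter_text,
            "default_operator": "AND",
        }
    }
    body = {"query": {"bool": {"must": [query_string]}}}

    bounds = {}
    if since is not None:
        bounds["gte"] = since
    if until is not None:
        bounds["lte"] = until
    if bounds:
        body["query"]["bool"]["filter"] = [{"range": {timestamp_field: bounds}}]
    return body


# Constructed filter strings showing the query_string operators asked about
# in the question.  `host:"dmzo"` is the sensor filter from the thread;
# event_type is the standard Suricata EVE field; dmz1 is an invented sensor.
EXAMPLE_FILTERS = {
    "single sensor":  'host:"dmzo"',
    "negation":       'event_type:alert AND NOT host:"dmzo"',
    "or group":       'event_type:alert AND (host:"dmzo" OR host:"dmz1")',
    "prefix match":   'host:dmz*',   # wildcard works even on keyword fields
}


if __name__ == "__main__":
    for label, text in EXAMPLE_FILTERS.items():
        print(f"# {label}: {text}")
        print(json.dumps(build_query(text, since="now-1h", until="now"), indent=2))
```

Note the caveat from the answer: whether `host:dmz` matches a value of `dmzo` depends on the field mapping, not on the filter syntax. On a keyword-mapped field (which is what a Filebeat template typically gives you) it will not, so use an exact value (`host:"dmzo"`) or a wildcard (`host:dmz*`) there.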