- 04 Aug 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
"All" Statement Syntax
- Updated on 04 Aug 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
For each asset matching the query of the Enforcement Set, the All Dynamic Value statement (also referred to as 'statement') takes the value from the Adapter field and uses the set_value function to assign a resulting value to the Action field.
The basic syntax of All statements for various asset types is presented in the following table, followed by a description of the statement elements.
Asset Type | Basic Syntax |
---|---|
Device | device all then form.fieldname set_value [device.adapters_data.adapter_name.field_name] |
User | user all then form.fieldname set_value [user.adapters_data.adapter_name.field_name] |
Vulnerability | vulnerability all then form.fieldname set_value [vulnerability.adapters_data.adapter_name.field_name] |
Software | software all then form.fieldname set_value [software.adapters_data.adapter_name.field_name] |
- device, user, vulnerability, software - Examples of asset types on which to apply the statement. The asset type must match the query used in the Enforcement Set.
- all - Applies the statement on all assets of the specified asset type (for example: on all devices, users, vulnerabilities, or software) that match the query.
- then - On all assets that match the query, then applies the value from the Adapter field (source) to the Action form field (destination).
- form.fieldname - The destination field in the Action form. Use Autocomplete, Syntax Helper, or the Dynamic Value Statement Wizard to get the correct field name.
- set_value - Sets the value of form.fieldname to match that of the source field of the Adapter. Functions can be used to determine this value.
- [<asset-type>.adapters_data.adapter_name.field_name] - The source field in the Adapter; must be enclosed in square brackets. The prefix <asset-type> indicates the type of asset query - for example: device, user, vulnerability, or software. Use Syntax Helper or the Dynamic Value Statement Wizard to get the correct field name.
All Statement Examples
These additional functions and operators are used in the following examples:
- or - Used to define multiple options if one of the source fields is empty. The defined options are applied in the order that they are written. The first field with a value is used and the rest ignored. If none of the fields have a value, the default value in the form itself is used.
- concat - Concatenates the specified values. concat supports an unlimited number of string arguments (values and/or fields). The concat operator must be followed by a space and then the parameters within ( ). Field inputs and static strings can be used in any order.
- sum - Adds the values in the indicated field.
You can construct more complex statements using the many functions and operators available. After entering set-value in the statement, the Autocomplete feature shows the available functions and operators that you can choose from. See Enforcement Action Statement Syntax Table for a complete list of available statement elements, and their syntax and usage rules.
You can use the Wizard to construct a simple set-value statement or an alternative of statements using or.
When using operators, such as concat and join, it is important to choose the relevant field types - list or single value; Aggregated fields (hold lists of values) or Preferred fields (hold single values). To learn more, see Preferred and Aggregated Fields in the Syntax Helper.
The following examples illustrate some ways that All asset statements can be used.
- Example - For all devices that match the query, configure an Enforcement Action - Add Tag to Device Assets, with a statement that sets form.tag_name to the last seen date from the BigID adapter (device.adapters_data.bigid_adapter.last_seen). Otherwise, if the BigID last seen field is empty, sets form.tag_name to the last seen date from the AWS adapter (device.adapters_data.aws_adapter.last_seen).
device all then form.tag_name set_value [device.adapters_data.bigid_adapter.last_seen] or [device.adapters_data.aws_adapter.last_seen]
A Tag field in the configured color is added to the devices that match the query. This field displays the last seen date and time, if it has been fetched from the BigID or AWS adapters.
- Example - For all devices that match the query, configure an Enforcement Action - Send Email, with a statement that sets form.emailList to device.specific_data.data.hostname_preferred (the Aggregated Adapter preferred hostname) + "@gmail.com".
device all then form.emailList set_value concat ([device.specific_data.data.hostname_preferred], "@gmail.com")
Once the Enforcement Set completes, you can see the outcome of the run.
Clicking the Successful Affected Assets shows under EC: Result Details that an email has been sent for this device.
Example - For all software that match the query, configure an Enforcement Action - Add Custom Data to Software Assets, with a statement that sets form.custom_data_value to the value in software.adapters_data.azure_adapter.last_seen (the last_seen field from the Azure adapter), if not empty. Otherwise, if empty, sets it to software.adapters_data.cisco_meraki_adapter.last_seen (the last_seen field from the Cisco adapter).
software all then form.custom_data_value set_value [software.adapters_data.azure_adapter.last_seen] or [software.adapters_data.cisco_meraki_adapter.last_seen]
Example - For all vulnerabilities that match the query, set form.field_name to the sum of the values in vulnerability.adapters_data.tenable_security_center_adapter.cvss_vector (the Tenable.sc (SecurityCenter) CVSS Vector field cvss_vector).
vulnerability all then form.field_name set_value sum ([vulnerability.adapters_data.tenable_security_center_adapter.cvss_vector])
Example - For all devices that match the query, configure an Enforcement Action - Add Tag to Device Assets, with a statement that sets the value of form.tag_name to a concatenation of "name" + device.specific_data.data.hostname (the Aggregated Adapter hostname) + "os_type" + device.specific_data.data.os.type (the Aggregated Adapter OS type), using the concat operator.
device all then form.tag_name set_value concat("name", [device.specific_data.data.hostname], "os_type", [device.specific_data.data.os.type])
For more information about Dynamic Value statements, see the following::
Dynamic Value Statement Concepts
Creating Enforcement Action Dynamic Value Statements
Enforcement Action Dynamic Value Statement Syntax Table
Useful Tips and Tricks for Working with Dynamic Value Statements
Using the Syntax Helper
Using the Dynamic Value Statement Wizard
Using the Dynamic Value Statement Simulator
"All" Statement Syntax
Switch/Case Statement Syntax
Using Functions, Operators, and Keywords
Dynamic Value Statement Examples and Use Cases
For more information about working with Enforcement Sets, see the following:
Enforcement Center Overview
Enforcement Sets Page
Creating Enforcement Sets
Managing Enforcement Sets
Using Predefined Enforcement Sets
Testing an Enforcement Set
Creating Enforcement Action Dynamic Value Statements
Scheduling Enforcement Set Runs
Viewing Enforcement Set Run History
Duplicating Enforcement Sets
Viewing Editing and Deleting Enforcement Sets
Terminating an Enforcement Set Run
Running Enforcement Sets