"All" Statement Syntax

For each asset matching the query of the Enforcement Set, the All Dynamic Value statement (also referred to as 'statement') takes the value from the Adapter field and uses the set_value function to assign a resulting value to the Action field.

The basic syntax of All statements for various asset types is presented in the following table, followed by a description of the statement elements.

• device, user, vulnerability, software - Examples of asset types on which to apply the statement. The asset type must match the query used in the Enforcement Set.
• all - Applies the statement on all assets of the specified asset type (for example: on all devices, users, vulnerabilities, or software) that match the query.
• then - On all assets that match the query, then applies the value from the Adapter field (source) to the Action form field (destination).
• form.fieldname - The destination field in the Action form. Use Autocomplete, Syntax Helper, or the Dynamic Value Statement Wizard to get the correct field name.
• set_value - Sets the value of form.fieldname to match that of the source field of the Adapter. Functions can be used to determine this value.
• [<asset-type>.adapters_data.adapter_name.field_name] - The source field in the Adapter; must be enclosed in square brackets. The prefix <asset-type> indicates the type of asset query - for example: device, user, vulnerability, or software. Use Syntax Helper or the Dynamic Value Statement Wizard to get the correct field name.

All Statement Examples

These additional functions and operators are used in the following examples:

• or - Used to define multiple options if one of the source fields is empty. The defined options are applied in the order that they are written. The first field with a value is used and the rest ignored. If none of the fields have a value, the default value in the form itself is used.
• concat - Concatenates the specified values. concat supports an unlimited number of string arguments (values and/or fields). The concat operator must be followed by a space and then the parameters within ( ). Field inputs and static strings can be used in any order.
• sum - Adds the values in the indicated field.

You can construct more complex statements using the many functions and operators available. After entering set-value in the statement, the Autocomplete feature shows the available functions and operators that you can choose from. See Enforcement Action Statement Syntax Table for a complete list of available statement elements, and their syntax and usage rules.

The following examples illustrate some ways that All asset statements can be used.

• Example - For all devices that match the query, configure an Enforcement Action - Add Tag to Device Assets, with a statement that sets form.tag_name to the last seen date from the BigID adapter (device.adapters_data.bigid_adapter.last_seen). Otherwise, if the BigID last seen field is empty, sets form.tag_name to the last seen date from the AWS adapter (device.adapters_data.aws_adapter.last_seen).

  device all then form.tag_name set_value [device.adapters_data.bigid_adapter.last_seen] or [device.adapters_data.aws_adapter.last_seen]   
  

A Tag field in the configured color is added to the devices that match the query. This field displays the last seen date and time, if it has been fetched from the BigID or AWS adapters.

• Example - For all devices that match the query, configure an Enforcement Action - Send Email, with a statement that sets form.emailList to device.specific_data.data.hostname_preferred (the Aggregated Adapter preferred hostname) + "@gmail.com".

  device all then form.emailList set_value concat ([device.specific_data.data.hostname_preferred], "@gmail.com")
  

Once the Enforcement Set completes, you can see the outcome of the run.

Clicking the Successful Affected Assets shows under EC: Result Details that an email has been sent for this device.

• Example - For all software that match the query, configure an Enforcement Action - Add Custom Data to Software Assets, with a statement that sets form.custom_data_value to the value in software.adapters_data.azure_adapter.last_seen (the last_seen field from the Azure adapter), if not empty. Otherwise, if empty, sets it to software.adapters_data.cisco_meraki_adapter.last_seen (the last_seen field from the Cisco adapter).

  software all then form.custom_data_value set_value [software.adapters_data.azure_adapter.last_seen] or [software.adapters_data.cisco_meraki_adapter.last_seen]
  

• Example - For all vulnerabilities that match the query, set form.field_name to the sum of the values in vulnerability.adapters_data.tenable_security_center_adapter.cvss_vector (the Tenable.sc (SecurityCenter) CVSS Vector field cvss_vector).

   vulnerability all then form.field_name set_value sum ([vulnerability.adapters_data.tenable_security_center_adapter.cvss_vector])
  

• Example - For all devices that match the query, configure an Enforcement Action - Add Tag to Device Assets, with a statement that sets the value of form.tag_name to a concatenation of "name" + device.specific_data.data.hostname (the Aggregated Adapter hostname) + "os_type" + device.specific_data.data.os.type (the Aggregated Adapter OS type), using the concat operator.

  device all then form.tag_name set_value concat("name", [device.specific_data.data.hostname], "os_type", [device.specific_data.data.os.type])