Advanced Condition Statements

The following sections describe the basics of condition statements.

The Asset Pool

Every Enforcement Set is based on a query triggered each time the Enforcement Set is run. The set of assets (devices, users or any other supported asset) that match the query parameters is the asset pool the Enforcement Set will run on for that run.

The asset pool can be different for each run of the same Enforcement Set since changes in asset status may occur between runs. Condition statements use the data from those assets.

Adapter Fields to Enforcement Action Form Fields - Source to Target

Adapter fields are the asset attributes that contain data about the asset. These are the "source" fields named in the condition statement. A condition statement will take these values, apply the condition and perform whatever function is defined.

The result will be placed in an Action form field, the "target" field. Action form fields includes all fields available in the Enforcement Action form, either to be written to a 3rd party product (such as a ticketing system or an email) or on the asset itself as tags or custom data fields.

The following describes the process:

Take values from Adapter Fields
-> apply conditions, functions, and operators
-> populate values to Enforcement Action Fields

Using the Correct Field Names

Field names as shown in the asset tables, asset details or Enforcement Action form are not the same as the field name in the Axonius database. These names are user-friendly names used in GUI. In the condition statement, you need to use their unique names as they exist in the Axonius database, the database field name. Use the Syntax Helper to find the database field name.

Asset Field Example

In the following asset example, there are four Adapter fields: Asset Name, Host Name, Last Seen and Network Interfaces: MAC.

In this asset example, the database field names may be similar to:

In condition statements, use the Database Field Name.

Asset field values could be fetched from a single specific adapter or be aggregated values from several adapters, called aggregated fields. The available fields can be found in the asset table as columns and in the asset profile page.

Action Form Field Example

In the following Action form example, there are three fields: Incident short description, Incident description and Message severity.

In this Action form example, the database field names may be similar to:

In condition statements, use the Database Field Name.

Use the Syntax Helper to find the database field name.

Field Types

All fields (both adapter fields and action fields) are configured with a data type. The most common field value types you’ll encounter are:

• string
• integer
• float
• epoch (date)
• boolean (true/false)

Addionally, all types can be configured as either a single value or as a list (array) with multiple values. When you create a custom field you can select both value type and whether that field contains single or multiple values.

For example, Hostname is a list field, meaning it can contain multiple text string values for every asset in that field. Preferred Hostname is a single value field since it can contain only one value per asset, as are all preferred fields.