Condition Statement Examples and Use Cases
- Updated on 13 Mar 2023
- 5 Minutes to read
Tips for creating condition statements:
- A list of the exact names of adapter fields and action fields, together with their field types, is available from the Syntax Helper.
- Data from assets can be manipulated using functions; functions can be nested, so several can be applied to one value.
- Make sure the source field type matches the target field type. For example, you can't use an adapter array field as input to a single-string action field.
- When creating an Axonius custom field, the field name in the database depends on the field type, for example form.field_date.specific for a date field and form.field_number for a float field. Use the Syntax Helper to select the correct field type.
- The syntax parser is Lark based; see the Lark documentation to learn more.
Examples
The following examples show how condition statements (IFTTT) can be used and the use case each one serves.
Example 1
This example uses the ServiceNow - Create Incident Action in the Category Create Incident or Ticket.
Description
This user wants each response team to get only the incidents related to them. Incidents are tagged with the name of the relevant team, so they use tags as a condition. If an incident has the tag Team: X, it gets assigned to Team X. If it has the tag Team: Y, it gets assigned to Team Y. This allows them to streamline their process and save time as each team gets only the ticket related to them.
switch device.labels
case contains ["Team: X"] form.assignment_group set_value <Team X ID>
case contains ["Team: Y"] form.assignment_group set_value <Team Y ID>
Example 2
This example could use any of the actions that create tickets in supported ticketing systems in the Category Create Incident or Ticket.
Description
The Axonius Vulnerabilities module can detect known vulnerabilities on assets. Having the list of vulnerabilities in the incident ticket can speed up mitigation. This user wrote a condition statement that adds a concatenated list of the critical vulnerabilities found on each device to the Incident Description field of the ticket.
device all then form.incident_description set_value
concat(join([device.adapters_data.rapid7_insightvm_adapter.critical_vulnerabilities])," critical vulnerabilities.")
Example 3
This example uses the Axonius - Add Custom Data to Assets Action from the Axonius Utilities category.
Description
The worded description in the Rapid7 criticality tag includes a vulnerability level, but a numeric score makes it quicker to compare assets. This user created a custom field of type integer and wrote a condition statement that assigns 100 when the tag starts with "high", 60 when it starts with "medium" and 30 when it starts with "low". Keeping the score in its own field separates it from the rest of the description and makes it easier to find and sort on, so they can decide more quickly which vulnerabilities to work on first.
switch rapid7.criticality_tag
case starts_with ("high") then form.field_integer set_value 100
case starts_with ("medium") then form.field_integer set_value 60
case starts_with ("low") then form.field_integer set_value 30
Example 4
Enforcement Action used: Axonius - Add Custom Field
Numeric values are often easier to act on than other kinds of measurement. This user wanted a number that indicates whether an asset has a CVE with a known exploit. They wrote a condition statement that creates a custom field of type integer whose score depends on the Boolean value of the is_exploit field.
switch adapters_data.nexpose_adapter.software_cves.is_exploit
case field_equal (true) then form.field_integer set_value 100
case field_equal (false) then form.field_integer set_value 10
Example 5
Enforcement Action used: Axonius - Add Custom Field
Creates a custom field of type float that holds a weighted score of five other custom fields. The weights (0.2, 0.3, 0.05, 0.2 and 0.25) sum to 1.0, so the result stays on the same scale as the input fields.
device all then form.field_number set_value add(
multiply ([custom.risk1], 0.2), multiply ([custom.risk2], 0.3), multiply ([custom.risk3], 0.05), multiply ([custom.risk4], 0.2), multiply ([custom.risk5], 0.25))
Example 6
Enforcement Action used: Axonius - Send Email
Sends an email to recipients chosen by the value of the host name. All assets with an identical hostname value are aggregated into a single email, so the number of email messages equals the number of unique hostname values. Because hostname is a list of values (array), contains is true only when a value in the list is an exact match; a partial match does not count.
switch device.specific_data.data.hostname
case contains ("xdept") then form.emailist set_value "manager1@company.com"
case contains ("ydept") then form.emailist set_value "manager2@company.com"
Example 7
Enforcement Action used: Axonius - Send Email
Sends an email to recipients chosen by the value of the asset name (name). All assets with an identical asset name are aggregated into a single email, so the number of email messages equals the number of unique asset name values. Because asset name is a single-value field, contains is true even when only part of the asset name matches.
switch device.specific_data.data.name
case contains ("xdept") then form.emailist set_value "manager1@company.com"
case contains ("ydept") then form.emailist set_value "manager2@company.com"
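To make the difference between Examples 6 and 7 concrete, here is an added Python model (not Axonius code and not the condition-statement engine) that applies the same two cases to a handful of constructed assets: contains does an exact element match on the array hostname field and a substring match on the single-value name field, and assets with an identical field value are grouped into one email. The asset records, the contains, route and plan_emails helpers, and the assumption that an asset matching no case gets no email are all illustrative.

```python
from collections import defaultdict

# Constructed sample assets (not real data). "hostname" stands in for the
# array field device.specific_data.data.hostname used in Example 6 and
# "name" for the single-value field device.specific_data.data.name used in
# Example 7.
ASSETS = [
    {"id": "a1", "hostname": ["xdept-ws01", "xdept-ws01.corp"], "name": "xdept-ws01"},
    {"id": "a2", "hostname": ["xdept"], "name": "xdept"},
    {"id": "a3", "hostname": ["ydept-srv02"], "name": "ydept-srv02"},
    {"id": "a4", "hostname": ["ydept"], "name": "ydept"},
    {"id": "a5", "hostname": ["ydept"], "name": "ydept"},
]

# The two cases from Examples 6 and 7, in order; the first match wins.
ROUTES = [("xdept", "manager1@company.com"), ("ydept", "manager2@company.com")]


def contains(field_value, needle):
    """`contains` as the two examples describe it: an exact element match
    on an array field, a substring match on a single string field."""
    if isinstance(field_value, list):
        return any(element == needle for element in field_value)
    return needle in field_value


def route(asset, field):
    """Emulate the switch/case: recipient of the first matching case, or
    None when no case matches (assumption: no fallback recipient)."""
    for needle, recipient in ROUTES:
        if contains(asset[field], needle):
            return recipient
    return None


def plan_emails(assets, field):
    """One email per unique value of `field`, as the examples state.
    Returns {value_key: (recipient, [ids of the assets in that email])}."""
    groups = defaultdict(list)
    recipients = {}
    for asset in assets:
        recipient = route(asset, field)
        if recipient is None:
            continue
        value = asset[field]
        key = tuple(value) if isinstance(value, list) else value
        groups[key].append(asset["id"])
        recipients[key] = recipient
    return {key: (recipients[key], ids) for key, ids in groups.items()}


if __name__ == "__main__":
    for field in ("hostname", "name"):
        plan = plan_emails(ASSETS, field)
        print(f"switch on {field}: {len(plan)} email(s)")
        for key, (recipient, ids) in plan.items():
            print(f"  {key!r} -> {recipient} covering {ids}")
```

Run as a script it shows two emails for the hostname switch (only the assets whose array holds exactly "xdept" or "ydept" match) and four for the name switch (every name containing "xdept" or "ydept" matches, and the two "ydept" assets share one email).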
Example 8
Enforcement Action used: Axonius - Add Custom Field
Creates a custom field that contains, for each asset, the highest CVSS score recorded for that asset.
device all then form.field_number set_value max([device.specific_data.data.software_cves.cvss])
Example 9
Enforcement Action used: Any Action from the Create Incident or Ticket category
Creates a ticket whose Custom format for body field holds, for every asset, a JSON object built by concatenating the preferred host name (as device_name) and the last_seen value; each asset gets its own entry. Note that concat inserts the field values verbatim: a value containing a double quote or a backslash produces invalid JSON, so this pattern is only safe for fields whose values cannot contain those characters.
device all then form.custom_format set_value concat
("{","\"device_name\" : \"", [device.specific_data.data.hostname_preferred],"\",", "\"last_seen\" : \"", [device.specific_data.data.last_seen],"\"", "}")
Example 10
Enforcement Action used: Axonius - Add Custom Field
Creates a custom field of type date with a single last_seen value taken from CrowdStrike, or, if empty, from Cisco Meraki, or if empty from AWS. If all three are empty, the value will fallback to the static value provided in the Action form field.
device all then form.field_date.specific set_value
[device.adapters_data.crowd_strike_adapter.last_seen] or
[device.adapters_data.cisco_meraki_adapter.last_seen] or
[device.adapters_data.aws_adapter.last_seen]
Example 11
Enforcement Action used: Any
Determine through which node to deploy a file based on the prefix of the asset name (name).
switch device.specific_data.data.name
case starts_with ("pro") then form.instance set_value "pro-axonctlr1"
case starts_with ("dev") then form.instance set_value "dev-axonctlr1"
case starts_with ("tes") then form.instance set_value "tes-axonctlr1"
Example 12
Enforcement Action used: Any
Creates a different webhook message (a JSON field) for each hostname.
device all then form.custom_format set_value concat
("{", "\"device_name\" : \"", [device.specific_data.data.hostname_preferred],"\",", "\"last_seen\" : \"", [device.specific_data.data.last_seen],"\"", "}")
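The JSON body in Examples 9 and 12 is assembled by string concatenation, so the field values are inserted without escaping. The following added Python example (not Axonius code) builds the same body two ways over constructed records: a literal mirror of the concat(...) statement, and a JSON serializer that escapes the values. A hostname containing a double quote yields an unparseable body in the first case and a correct one in the second. The sample records and the function names are illustrative.

```python
import json

# Constructed sample records (not real data). The keys mirror
# device.specific_data.data.hostname_preferred and
# device.specific_data.data.last_seen from the statement on the page.
RECORDS = [
    {"hostname_preferred": "xdept-ws01", "last_seen": "2023-03-13T09:15:00Z"},
    # A hostname carrying a double quote: legal in the field, fatal to
    # hand-built JSON.
    {"hostname_preferred": 'ydept-srv02"', "last_seen": "2023-03-12T22:40:00Z"},
]


def body_by_concat(hostname_preferred, last_seen):
    """Literal mirror of the page's concat(...) statement: braces, quotes and
    raw field values joined in order, with no escaping of the values."""
    return "".join([
        "{", "\"device_name\" : \"", hostname_preferred, "\",",
        "\"last_seen\" : \"", last_seen, "\"", "}",
    ])


def body_by_serializer(hostname_preferred, last_seen):
    """Same payload built by a JSON serializer, which escapes the values."""
    return json.dumps({"device_name": hostname_preferred, "last_seen": last_seen})


def is_valid_json(body):
    """True when `body` parses as JSON."""
    try:
        json.loads(body)
    except ValueError:
        return False
    return True


def parse_body(body):
    """Parse a body back into a dict (raises on invalid JSON)."""
    return json.loads(body)


def build_bodies(records, builder):
    """One body per record, matching the page's one-entry-per-asset flow."""
    return [builder(r["hostname_preferred"], r["last_seen"]) for r in records]


if __name__ == "__main__":
    for builder in (body_by_concat, body_by_serializer):
        for body in build_bodies(RECORDS, builder):
            print(f"{builder.__name__:18} valid={is_valid_json(body)!s:5} {body}")
```

If the receiving system parses the body as JSON, either validate the source field values before they reach the statement or restrict this pattern to fields whose values cannot contain quotes or backslashes; a stray quote in an asset name can otherwise break, or alter the structure of, every message built from it.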
Example 13
Enforcement Action used: Any
This statement takes the value of field_name for every asset and creates a separate action form for each distinct value, that is, a different value in the form.custom_format field. This can be applied to any action field, not only this one.
If the selected value is unique for every asset, an action form is created for each asset.
device all then form.custom_format set_value [device.adapters_data.adapter_name.field_name]
For more information about working with Enforcement Sets see the following:
Enforcement Center Overview
Using the Enforcement Center Page
Managing Enforcement Sets
Creating Enforcement Sets
Testing an Enforcement Set
Configuring Enforcement Action Conditions
Scheduling Enforcement Set Runs
Running Enforcement Sets
Viewing Enforcement Set Run History
Terminating an Enforcement Set Run
Duplicating Enforcement Sets
Editing and Deleting Enforcement Sets