Creating Enforcement Action Dynamic Value Statements
- Updated on 22 Aug 2024
Overview
Use Dynamic Value statements (also referred to as "statements") to add dynamic values to fields in Enforcement Actions using values from the assets themselves.
Two types of statements are available for use:
- "All" statements - These statements read over all the assets in the asset pool one by one and populate the values fetched from the asset itself into Action form fields.
- Switch/Case statements - These statements check an asset field (declared in the switch) for multiple criteria (each declared by a case) and use those values to populate the Action fields.
Dynamic Value statements support asset, Activity Logs, and Adapters Fetch History modules. They do not support Asset Investigation and Findings modules.
Some examples for the use of statements:
- You can create an Enforcement Set with its main action to create a ticket/incident. In the statement, you can determine how to fill the description or summary fields of the ticket/incident with information from the asset.
- You can create an Enforcement Set with its main action to Add Tag to Assets. In the statement, you can set criteria to assign different tag values to different assets.
- You can create an Enforcement Set with its main action to Add Custom Data to Assets. In the statement, you can create a calculated custom field based on values from several fields, create a custom field to assign a numerical rank to vulnerabilities, and much more.
The Configure Dynamic Values toggle appears in each Enforcement Action, which has additional parameters that you can configure. Any user with either Add Enforcement or Edit Enforcement permission, or both, can create statements.
- In the Syntax tab, drag the handle at the lower-right corner to resize the Define the statement text box (see screen below).
Creating the Statement
To create a statement
Configure the Enforcement Action. In the Select Action tab, select a Main Action to add to the Enforcement Set. The relevant Enforcement Action dialog is displayed, with a tab for Required Fields and one or more tabs for additional fields. Make sure to fill in all of the required fields with values. These values are used for each relevant field if the Dynamic Value statement returns an empty result when the Enforcement Set runs. For example, when you create an Enforcement Set with Main Action - Add Custom Data to Assets, fill in the Field name and Field value action fields.
Toggle on Configure Dynamic Values.
Keep the Ignore Empty Values on Asset Fields checkbox selected (the default) if you want the Enforcement Action to ignore empty values on list fields when running the statement. Otherwise, clear the checkbox to run the statement on empty list fields. In that case, when an empty value occurs, the action uses the values you entered in the required fields ('fallback values').
Determine the type of statement to use:
- "All" statements
- Switch/Case statements
Construct a statement in the Define the statement text box including action form fields, adapter fields, functions, and operators, using either of the following methods:
- The Dynamic Value Statement Wizard
- The Syntax Helper with Autocomplete feature
Click Validate. Axonius checks that the statement syntax is correct. It does not validate field types or values.
- If the syntax is correct, the message 'Statement was validated successfully' is displayed in green under the text box.
- If there is a syntax error, a detailed error message is displayed in red under the text box. Fix the error, and repeat this step.
Use the Dynamic Value Statement Simulator to debug the statement component by component, until the results meet your requirements.
When the Enforcement Set is run, the statement is used.
Ignore Empty Values on Asset Fields
Ignore Empty Values On Asset Fields is enabled by default in both the Syntax and Wizard tabs. Use this option to make sure the statement ignores empty (null) values in asset list fields, and runs only on the values which are not empty. This prevents an empty value in a list field from causing a function to fail, and the Enforcement Action calculates the function instead of assigning the configured fallback values (the values you entered in the required fields in the Enforcement Action configuration). If you do not enable this option, the statement runs on all values in a list field, and fails if one of the values is empty. As a result, it assigns the configured fallback value for the complete statement.
For example: concat ([field1("aaa")], [field2(null)], [field3("ccc")]) results in ["aaa","ccc"] when this option is enabled, and fails when disabled.
Note: This option is relevant for multi-value fields. An empty value on a single-value field causes the function to fail.
- An Enforcement Set, configured with a Dynamic Value statement, runs only on query results filtered according to the data refinement configuration. This is the case for queries filtered with any data refinement option, except "Refine field values by adapter connection".
- Furthermore, the Dynamic Value statement automatically ignores field values filtered out of asset list fields as a result of data refinement, i.e., empty (null) list field values. For example, suppose the Axonius - Add Custom Data to Assets enforcement action runs on a query that has been refined to only include low CVE severities, and is configured with a Dynamic Value statement that counts CVE severities. In this case, the count function counts only the low CVE severities, and does not count the medium and high CVE severities, which have been replaced in the list field by empty (null) values following data refinement.
Example: A Device asset contains the Host Name list field [gcp-dbnginx1, Fallback, gcp-dbnginx2]. An Enforcement Set is configured to run an Enforcement Action on a query in which Host Name is filtered using Refine Data to remove Host Name 'Fallback'. The above Host Name is returned from the query filtered with data refinement as [gcp-dbnginx1, null, gcp-dbnginx2]. The Dynamic Value statement with the count function (see below) returns 2 (# of host names) and not 3, as it ignores null values.
device all then form.field_integer set_value count ([device.specific_data.data.hostname])
- If the asset returned from the query does not meet any of the criteria defined in the statement for the field, the values configured for the field in the Enforcement Action configuration are used as the default (fallback) values for the field.
Syntax Tips
- Static string values must be written within quotation marks " ". For example: "@gmail.com". They should not be pasted from other systems.
- Make sure that the quotation marks are straight and not curly, as curly ones are not supported.
- Functions and operators must be followed by (values) in parentheses.
- A field name following "switch" does not require square brackets.
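The tips above can be checked before a statement is pasted into the Define the statement text box. The following Python pre-check is an added example, not Axonius code, and does not replace the Validate button; the name lint_statement is hypothetical, and the function list covers only the functions that appear in statements on this page.

```python
import re

CURLY = "\u201c\u201d\u2018\u2019"
# Function names taken only from the statements shown on this page.
FUNCTIONS = ("count", "concat", "field_equal")

def lint_statement(stmt):
    """Return sorted (offset, message) findings for one statement (hypothetical helper)."""
    # Tip: quotation marks must be straight, curly ones are not supported.
    findings = [(i, "curly quotation mark U+%04X" % ord(c))
                for i, c in enumerate(stmt) if c in CURLY]
    # Tip: static strings are written within straight quotation marks.
    if stmt.count('"') % 2:
        findings.append((stmt.rfind('"'), "unterminated string literal"))
    # Blank out string literals so words inside them are not read as functions.
    masked = re.sub(r'"[^"]*"', lambda m: " " * len(m.group()), stmt)
    # Tip: functions must be followed by (values) in parentheses.
    # The lookbehind skips field path segments such as data.count.
    pattern = r"(?<![\w.])(%s)\b" % "|".join(FUNCTIONS)
    for m in re.finditer(pattern, masked):
        if not re.match(r"\s*\(", masked[m.end():]):
            findings.append((m.start(), "%s must be followed by (values)" % m.group()))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed input: the Example 2 case line with curly quotes, as pasted from a word processor.
    pasted = 'case field_equal (\u201cUnited States\u201d) then form.tag_name set_value "US"'
    for offset, message in lint_statement(pasted):
        print(offset, message)
```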
Dynamic Value statements may "split" the Action into multiple Actions, one for each value configured in the statement.
For example, if 100 assets share the same value configured in the statement, those assets are combined into one run. On the other hand, if the 100 assets all have different values, the Enforcement Set is run 100 times.
The more distinct values that have matches, the longer the run takes to complete.
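The following Python model is an added example, not Axonius code. It reproduces the behaviour described under Ignore Empty Values on Asset Fields (null handling and fallback) and the run splitting described above, so you can see which assets would receive the fallback value and how many runs a statement would produce. All function names and the sample assets are constructed for illustration.

```python
from collections import defaultdict

def _values(field, ignore_empty):
    """Values of one list field; a remaining null models a function failure."""
    if ignore_empty:
        return [v for v in field if v is not None]
    if any(v is None for v in field):
        raise ValueError("empty value in list field")
    return list(field)

def count(field, ignore_empty=True):
    return len(_values(field, ignore_empty))

def concat(fields, ignore_empty=True):
    out = []
    for field in fields:
        out.extend(_values(field, ignore_empty))
    return out

def resolve(func, arg, fallback, ignore_empty=True):
    """Value the action field receives: the function result, or the
    configured fallback value when the function fails."""
    try:
        return func(arg, ignore_empty)
    except ValueError:
        return fallback

def plan_runs(assets, field, fallback, ignore_empty=True):
    """Group assets by resolved value; each distinct value is one run."""
    runs = defaultdict(list)
    for asset in assets:
        value = resolve(count, asset[field], fallback, ignore_empty)
        runs[value].append(asset["id"])
    return dict(runs)

# Constructed sample assets; dev-1 mirrors the refined Host Name list above.
ASSETS = [
    {"id": "dev-1", "hostname": ["gcp-dbnginx1", None, "gcp-dbnginx2"]},
    {"id": "dev-2", "hostname": ["web-1", "web-2"]},
    {"id": "dev-3", "hostname": ["db-1"]},
]

if __name__ == "__main__":
    print(plan_runs(ASSETS, "hostname", fallback=0))
    print(plan_runs(ASSETS, "hostname", fallback=0, ignore_empty=False))
```

With the option disabled, dev-1 drops out of the group with count 2 and receives the fallback value instead, which is why a fallback that looks like a real value can hide failed statements.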
Examples
Example 1
This example shows how you can create a Dynamic Value statement for the Axonius - Send Email enforcement action, configured with the Adapters Fetch History query, with the help of the Dynamic Value Statement Wizard or Syntax Helper.
The following screen shows the Axonius - Send Email enforcement action configured with the Adapters Fetch History query.
The first screen below shows how you can use the Wizard to choose an asset field from Adapters Fetch History for the Dynamic Value statement in this Enforcement Action and the second screen shows how you can use the Syntax Helper.
Example 2
Enforcement Action used: Axonius - Add Tag to Assets
In the following Dynamic Value statement used to tag users, all users with their user country field (user.specific_data.data.user_country) having the value 'United States' are tagged with a 'US' tag. Users with no entry for their user country or a country other than 'United States' are tagged with the Tag default value configured in Tag names (in the Enforcement Action configuration dialog) - in this case, "fallback".
switch user.specific_data.data.user_country
case field_equal ("United States") then form.tag_name set_value "US"
It is advisable to give a meaningful default Tag name, such as Fallback, so that it isn't mistaken for a Tag name that is based on an asset field value.
For more information about Dynamic Value statements, see the following:
Dynamic Value Statement Concepts
Creating Enforcement Action Dynamic Value Statements
Enforcement Action Dynamic Value Statement Syntax Table
Useful Tips and Tricks for Working with Dynamic Value Statements
Using the Syntax Helper
Using the Dynamic Value Statement Wizard
Using the Dynamic Value Statement Simulator
"All" Statement Syntax
Switch/Case Statement Syntax
Using Functions, Operators, and Keywords
Dynamic Value Statement Examples and Use Cases
For more information about working with Enforcement Sets, see the following:
Enforcement Center Overview
Enforcement Sets Page
Creating Enforcement Sets
Managing Enforcement Sets
Using Predefined Enforcement Sets
Testing an Enforcement Set
Creating Enforcement Action Dynamic Value Statements
Scheduling Enforcement Set Runs
Viewing Enforcement Set Run History
Duplicating Enforcement Sets
Viewing Editing and Deleting Enforcement Sets
Terminating an Enforcement Set Run
Running Enforcement Sets