Creating Enforcement Sets

The Enforcement Center allows you to actively control your asset environment. Use it to build and apply policies and create triage and remediation actions. Enforcements may be automated or run manually. The following procedure describes how to create a new Enforcement Set using the Create Enforcement Set button.

To create an Enforcement Set

1. In the Enforcement Sets page, click Create Enforcement Set. The Create Enforcement Set drawer opens with the Select Assets tab open. The Enforcement Set configuration is divided into four tabs: Select Assets, Select Action, Select Schedule, and Enforcement Set Name.

1. Select the assets that the Enforcement Set should run on.
2. Select the Enforcement Set action. The selected Action is added to the Enforcement Set as the Main Action.
3. Optionally, schedule the Enforcement Set runs.
4. Name the Enforcement Set.
5. Optionally configure Success Actions, Failure Actions, or Post Actions by clicking Advanced Options. This is clickable only after selecting the main action. See Configuring Success, Failure and Post Enforcement Actions below.
6. Do one of the following:
   • Save the Enforcement Set once an Enforcement Action is selected, even if not all required fields are filled in, by clicking Save. The Drafts folder on the Enforcement Set page is displayed.
   • Test the outcome of the Enforcement Set on one asset, by clicking Test Run. Learn more on how to test run an Enforcement Set.
   • Save the Enforcement Set and run it on all matching assets, by clicking Save and Run.
     You can view the results of all Enforcement Set runs on the Run History page.

Selecting the Assets

This section describes how to select the assets that the Enforcement Set will run on.

To select the assets

1. Under Run action on assets matching following query, from the Module list, select the module/asset type you want to query. Then, from the Select Query list, do one of the following:

   • Select a saved query from the list.

   

   • Click + Add Query to create a new query using the query wizard. To learn more about creating a new query, see Creating a New Query.

2. To see a preview of the results of the selected query, in Query Preview, click Load Preview. The following are displayed:

   • Query Count - The number of assets returned by the query.
   • Out of Total - The percentage of assets returned from all assets of the selected asset type.

Creating a New Query

Selecting the Enforcement Set Action

This section describes how to select the main action that the Enforcement Set runs.
The Enforcement Action Tile library is grouped by vendor (based on the action's adapter, except for 'Axonius Utilities'). For each vendor, the library displays the number of actions and the categories of the actions. It is possible to click the vendor to see all its actions, grouped by category.

• The Requires Credentials badge (yellow) appears near vendors with no configured adapter connection.
• You can toggle on Show Only Configured Adapters to show only vendors with configured adapters. In this case, the Requires Credentials badge does not appear on this page.
• You can click Expand All to expand all vendors to view their actions; Collapse All to hide all vendors' actions.
• Click a vendor to expand it and view all its actions.

In the screen below:

• The Airtable vendor has three Enforcement Actions of the category Manage Users and User Groups. The down arrow can be clicked to view these three actions.

• The Amazon Web Services (AWS) vendor has six Enforcement Actions and is expanded to show the actions grouped by the three categories - Notify, Manage AWS Services, and Manage Software.

To select the action

1. In the Create Enforcement Set drawer, click the Select Action tab. The Select an action page opens.

2. To show only those Enforcement Actions with configured adapters, toggle on Show Only Configured Adapters.

3. Select an Enforcement Action in one of the following ways:

   • Scroll the list of vendors (in alphabetical order) until you reach the required vendor, click the vendor to view its actions, and click the Action you want.
   • In the Search Action field, begin typing the name of the Action you want. The list is automatically filtered as you type.
   • From the Category dropdown, select one or more categories, and then open the Action under the required Vendor.
     The configuration screen of the selected action opens. It has a tab for Required Fields and one or more tabs for additional optional fields divided into categories - one tab per category, to the right of the Required Fields tab. If there is only one category, the tab is labeled Additional Fields.
     The following is an Enforcement Action with fields divided into four tabs.

7. In the Required Fields tab, fill in the following fields:
   • In Action name, use the default name provided or enter a new meaningful name. The given name must be unique.
   • If you want to configure dynamic values for this action, toggle on Configure Dynamic Values and Define the statement with the assistance of the Dynamic Value Statement Wizard or the Syntax Helper with Autocomplete feature (the default; see screen below). To learn more about statement syntax, see Creating Enforcement Action Dynamic Value Statements.

8. Fill in the remaining Required Fields for the Main Action. To learn more about each Enforcement Action and its required fields, navigate to the Enforcement Action documentation from the Enforcement Action Index.

9. Once all required fields are filled in, you can test the connection to the Adapter by clicking Test Connection. This functionality is not available for all Enforcement Actions.

10. Click each additional tab and provide values for the optional fields that you want to use. See the Enforcement Action Index for details on each field of each Enforcement Action.

Scheduling the Enforcement Set Runs

By default, Enforcement Sets are run every Discovery Cycle. You can configure scheduling in order to run the Enforcement Set automatically at specified times.

To schedule Enforcement Set runs

1. In the Create Enforcement Set drawer, click the Select Schedule tab.
2. In the Select a Schedule Plan page that opens, click On.
3. Set the scheduling parameters.

Naming the Enforcement Set

This section describes how to name the Enforcement Set and provide a description of it. The Enforcement Set name must be unique.

To name the Enforcement Set

1. Click the Enforcement Set Name tab.
2. In the Enforcement Set name field, use the default name provided or type a different meaningful name for the Enforcement Set.
3. In Description, optionally type a description of the Enforcement Set.

Configuring Success, Failure, and Post Enforcement Actions

An Enforcement Set can include one or more Success, Failure, or Post Actions.

• Success Actions are run on each asset for which the Main Action completes successfully.
• Failure Actions are run on each asset for which the Main Action does not complete successfully.
• Post Actions are run on ALL assets matching the query after the Main action has completed.

As actions are added, they are organized under the Main Action as shown below:

To configure Success, Failure, and Post Enforcement Actions

1. At the bottom of the Create Enforcement Set drawer, click Advanced options. A two-pane Enforcement Set drawer opens with Overview in the left pane and a description of the selected item in the right pane.

2. To add an Action, hover the mouse pointer over button under Main Action. The types of actions you can add are displayed.

3. Click one of the Action type buttons:
   • If you select + Success Actions, the Add Success Action drawer opens.
   • If you select + Failure Actions, the Add Failure Action drawer opens.
   • If you select + Post Actions, the Add Post Action drawer opens.
4. In the drawer that opens, [select a Success/Failure/Post Action][(#selecting-the-enforcement-set-action) to add. A Success Actions / Failure Actions /Post Actions title is added (indented) under the Main Action, and the selected Action tile appears under that title. Action details are displayed in the right pane. Configure all required fields and whatever optional fields you want.

4. To remove or replace a Success/Failure/Post Action, click the More Actions menu in the tile of the action, and click Remove Action to remove the action or Replace Action to select another action of the same type (Success, Failure, or Post) as the replaced action.
   

5. To add more Actions:

6. By default, the Main Action is run first, then all other Actions are run concurrently.

   • To require all actions in the Enforcement Set to run serially in the order of their configuration, at the top of the Overview pane, click the gear icon and toggle on Apply action execution order.

   

   When this option is enabled, all Success Actions are run according to their configured order. Then, all Failure Actions are run according to their configured order. Lastly, all Post Actions are run according to their configured order.

   Note:

   Enabling this option affects the time it takes the Enforcement Set to run. Running Actions concurrently generally takes less time than running them in order.

7. By default, all actions following the Main Action run as soon as they appear in the ready to execute queue. To delay the execution of a Success, Failure, or Post Enforcement Action, click the Immediate button on the Action pane, and configure the delay of the action. Learn more on how to configure the action delay.

8. When you have added and configured all the Actions you want, do one of the following:

   • To save the Enforcement Set and continue editing, click Save. The Enforcement Set is saved.
   • To test the outcome of the Actions, click Test Run. See Testing an Enforcement Set for more information on using Test Run.
   • To save the Enforcement Set and run it, click Save and Run. The Enforcement Center page is displayed with the My Enforcements folder selected. You can view the results of all Enforcement Set runs on the Run History page. See Viewing Run History.

Delaying Enforcement Action Execution

You can configure a Post, Success, or Failure action to execute immediately when its turn arrives in the 'ready to execute' queue (the default), or delay its execution by a certain number of days or weeks.

Example
You want to send an email reminder to customers to let them know that their software license is expiring and will be revoked in a month. You want to automate the actual revoking of the license to occur one month later in order to give the customers time to investigate similar software options or renew the license. In this case, the Main Action is Axonius - Send Email and the Post Action is revoking permissions to the software license. You delay this Post Action by one month.

To delay Enforcement Action execution

1. In the top right of the Success/Failure/Post Action configuration pane, click the Immediate button. A dialog opens for selecting Immediate (the default) or Delay.

2. Select Delay, and then define the length of the delay:
   • From the second dropdown, select the unit of time: Days or Weeks.
   • From the first dropdown, select the number of units.

The button shows the configured delay. For example, Delayed by 5 weeks.