Creating a Findings Rule
  • 18 Jan 2024


Article Summary

You can create a Findings Custom rule (a rule whose Rule type is System Rule) from scratch, or base it on one of the rule templates predefined by Axonius.

Note:
  • You can create Custom rules only.
  • You can define rules per Data Scope (as with Queries).
  • Rules cannot use private queries (as in the Enforcement Center).

To create a Findings Custom rule

  1. In the Rules Manager page, click the Create Rule button. The Create Rule dialog opens. The Rule type is System Rule (not modifiable).

  2. From the Rule Template dropdown, select a template on which to base the new rule.

    • Select Custom to define a rule from scratch. In this case, the fields of the rule dialog are filled in with default values.
      [Screenshot: Create Rule]

    • Select an Axonius-defined rule template to use as a basis for the new rule. The available rule templates are listed in the dropdown in alphabetical order (see the screen below). Once selected, the fields in the Create Rule drawer are filled in with the values of the selected rule template. You can edit the fields and options of the rule, as described in steps 4 to 10 below.

[Screenshot: Rule Template dropdown]

  3. In Rule Name, type a meaningful name for the rule. For template-based rules, the rule name defaults to the template name; it is recommended to change it.
  4. Click + Add description, and in the Description field that opens, type a description of the rule (optional).
  5. Select the Severity of the rule: Informational, Low (default), Medium, High, or Critical.
  6. Set the trigger condition.
  7. Schedule when to run the rule to check whether to trigger an alert and notify about it.
  8. Add mute conditions to pause notifications for a certain period of time.
  9. Configure external notification on the alert (optional; available only for customers with the Enforcement Center add-on).
  10. Click Create. Note that the Create button becomes enabled only after all the fields required to create the rule are filled in.

Selecting a Trigger Condition

Alerts are created by rules whose trigger conditions can be of the following types:

  • Simple query threshold - Trigger an alert when a query returns more/less than X (number) results. For example, when:
    • Adapter failed fetches > 0
    • There are more than 100 devices with 100+ installed SW
  • Query comparison - Trigger an alert when query A returns X or X% more/less assets than query B. This enables cross-entity comparison, using a different asset in each query. For example, when:
    • Devices with Tanium fall below 95% of all devices.
    • The number of devices is more than 20% of the number of users.
    • More than 10% of all devices have over 50 critical CVEs.
    • There is more than a 10% difference between the number of Tanium and Windows devices.
  • Query change over time - Timeline comparison. Trigger an alert when a query returns X or X(%) more/less results compared to Y days earlier. For example, when:
    • AD group gains more than 10% a week.
    • Number of CVEs grows more than 20% per day.
    • Number of managed devices drops more than 15% a week.

Setting the Simple Query Threshold Trigger

You can configure a Simple Query Threshold condition to trigger an alert when a defined query returns more/less than a specified number of assets.

To set the Simple Query Threshold trigger

  1. From the Condition Type dropdown, select Simple query threshold.
    The following condition opens.
    [Screenshot: Simple Query Threshold]

  2. From the Module dropdown, select an asset module.

  3. From the Select Query dropdown, select a query.

  4. Select More or Less.

  5. In the value box, type the threshold against which the number of assets returned by the query is compared. The minimum value is 0.

Setting the Query Comparison Trigger

You can configure a Query Comparison condition to trigger an alert when query A returns X or X% more/less assets than query B.

To set the Query Comparison trigger

  1. From the Condition Type dropdown, select Query Comparison.
    The following condition opens.
    [Screenshot: Query Comparison]
  2. From the Module dropdown, select an asset module.
  3. From the Select Query dropdown, select a query.
  4. Click the % sign (so that it is highlighted) to compare percentages, or leave it as is to compare actual values.
    • Percentage comparison:
      [Screenshot: Percentage comparison]

    • Actual values comparison:
      [Screenshot: Actual values comparison]

  5. In the value box, type a number. The minimum value is 0.
  6. Select More or Less.
  7. From the second Module and Select Query dropdowns, select a second module and query to compare with the first one (in steps 2 and 3).

Setting the Query Change over Time Trigger

You can configure a Query change over time condition to trigger an alert when a query returns X or X(%) more/less assets compared to Y days before the current execution time.

To set the Query change over time trigger

  1. From the Condition Type dropdown, select Query change over time.
    The following condition opens.
    [Screenshot: Query Change over Time]

  2. From the Module dropdown, select an asset module.

  3. From the Select Query dropdown, select a query.

  4. In the value box, type a number. The minimum value is 0.

  5. Click the % sign (so that it is highlighted) to compare percentages, or leave it as is to compare actual values.

    • Percentage comparison
      [Screenshot: Percentage comparison]

    • Actual values comparison
      [Screenshot: Actual values comparison]

  6. Select More or Less.

  7. In the days before box, type the number of days in the timeline prior to the current execution time. When the query executes, the number of resulting assets is compared to the number of assets resulting from the query run executed the configured number of days earlier.

Note:

Findings are first triggered after the configured number of days.
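To make the three trigger types concrete, here is an added example (not Axonius code) that evaluates each of them over constructed counts, using the page's own cases such as "Devices with Tanium fall below 95% of all devices" and "Number of managed devices drops more than 15% a week". The reading of the % toggle in Query Comparison (A compared against X% of B) and the handling of a missing baseline are assumptions made here; the note above says a change-over-time rule cannot fire until the configured number of days has passed, which the code models by returning None.

```python
from datetime import date, timedelta
from typing import Dict, Optional


def _check_value(value: float) -> None:
    # The value box accepts 0 or more
    if value < 0:
        raise ValueError("minimum value is 0")


def simple_threshold(count: int, more: bool, value: int) -> bool:
    """Simple query threshold: fire when the query returns more/less than `value` assets."""
    _check_value(value)
    return count > value if more else count < value


def query_comparison(count_a: int, count_b: int, more: bool, value: float, percent: bool) -> bool:
    """Query comparison. Assumed reading of the UI: with % on, query A is compared
    against value% of query B; with % off, A is compared against B plus/minus value."""
    _check_value(value)
    if percent:
        bound = count_b * value / 100.0
    else:
        bound = count_b + value if more else count_b - value
    return count_a > bound if more else count_a < bound


def change_over_time(history: Dict[date, int], today: date, days: int,
                     more: bool, value: float, percent: bool) -> Optional[bool]:
    """Query change over time: compare today's count with the run `days` earlier.
    Returns None while no baseline run exists (the rule cannot fire yet)."""
    _check_value(value)
    baseline = history.get(today - timedelta(days=days))
    current = history.get(today)
    if baseline is None or current is None:
        return None
    if percent:
        if baseline == 0:
            return None  # a zero baseline has no percentage change
        change = (current - baseline) * 100.0 / baseline
    else:
        change = current - baseline
    return change > value if more else change < -value


# Constructed sample history of a "managed devices" query: one run per weekly cycle
HISTORY = {date(2024, 1, 11): 1000, date(2024, 1, 18): 820}

if __name__ == "__main__":
    print(simple_threshold(1, True, 0))                      # adapter failed fetches > 0
    print(query_comparison(940, 1000, False, 95, True))      # Tanium below 95% of all devices
    print(change_over_time(HISTORY, date(2024, 1, 18), 7, False, 15, True))
```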

Scheduling the Rule Checking

You can schedule when to check whether the assets that are returned from the query meet the trigger condition. The following scheduling is available:

  • Every global discovery cycle (default)
  • Every x hours
  • Every x days
  • Days of week
  • Days of month

To schedule the rule

  1. Click the Check and Notify box. The scheduling options dropdown opens.

[Screenshot: Scheduling dropdown]

  2. From the Check and Notify dropdown, select one of the following options:
    • Every global discovery cycle (the default)
      [Screenshot: Every global discovery cycle]

    • Every x hours - For this option, in Scheduled run every (hours), type the frequency in hours to check the rule.
      [Screenshot: Every x hours]

    • Every x days - For this option, in Scheduled run every (days), type the frequency in days to check the rule, and in Scheduled run time, click the clock to select the time at which to run on those days.
      [Screenshot: Every x days]

    • Days of week - In Scheduled run day(s), remove the days on which the rule should not run, and in Scheduled run time, click the clock to select the time at which to run on the remaining days.
      [Screenshot: Days of week]

    • Days of month - In Scheduled run day(s), remove the days on which the rule should not run, and in Scheduled run time, click the clock to select the time at which to run on the remaining days.
      [Screenshot: Days of month]

Adding Mute Conditions

You can define mute conditions per alert rule to suppress alerts for a specified period of time. Instead of the same rule matching over and over again, you can pause notifications after the first match, which gives you time to fix the underlying issue and keeps the signal-to-noise ratio high.
Some examples:

  • Pause for 24 hours after the first match.
  • Suppress alerts on users who haven't changed passwords from December 23rd until January 6th.
  • Trigger an alert if Tanium coverage suddenly drops. Because you know it will take one or two weeks to fix, you can define a mute period of two weeks before you get another alert.

To add mute conditions

  1. Toggle on Add Mute Conditions.
  2. From the Mute Type dropdown, select one of the following:
    • Mute time after first alert (default) - Select the number of days to mute alerts after the first match.
      [Screenshot: Mute time after first alert]

    • Mute on specific dates - Select a specific period of time to mute alerts.
      [Screenshot: Mute on specific dates]

    • Mute daily in this time range - Select a specific time range during which to mute alerts every day. In From and To, select the start time and end time.
      [Screenshot: Mute daily in this time range]
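The three mute types above, evaluated against the time of a candidate alert, as an added example that is not Axonius code. The class names, the inclusive date range, the treatment of a From time later than the To time as an overnight range, and the rule that the first match itself is still notified are all assumptions of this example; the dates and times are constructed from the page's own cases (a two-week pause after a Tanium coverage drop, muting from December 23rd until January 6th).

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional, Union


@dataclass
class MuteAfterFirstAlert:
    days: int  # "Mute time after first alert"


@dataclass
class MuteOnDates:
    start: date  # "Mute on specific dates", both ends inclusive
    end: date


@dataclass
class MuteDaily:
    start: time  # "Mute daily in this time range": From
    end: time    # To; an end earlier than start is treated as crossing midnight


Mute = Union[MuteAfterFirstAlert, MuteOnDates, MuteDaily]


def is_muted(mute: Mute, now: datetime, first_alert: Optional[datetime] = None) -> bool:
    """True when a notification at `now` should be suppressed by the mute condition.
    `first_alert` is the time of the rule's first match (None if it never matched)."""
    if isinstance(mute, MuteAfterFirstAlert):
        # The first match is notified; later matches inside the pause are not
        if first_alert is None:
            return False
        return first_alert < now < first_alert + timedelta(days=mute.days)
    if isinstance(mute, MuteOnDates):
        return mute.start <= now.date() <= mute.end
    if isinstance(mute, MuteDaily):
        t = now.time()
        if mute.start <= mute.end:
            return mute.start <= t <= mute.end
        return t >= mute.start or t <= mute.end  # overnight range, e.g. 22:00 to 06:00
    raise TypeError(f"unknown mute type: {type(mute).__name__}")


# Constructed sample: Tanium coverage dropped on 18 Jan 2024 and a two-week mute applies
FIRST_TANIUM_ALERT = datetime(2024, 1, 18, 9, 0)
TANIUM_MUTE = MuteAfterFirstAlert(days=14)
HOLIDAY_MUTE = MuteOnDates(date(2023, 12, 23), date(2024, 1, 6))
NIGHT_MUTE = MuteDaily(time(22, 0), time(6, 0))
```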

To remove mute conditions

  1. Toggle off Add Mute Conditions.

Adding External Notification

Note:

Only customers with the Enforcement Center add-on can configure an external notification of alerts in the system.

You can configure an external notification for any alert in the system using an enforcement action from the Notify category. This creates an enforcement set in the Findings Notification Enforcements folder, which also appears in the Shared Enforcements folder. Once configured, when an alert is triggered, a notification is automatically sent to you via the selected notification system (for example, Slack or email).

To configure an external notification

  1. In the Create Rule dialog, click + Add External Notification.
  2. In the drawer that opens, from the Select Action dropdown, select the Notify category enforcement action to use to notify about the alert. The required and additional fields of the selected enforcement action open.

[Screenshot: Add External Notification]

The following screen shows the result of selecting the enforcement action Slack - Send Message to Channel to send the external notification.
[Screenshot: Applied External Notification]

  3. Fill in the required and additional fields, as relevant, and then click Apply. Note that the Apply button becomes enabled only after you fill in the required fields. The selected enforcement action is added to the Enforcement Center Findings Notification Enforcements folder.
Note:

At any time before clicking Apply, you can click Back to Rule Configuration to leave the External Notification configuration.
