Login
    Contents x
    Enforcement Action Dynamic Value Statement Syntax Table
    • 02 Apr 2024
    • 7 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Enforcement Action Dynamic Value Statement Syntax Table

    • Updated on 02 Apr 2024
    • 7 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    The following table describes the syntax of all Dynamic Value statement (also referred to as "statement") types and the available functions and operators. 

    The syntax in the table includes:

    • [asset type] - The asset type on which to apply the statement.
    • form.field - A field in the selected Enforcement Action Configuration dialog.
    • adapter.field - A field from the selected adapter.
    • itemN - A value or single value field (number or string type).

    In a Dynamic Value statement, form.field and adapter.field must be of the same field type (e.g., both number or both string).

    Learn some useful tips and tricks for working with dynamic value statements.

    See Dynamic Value Statement Examples and Use Cases for some detailed examples.

    ElementTypeSyntaxNotes
    allStatement[asset type] all then form.field set_valueExamples:
    device all then form.field set_value
    user all then form.field set_value
    vulnerability all then form.field set_value
    software all then form.field set_value

    See set_value below for options.
    switch/caseStatement

    switch [adapter.field]
    case operator then form.field set_value

    		Operators support functions. A value can be used instead of an operator.
    addFunctionadd (item1, item2,…, itemN)Supports a list of number arguments (values and/or single value number type fields).
    Adds the number arguments in the list. 
    averageFunctionaverage ([adapter.field])Returns the average of the number values in the list. The field type of adapter.field is a list (array) of numbers.
    by_keyFunctionby_key ([adapter_complex_field_path], key_to_search_by, value_to_search, key_to_pick)In an adapter’s complex field ([adapter_complex_field_path]), searches in its specified object (key_to_search_by) for a specific value (value_to_search) and returns the value (key_to_pick) that is in another of its objects.
    Notes:
    • This function supports only an exact comparison. It does not support a comparison between one value from a list object and value_to_search in the statement.
    • This function does not support aggregated complex fields (which are in fact arrays of complex fields).
      For example, device all then form.tag_name set_value by_key ([device.specific_data.data.plugin_and_severities], "plugin_id", " 10395", "severity") does not work, as Plugins Information  (device.specific_data.data.plugin_and_severities) is not supported as it is an aggregated complex field, which combines several similar adapter fields into an aggregated one. In order for this function to work, use an adapter specific field, such as Tenable IO Plugins Information (device.adapters_data.tenable_io_adapter.plugin_and_severities).
    concatFunctionconcat (item1, item2,…, itemN)Supports a list of string arguments (values and/or single value string type fields).
    Concatenates the string arguments in the list. 
    countFunctioncount ([adapter.field])Counts and returns the number of values in a list. The field type of adapter.field is a list (array) of numbers.
    date_formatFunctiondate_format ([adapter.field], "format")Formats a date field using any of the following formats for the date and time:
    • %Y - Year (four digits)
    • %m - Month (01-12)
    • %d - Day of the month (01-31) 
    • %H - Hour (00-23) 
    • %M - Minute (00-59) 
    • %S - Second (00-60) 
    • %L - Millisecond (000-999) 
    • %j - Day of the year (001-366) 
    • %w - Day of the week (0-6, Sunday is 0) 
    • %a - Abbreviated weekday name (Sun, Mon, Tue, etc.) 
    • %A - Full weekday name (Sunday, Monday, Tuesday, etc.) 
    • %Z - Timezone (e.g., EST, PST, UTC)
    Note:
    • M = minute; m = month
    • The date_format function does not work with lists (arrays). In order for this function to work when used on list fields, add a function that selects one value from the list, for example, date_format ((max([adapter.field]), "format")
    divideFunctiondivide (item1, item2,…, itemN)Supports a list of number arguments (values and/or single value number type fields). Divides the number values in the list from left to right.
    joinFunctionjoin ([adapter.field], delimiter)Converts/flattens a list (array) into a single string of values separated by a delimiter.
    maxFunctionmax ([adapter.field])
    max (item1, item2,…, itemN)    		Returns the highest number value in the list. The field type of adapter.field is a list (array) of numbers.
    minFunctionmin ([adapter.field])
    min (item1, item2,…, itemN)    		Returns the lowest number value in the list. The field type of adapter.field is a list (array) of numbers.
    multiplyFunctionmultiply (item1, item2,…, itemN)Supports a list of number arguments (values and/or single value number type fields). Multiplies the number values in the list.
    nowFunctionnow ()Returns today's date and time formatted YYYY-mm-dd HH:MM:SS. For example: 2023-08-22 10:03:04
    regex_replaceFunctionregex_replace([adapter.field], regex_expression, replace_value)The regex_replace function returns the string value in adapter.field, and replaces the part of the string that matches regex_expression with the value in replace_value. Note that replace_value can also be a function that returns a string.
    Example: device all then form.tag_name set_value regex_replace ([device.specific_data.data.name], "(.*?)-", "banana")
    splitFunctionsplit([adapter.field], delimiter)Splits the string (in adapter.field) at the delimiter character and creates a list of the separate strings separated by commas.
    substringFunction (string manipulation)substring([adapter.field], start_index, end_index)Returns a substring of the field value, beginning from the specified start position in the string until the specified end position in the string.
    For example: substring('first last', 6, 10) = last
    subtractFunctionsubtract(item1, item2)Returns the result of subtracting item2 from item1. Supports two numbers (typed or values from fields) or two date-time fields. When subtracting two date-time fields, the result is the number of days with one decimal point. For example: 2.3
    Note: This function expects exactly two numbers or dates. If a list (array) field is used in the function instead of a single value field, the function fails and the action field in all assets is set to the fallback static value.
    sumFunctionsum ([adapter.field])Returns the sum of all the number values in the list. The field type of adapter.field is a list (array) of numbers. 
    to_lowerFunction (string manipulation)to_lower ([adapter.field])Convert the string in adapter.field to lowercase. 
    to_upperFunction (string manipulation)to_upper ([adapter.field])Convert the string in adapter.field to uppercase. 
    uniqueFunctionunique ([adapter.field])
    unique (nested function)

    		unique ([adapter.field]) returns the unique values in the list. The field type of adapter.field is a list (array) of values.
    unique (nested function) returns the unique results of a function.
    alsoOperatorform.field1 set_value "string1" also form.field2 set_value "string2"

    Applies dynamic content to two or more fields in an action.
    For example: form.field1 set_value "aaa" also form.field2 set_value "XXX"

    containsOperatorcase contains (“string”)

    For lists - True if at least one item="string".
    For string fields - True if part of the string value in the field ="string".
    For example: case contains (“aaa”)

    not_containsOperatorcase not_contains (“string”)

    For lists - True if at least one item not ="string".
    For string fields - True if "string" does not appear in all or part of the string value in the field.
    For example: case not_contains (“aaa”)

    countOperatorcase count (number value)Counts and matches the number of items in a list.
    For example: case count (10)
    starts_withOperatorcase starts_with (“string”)

    For lists - True if at least one item starts with "string".
    For string fields - True if the string value starts with "string".
    See also not_starts_with.
    For example: case starts_with (“aaa”)

    ends_withOperatorcase ends_with (“string”)

    For lists - True if at least one item ends with "string".
    For string fields - True if the string value in the field ends with "string". See also not_ends_with.
    For example: case ends_with (“aaa”) 

    inOperatorcase in (“string1”, "string2", ..., "stringN")

    For lists - True if at least one item is equivalent to one of the strings in the parentheses (string1, string2, or ..., stringN).
    See also not_in.
    For example: case in (“aaa”, "bbb", "ccc") 

    not_inOperatorcase not_in (“string1”, "string2", ..., "stringN")

    For lists - True if at least one item is not equivalent to one of the strings in the parentheses (string1, string2, or ..., stringN).
    For example: case not_in (“aaa”, "bbb", "ccc") 

    not_starts_withOperatorcase not_starts_with (“string”)For lists - True if at least one item does not start with "string".
    For string fields - True if the string value in the field does not start with "string".
    For example: case not_starts_with (“aaa”)
    not_ends_withOperatorcase not_ends_with (“string”)For lists - True if at least one item does not end with "string".
    For string fields - True if the string value in the field does not end with "string".
    For example: case not_ends_with (“aaa”)
    field_equalOperatorcase field_equal (“string”)True if the exact given string is identical to the string value in the field.
    Examples:
    case field_equal (“google”) for string fields
    case field_equal (“8.3”) for number fields
    case field_equal (true) for boolean fields
    field_not_equalOperatorcase field_not_equal (“string”)True if the exact given string is not identical to the string value in the field.
    Examples:
    case field_not_equal (“google”)
    case field_not_equal (“8.3”)
    case field_not_equal (true)
    field_existsOperatorswitch adapter.field
    case field_exists then form.field set_value “value”    		Tests whether adapter.field exists. If true, sets the value of form.field to "value".
    field_not_existsOperatorswitch adapter.field
    case field_not_exists then form.field set_value “value”    		Tests whether adapter.field exists. If false, sets the value of form.field to "value".
    in_netOperatorswitch [adapter.field]
    case in_net (IP address range) then form.field set_value “value”    		Tests whether the IP addresses in adapter.field (list field) or IP address in adapter.field (string field) are in the specified IP address range.  
    If true, sets the value of form.field to "value".
    IP address range can be in the format "10.10.0.4/3.6" or "10.10.0.4-10.10.3.6"
    Can compare to multiple comma-separated subnets.
    Valid for IPv4 and IPv6 addresses.
    not_in_netOperatorswitch [adapter.field]
    case not_in_net (IP address range) then form.field set_value “value”    		Tests whether the IP addresses in adapter.field (list field) or IP address in adapter.field (string field) are in the specified IP address range.  
    If false, sets the value of form.field to "value".
    IP address range can be in the format "10.10.0.4/3.6" or "10.10.0.4-10.10.3.6"
    Can compare to multiple comma-separated subnets.
    Valid for IPv4 and IPv6 addresses.
    gtOperatorswitch [adapter.field] case gt(number value)
    switch [adapter.field1] case gt([adapter.field2])    		Tests whether the number value in adapter.field is greater than the specified number value (for example, 10).
    OR
    Tests whether the number value in adapter.field1 is greater than the number value in adapter.field2.
    ltOperatorswitch [adapter.field] case lt(number value)
    switch [adapter.field1] case lt([adapter.field2])    		Tests whether the number value in adapter.field is less than the specified number value (for example, 20).
    OR
    Tests whether the number value in adapter.field1 is less than the number value in adapter.field2.
    set_valueOperatorset_value “string”
    set_value [adapter.field]
    set_value [adapter.field_path]
    set_value function ()
    set_value item1 or item2 ... or itemN    		Multiple (nested) functions can be used. The field type of adapter.field and adapter.field_path must match the field type of form.field. For example, both fields must be string type or both number type.
    Note that "or" is supported with set_value inside a Case statement to set the value of the action field to the first field value in the "or" list that exists on the asset. item1 or item2 ... or itemN


    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout