Enforcement Action Dynamic Value Statement Syntax Table
The following table describes the syntax of all Dynamic Value statement (also referred to as "statement") types and the available functions and operators.
Private notes
- All field types can be configured as either a single value or a list (array) with multiple values.
- Mathematical functions (add, divide, max, min, multiply, subtract, sum) can include only number value types, and the subtract function can alternatively include two date-time fields. Otherwise, the function fails, which in turn causes the entire statement to fail.
- When using a function, use only single value fields or use an internal function to verify this. If a field contains more than one value (i.e., is a list (array)), the function fails and the action field in all assets is set to the fallback static value.
- When using a function, if one or more fields are missing a value, the function fails and the action field in the asset is set to the fallback static value.
The syntax in the table includes:
- [asset type] - The asset type on which to apply the statement.
- form.field - A field in the selected Enforcement Action Configuration dialog.
- adapter.field - A field from the selected adapter.
- itemN - A value or single value field (number or string type).
In a Dynamic Value statement, form.field and adapter.field must be of the same field type (e.g., both number or both string).
Learn some useful tips and tricks for working with dynamic value statements.
See Dynamic Value Statement Examples and Use Cases for some detailed examples.
| Element | Type | Syntax | Notes |
|---|---|---|---|
| all | Statement | [asset type] all then form.field set_value | Examples: device all then form.field set_value user all then form.field set_value vulnerability all then form.field set_value software all then form.field set_value See set_value below for options. |
| switch/case | Statement | switch [adapter.field] case operator then form.field set_value | Operators support functions. A value can be used instead of an operator. |
| add | Function | add (item1, item2,…, itemN) | Supports a list of number arguments (values and/or single value number type fields). Adds the number arguments in the list. |
| array | Function | array ([adapter.field1],[adapter.field2],..., [adapter.fieldN]) | Creates an array of multiple fields. Each field input to the function can be an adapter field or text string. The array resulting from this function can be written into a single multi-value custom field (of type array (list)). |
| average | Function | average ([adapter.field]) | Returns the average of the number values in the list. The field type of adapter.field is a list (array) of numbers. |
| by_key | Function | by_key ([adapter_complex_field_path], field_to_compare, by_value, field_to_pick) | adapter_complex_field_path - The path to the complex field.field_to_compare - The field in the object to compare with by_value.by_value - The string value to match against the field_to_compare.field_to_pick - The field value from the first matched object.The function checks each object of the complex field ([adapter_complex_field_path]), checks each object until it finds a match between the specified field (field_to_compare) and the specified value (by_value). The function returns the value in another specified field (field_to_pick) from that first object with a match. **Notes:**This function supports only an exact comparison. It does not support a comparison between one value from a list field (field_to_compare) and a by_value.This function does not support aggregated complex fields (which are in fact arrays of complex fields). For example, device all then form.tag_name set_value by_key ([device.specific_data.data.plugin_and_severities], "plugin_id", " 10395", "severity") does not work, as Plugins Information (device.specific_data.data.plugin_and_severities) is not supported as it is an aggregated complex field, which combines several similar adapter fields into an aggregated one. In order for this function to work, use an adapter specific field, such as Tenable IO Plugins Information (device.adapters_data.tenable_io_adapter.plugin_and_severities). |
| concat | Function | concat (item1, item2,…, itemN) | Supports a list of string arguments (values and/or single value string type fields). Concatenates the string arguments in the list. |
| concat_array | Function | concat_array ([adapter.field], [adapter.field],...,[adapter.field]) | Joins one or more arrays into a single array. For example: concat_array (list1 {a, b, c}, list2 [d, e, f, g]) --> [a, b, c, d, e, f, g] |
| concat_prefix | Function | concat_prefix ("prefix", [adapter.field]) | Appends a prefix to each field value in a list (array). The field type of adapter.field is a list (array) of values. For example:concat_prefix ("prefix", [adapter.field]) --> [prefixfield1, prefixfield2] |
| count | Function | count ([adapter.field]) | Counts and returns the number of values in a list. The field type of adapter.field is a list (array) of numbers. |
| date_format | Function | date_format ([adapter.field], "format") | Formats a date field using any of the following formats for the date and time:%Y -Year (four digits)%m - Month (01-12)%d - Day of the month (01-31) %H - Hour (00-23) %M - Minute (00-59) **%S -**Second (00-60) %L - Millisecond (000-999) %j - Day of the year (001-366) %w - Day of the week (0-6, Sunday is 0) %a - Abbreviated weekday name (Sun, Mon, Tue, etc.) %A - Full weekday name (Sunday, Monday, Tuesday, etc.) %Z - Timezone (e.g., EST, PST, UTC)**Note:**M = minute; m = monthThe date_format function does not work with lists (arrays). In order for this function to work when used on list fields, add a function that selects one value from the list, for example, date_format ((max([adapter.field]), "format") |
| divide | Function | divide (item1, item2,…, itemN) | Supports a list of number arguments (values and/or single value number type fields). Divides the number values in the list from left to right. |
| filter | Function | filter ([field], Operator, Criteria) | The filter function filters values from single values or arrays (lists). This gives the flexibility to configure a filter within a workflow without being limited to a predefined saved query. The function has the following parameters:field- A Single Value String or a Multiple Values String field.Operator- The comparison to be applied. Supported operators are contains, not_contains, gt (greater than), lt (less than), and regex. It is possible to combine multiple operators and criteria.Example: filter ([1,5,3], gt, "2") returns the output: [5,3] |
| filter_by_key | Function | filter_by_key ([adapter_complex_field_path], field_to_compare, by_value, field_to_pick) | The filter_by_keyfunction filters data within complex fields and extracts a specific field value based on matching conditions.adapter_complex_field_path - The path to the complex field being filtered.field_to_compare - The field in the object to compare with by_value.by_value - The string value to match against the field_to_compare.field_to_pick - The field whose values are added to the resulting list for all matched objects.The function checks each object of the complex field ([adapter_complex_field_path]) to see if the specified field (field_to_compare) is equivalent to the specified value (by_value). From each object with a match, places the value from another specified field (field_to_pick) into a comma-separated list. This list is returned by this function. **Notes:**This function fetches a field from each object in the complex field with a matching field value, as opposed to the by_key function that only fetches a field from the first object with a match.This function supports only an exact comparison. It does not support a comparison between one value from a list field (field_to_compare) and a by_value.This function does not support aggregated complex fields (which are in fact arrays of complex fields). See the example in the by_key function above. |
| generate_string | Function | generate_string (Length, Character Mode) | The generate_string function creates secure, random strings of a specified length and character composition. This function is useful for generating unique identifiers, temporary passwords, security tokens, or other security-related strings directly within an automation workflow. The function has the following parameters:Length - The total number of characters in the generated string (default: 16).Character Mode- Determines the types of characters included in the string.alphanumeric (default) - Generates a string composed of uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and symbols. Example output: mYp@$$wOrd123hex - Generates a string using only hexadecimal characters (0-9 and a-f). Each pair of characters (e.g., "4b") can be converted to a byte (8 bits) of binary data. Example output: 4b7a9c3f2e1d6a4b (a sequence of 16 hexadecimal characters). letters- Generates a string using only uppercase and lowercase letters. Example output: AvsgYjdnVnumbers- Generates a string using only numbers. Example output: 673913487 |
| join | Function | join ([adapter.field], delimiter) | Converts/flattens a list (array) into a single string of values separated by a delimiter. |
| max | Function | max ([adapter.field]) max (item1, item2,…, itemN) | Returns the highest number value in the list. The field type of adapter.field is a list (array) of numbers. |
| min | Function | min ([adapter.field]) min (item1, item2,…, itemN) | Returns the lowest number value in the list. The field type of adapter.field is a list (array) of numbers. |
| multiply | Function | multiply (item1, item2,…, itemN) | Supports a list of number arguments (values and/or single value number type fields). Multiplies the number values in the list. |
| now | Function | now () | Returns today's date and time formatted YYYY-mm-dd HH:MM:SS. For example: 2023-08-22 10:03:04 |
| regex_extract | Function | regex_extract([adapter.field], "regex_expression", index) | The Regular Expression function regex_extract extracts from adapter.field the string that matches regex_expression so that it can be used to populate Custom Fields or Tags. If index is not specified, it captures the first occurrence of the string in adapter.field. If index is specified (optional), it extracts the occurrence of the string specified by the index (0is first occurrence, 1 is second, and so on). Example: device all then form.field_value set_value regex_extract([device.specific_data.data.name],"([a-zA-Z]{2}\d{3})",1) |
| regex_replace | Function | regex_replace([adapter.field], regex_expression, replace_value) | The regex_replace function returns the string value in adapter.field, and replaces the part of the string that matches regex_expression with the value in replace_value. Note that replace_value can also be a function that returns a string. Example: device all then form.tag_name set_value regex_replace ([device.specific_data.data.name], "(.*?)-", "banana") |
| relation | Function | [relation.[asset type]("[relationship name] ").[adapter.field]] | The relation function fetches data from a field in a related asset (i.e., an asset that is related to the Action Center action asset via a Relationship). For example, when running an action on a ticket, it is possible to retrieve data from an associated user based on a defined ticket-user Relationship. [asset type] - The related asset type to pull data from. [relationship name] - The name of the Relationship defined in the system. Learn more about Relationships. [adapter.field] - The name of the field in the related asset. You can retrieve the entire Relationship field name in the format relation.asset_type("relationship_name").adapter_field via the Relationship Fields tab in the Syntax Helper and then enclose it in [] . For example, relation.disk("Has").specific_data.data.asset_type This function is supported by the Dynamic Value Statement Wizard. |
| split | Function | split([adapter.field], delimiter) | Splits the string (in adapter.field) at the delimiter character and creates a list of the separate strings separated by commas. |
| substring | Function (string manipulation) | substring([adapter.field], start_index, length) | Returns a substring of the field value, beginning from the specified start position in the string for the length specified. For example: substring('firstmiddlelast', 6, 3) = mid |
| subtract | Function | subtract(item1, item2) | Returns the result of subtracting item2 from item1. Supports two numbers (typed or values from fields) or two date-time fields. When subtracting two date-time fields, the result is the number of days with one decimal point. For example: 2.3 Note: This function expects exactly two numbers or dates. When using list (array) fields in the subtraction, it is recommended to add min or max functions so that the subtract is done on single value fields. Otherwise, if a list (array) field is used in the function instead of a single value field, although the syntax validates successfully, the function fails and the action field in all assets is set to the fallback static value. |
| sum | Function | sum ([adapter.field]) | Returns the sum of all the number values in the list. The field type of adapter.field is a list (array) of numbers. |
| title_case | Function | title_case ([adapter.field]) | Converts the input string to title case.Capitalizes the first letter of each word.Does not alter numeric characters or special symbols.If a word begins with a number or symbol, the first letter after that number or symbol is capitalized.Example: *user all then form.mailSubject set_value title_case([user.specific_data.data.username])*Input: john doe_123-exampleOutput: John Doe_123-Example |
| to_date | Function | to_date (number of milliseconds) | Converts the results of a date calculation (epoch date in milliseconds) to a date in human-readable Date format. For example: device all then form.field_date.now set_value to_date (add(now(),2592000000)) sets the date to 30 days (=2592000000 milliseconds) from the current date. Note: When you create a Dynamic Value Statement for adding a custom date field, ensure to useform.field_date.specific with Date type set to Specific date, as a dynamic date can be written only to this type of Date field. Do not use form.field_date.now or a field with Date type set to Now, as this type of field cannot accept dynamic input, and regardless of the statement, its value is always the action runtime. |
| to_int | Function | to_int ([adapter.field]) | Converts a string or float value in an array (list field) or single value field to an integer value. The value type of adapter.field is String or Float. For example: device all then form.field_value set_value to_int ([device.specific_data.data.cpus.cores]) converts a field value of 7.0 (float) to 7 (integer) |
| to_lower | Function (string manipulation) | to_lower ([adapter.field]) | Converts the string in adapter.field to lowercase. |
| to_table | Function | to_table ([adapter.field], column definitions) | Converts a complex field (list of objects) into a formatted HTML table by mapping specified data fields to table headers. to_table ([adapter.field], [(header: "Column 1 Name", field: "field_1"), (header: "Column 2 Name", field: "field_2")])adapter.field - The complex field (list of objects) that you want to convert into a table. Each object in this list provides the data for a single row in the output. column definitions (list of objects) - This list defines the headers and corresponding data fields for each column. Each object in this list requires two properties: header (string) - The column title that will be displayed in the HTML table.field(string)**- The name of the sub-field (property) within each object in adapter.field from which to extract data for the column. Example: The following example converts a list of software objects into an HTML table with two columns 'SW UID' and 'Name.** *to_table([device.specific_data.data.installed_software], [(header: "SW UID", field: "sw_uid"), (header: "Name", field: "name")])* **Output**: Renders a complete HTML table with SW UID' and 'Name' as headers. The rows are populated with the sw_uid and name values from the installed_software list. |
| to_upper | Function (string manipulation) | to_upper ([adapter.field]) | Converts the string in adapter.field to uppercase. |
| unique | Function | unique ([adapter.field]) unique (nested function) | unique ([adapter.field]) returns the unique values in the list. The field type of adapter.field is a list (array) of values. unique (nested function) returns the unique results of a function. |
| also | Operator | form.field1 set_value "string1" also form.field2 set_value "string2" | Applies dynamic content to two or more fields in an action. For example: form.field1 set_value "aaa" also form.field2 set_value "XXX" |
| contains | Operator | case contains (“string”) | For lists - True if at least one item="string". For string fields - True if part of the string value in the field ="string". For example: case contains (“aaa”) |
| not_contains | Operator | case not_contains (“string”) | For lists - True if at least one item not ="string". For string fields - True if "string" does not appear in all or part of the string value in the field. For example: case not_contains (“aaa”) |
| count | Operator | case count (number value) | Counts and matches the number of items in a list. For example: case count (10) |
| starts_with | Operator | case starts_with (“string”) | For lists - True if at least one item starts with "string". For string fields - True if the string value starts with "string". See also not_starts_with. For example: case starts_with (“aaa”) |
| ends_with | Operator | case ends_with (“string”) | For lists - True if at least one item ends with "string". For string fields - True if the string value in the field ends with "string". See also not_ends_with. For example: case ends_with (“aaa”) |
| in | Operator | case in ([“string1”, "string2", ..., "stringN"]) | For lists - True if at least one item is equivalent to one of the strings in the square brackets [string1, string2,..., stringN]. See also not_in. For example: case in ([“aaa”, "bbb", "ccc"]) |
| not_in | Operator | case not_in ([“string1”, "string2", ..., "stringN"]) | For lists - True if at least one item is not equivalent to one of the strings in the square brackets [string1, string2,..., stringN]. For example: case not_in ([“aaa”, "bbb", "ccc"]) |
| not_starts_with | Operator | case not_starts_with (“string”) | For lists - True if at least one item does not start with "string". For string fields - True if the string value in the field does not start with "string". For example: case not_starts_with (“aaa”) |
| not_ends_with | Operator | case not_ends_with (“string”) | For lists - True if at least one item does not end with "string". For string fields - True if the string value in the field does not end with "string". For example: case not_ends_with (“aaa”) |
| field_equal | Operator | case field_equal (“string”) | True if the exact given string is identical to the string value in the field. Examples: case field_equal (“google”) for string fields case field_equal (“8.3”) for number fields case field_equal (true) for boolean fields |
| field_not_equal | Operator | case field_not_equal (“string”) | True if the exact given string is not identical to the string value in the field. Examples: case field_not_equal (“google”) case field_not_equal (“8.3”) case field_not_equal (true) |
| field_exists | Operator | switch adapter.field case field_exists then form.field set_value “value” | Tests whether adapter.field exists. If true, sets the value of form.field to "value". |
| field_not_exists | Operator | switch adapter.field case field_not_exists then form.field set_value “value” | Tests whether adapter.field exists. If false, sets the value of form.field to "value". |
| in_net | Operator | switch [adapter.field] case in_net (subnet range) then form.field set_value “value” | Tests if a subnet range in adapter.field (list field) or a single subnet in adapter.field (string field) is within the specified range. If the subnet or subnet range is within the specified range, sets the value of form.field to "value". Accepts subnet ranges in CIDR notation Example of IPv4 subnet range: "172.16.0.0/20". 172.16.0.0 is the network address. This range includes IP addresses from 172.16.0.0 to 172.16.15.255. 172.16.0.1 - 172.16.15.254 is the range expressed with a hyphen, and shows the first and last usable host address within the subnet. Allows comparison against multiple comma-separated subnets. Supports both IPv4 and IPv6 subnet masks. |
| not_in_net | Operator | switch [adapter.field] case not_in_net (subnet range) then form.field set_value “value” | Tests if a subnet range in adapter.field (list field) or a single subnet in adapter.field (string field) is not within the specified range. If the subnet or subnet range is not within the specified range, sets the value of form.field to "value". Accepts subnet ranges in CIDR notation Example of IPv4 subnet range: "192.168.1.0/24". 192.168.1.0 is the network address. This range includes IP addresses from 192.168.1.0 to 192.168.1.255 192.168.1.1 - 192.168.1.254 is the range expressed with a hyphen, and shows the first and last usable host address within the subnet. Allows comparison against multiple comma-separated subnets. Supports both IPv4 and IPv6 subnet masks. |
| gt | Operator | switch [adapter.field] case gt(number value) switch [adapter.field1] case gt([adapter.field2]) | Tests whether the number value in adapter.field is greater than the specified number value (for example, 10). OR Tests whether the number value in adapter.field1 is greater than the number value in adapter.field2. |
| lt | Operator | switch [adapter.field] case lt(number value) switch [adapter.field1] case lt([adapter.field2]) | Tests whether the number value in adapter.field is less than the specified number value (for example, 20). OR Tests whether the number value in adapter.field1 is less than the number value in adapter.field2. |
| set_value | Operator | set_value “string” set_value [adapter.field] set_value [adapter.field_path] set_value true; set_value false for Boolean fields set_value function () set_value item1 or item2 ... or itemN | Multiple (nested) functions can be used. The field type of adapter.field and adapter.field_path must match the field type of form.field. For example, both fields must be string type or both number type. Note that "or" is supported with set_value inside a Case statement to set the value of the action field to the first field value in the "or" list that exists on the asset. item1 or item2 ... or itemN |
Updated about 14 hours ago