Login
    Contents x
    Rules Overview
    • 31 Mar 2024
    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Rules Overview

    • Updated on 31 Mar 2024
    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    The Findings Center includes the following type of Findings Rules:

    • Custom rules - Rule type = System Rule. Integrated rules as well as rules that you create on any query and entity type - both assets and system events (adapter fetches, activity logs), as well as existing system notifications (CPU, memory, and more).

    Alerts are triggered based on these rules.

    From the Rules Manager tab in the Findings center, you can do the following:

    • Customize new Custom rules.
    • Create new Custom rules based on Axonius predefined rule templates.
    • Activate/deactivate rules.

    You can configure Custom rules to trigger alerts based on complex conditions, including:

    • Single query criteria thresholds - Checks if a query returns a number of assets more or less than a specified number. For example, checks for more/less than Y adapter connections.
    • Query comparison - Compares the number of assets returned by two different queries. Queries can be of two different asset types, thus supporting cross-entity comparisons. Creates an alert if Query A returns X% more assets than Query B.
    • Timeline comparison - Compares simple and multiple queries over time. Creates an alert if Query A returns X% more assets today than it did yesterday.

    These condition types cover all use cases and can be adapted to different vendors and asset types.

    You can configure how often to run a Custom rule to check for alerts, as well as how often to mute notifications on alerts to ensure optimal signal-to-noise ratio in your system. For example, you can configure a Custom rule to create an alert if Tanium coverage suddenly drops. However, as you know that it usually takes one or two weeks to fix such an issue, you can set the muting conditions to notify you of the alert only once in two weeks, thus reducing noise in the system.

    You can also configure a Custom rule to send notifications on alerts via external communication mediums (for example, email or Slack) using enforcement actions from the Notify category.

    Note:

    It is important to configure rules that result in the minimum possible false positive alerts.

    From the Rules Manager page, you can do the following:

    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout