Rules Overview
  • 07 Aug 2023

From the Rules Manager tab in the Findings center, you can customize new rules or create new rules based on Axonius predefined rule templates.

It is important to configure rules so that they produce as few false positive alerts as possible.
You can configure a findings rule to trigger alerts based on complex conditions, including:

  • Single query criteria thresholds - Checks if a query returns a number of assets more or less than a specified number. For example, checks for more/less than Y adapter connections.
  • Query comparison - Compares the number of assets returned by two different queries. Queries can be of two different asset types, thus supporting cross-entity comparisons. Creates an alert if Query A returns X% more assets than Query B.
  • Timeline comparison - Compares simple and multiple queries over time. Creates an alert if Query A returns X% more assets today than it did yesterday.

These condition types cover all use cases and can be adapted to different vendors and asset types.

You can configure how often a rule runs to check for alerts, as well as how often to mute notifications on alerts, to ensure an optimal signal-to-noise ratio in your system. For example, you can configure a rule to create an alert if Tanium coverage suddenly drops. However, because you know that it usually takes one or two weeks to fix such an issue, you can set the muting conditions to notify you of the alert only once in two weeks, thus reducing noise in the system.
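The effect of muting on the Tanium coverage example can be seen in a small simulation. This is an added example, not Axonius code or its API: the daily counts, the limit of 900, the 20% drop and all function names are assumptions made for illustration.

```python
# Added illustration; not Axonius code. Counts and rule parameters are constructed.
from dataclasses import dataclass
from typing import List, Optional

def pct_change(current: int, baseline: int) -> float:
    """Percent change of `current` relative to `baseline`."""
    if baseline == 0:
        return 0.0 if current == 0 else float("inf")
    return (current - baseline) * 100.0 / baseline

def threshold_alert(count: int, limit: int, less_than: bool = True) -> bool:
    """Single query threshold: the query returned fewer (or more) assets than `limit`."""
    return count < limit if less_than else count > limit

def timeline_alert(today: int, yesterday: int, drop_pct: float) -> bool:
    """Timeline comparison: today's result fell by at least `drop_pct` percent."""
    return pct_change(today, yesterday) <= -drop_pct

@dataclass
class Muter:
    """Suppresses repeat notifications for `mute_days` after one is sent."""
    mute_days: int
    last_sent: Optional[int] = None

    def should_notify(self, day: int) -> bool:
        if self.last_sent is not None and day - self.last_sent < self.mute_days:
            return False
        self.last_sent = day
        return True

# Constructed daily results of a hypothetical "devices with Tanium" query:
# healthy on days 0-2, coverage drops on day 3, fixed on day 19.
DAILY_COUNTS: List[int] = [980] * 3 + [610] * 16 + [975]

def notification_days(counts: List[int], limit: int, mute_days: int) -> List[int]:
    """Run the threshold rule once per day; return the days a notification is sent."""
    muter = Muter(mute_days)
    return [d for d, c in enumerate(counts)
            if threshold_alert(c, limit) and muter.should_notify(d)]

def timeline_days(counts: List[int], drop_pct: float) -> List[int]:
    """Days on which the day-over-day timeline rule fires."""
    return [d for d in range(1, len(counts))
            if timeline_alert(counts[d], counts[d - 1], drop_pct)]
```

With no muting the threshold rule notifies on each of the 16 days the drop persists; with a 14-day mute it notifies on days 3 and 17 only. The day-over-day timeline rule fires once, on day 3, because every later day is compared with an already reduced baseline.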

You can also configure a rule to send notifications on alerts via external communication mediums (for example, email or Slack) using enforcement actions from the Notify category.

From the Rules Manager page, you can do the following:

