Adding or editing conditions
There are two types of conditions: triggering and non-triggering. A triggering condition is a condition that happens now. A non-triggering condition is a condition that has occurred in the past. In policies, triggering and non-triggering conditions can be combined when evaluating a current condition against past conditions (for example, correlating high severity events (triggering) with past configuration changes (non-triggering)).
All Compliance Violations Cleared Now
All configuration compliance violations on the current configurations have been cleared.
All Discrepancies Cleared Now
All configuration discrepancies for the triggering device have been cleared.
Change Detected Now
A configuration change has been detected.
Change Detected Past
A configuration change was detected in the past 2 days.
Compliance Violation Detected Now
A configuration compliance violation was detected based on one or more Rules on a device.
Config Change Now
A potential configuration change has occurred on a device.
Deploy to Active Request Failed Now
A user or policy-based Deploy to Active action for a device has failed.
External Change Task Close Failure Now
The External Change Task Close task has failed.
Hardware Change Detected Now
The system has detected a hardware change on a device (for example, a new or removed board, flash, or memory chip).
Discrepancy Detected Now
A configuration discrepancy has been detected. A discrepancy is a difference between the trusted production and the current device configuration.
OS Version Changed Past
A change in the OS version has occurred within the past two days.
Remediate Request Failed Now
A user or policy remediation with a rule, rule set, or all assigned rules has failed for a device.
Severity (0/1) Now
Received a high severity (0/1) event from a device.
Severity (0/1) Past
Received multiple high severity (0/1) events in the past two days.
Snapshot Request Failed Now
A user or policy-based configuration snapshot for a device failed.
This topic describes how to add or edit conditions for use in a policy and shows some examples.
To add or edit policy conditions
Open the Conditions page by clicking the Policies tab, and selecting Policies > Conditions.
Perform one of the following actions:
- Add: Add a new condition.
- Edit: Edit an existing condition in the relevant row.
- Copy: Create a new condition by copying and editing an existing condition in the relevant row.
Enter or update information in the following fields:
Specify a unique name for the condition. The name can be up to 40 characters.
Select a keyword for the condition to match. Select whether the condition is triggering (now) or non-triggering (past).
Select the network span. When the network span is Entire Network, Realm or Group, you can use Filter Devices to further narrow which devices to include in the policy. Select the blank or empty network span when an operation (for example, delete a rule or add a role) is executed and the keyword matches an event whose target is not a network span (for example, the target is a user or a job). Select a non-blank network span to match events whose target is a device, group, or realm.
The Entire Network option appears only for users who have the Full Rights network right. Only users with the Full Rights network right can then manage (edit, copy, and delete) a condition that is assigned to the entire network.
(Required, non-triggering condition only) Specify the duration for the condition. For example, a condition stating that a configuration change has been detected in the past 48 hours would set Keyword to Change Detected and Duration to Last 2 Day(s).
(Required, non-triggering condition only) Specify the number of times the keyword event must occur for the selected Network Span and Duration for the condition to be true.
- Click Save.
The following figures show the editing of two out-of-the-box conditions, a triggering condition and a non-triggering condition.
- Severity (0/1) Now condition, a triggering condition which detects the receipt of a high severity event from any device
- Change Detected Past condition, a non-triggering condition
In a policy, a non-triggering condition is evaluated after a triggering condition is received. For example, Severity (0/1) Now AND Change Detected Past can be used to correlate the high severity event with a prior configuration change.
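The correlation described above can be modelled in a few lines. This is an added illustration, not the product's own code: the `Event` and `Condition` shapes, the function names, the device names, and the timestamps are constructed. It assumes the past condition is checked against its own network span (`None` stands for Entire Network) and that the duration window ends when the triggering event arrives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Event:                                # constructed event record (hypothetical shape)
    keyword: str                            # e.g. "Severity (0/1)" or "Change Detected"
    device: str
    time: datetime

@dataclass(frozen=True)
class Condition:
    keyword: str
    devices: Optional[frozenset] = None     # network span; None = Entire Network (assumption)
    duration: Optional[timedelta] = None    # set only for non-triggering (past) conditions
    occurrences: int = 1                    # minimum number of matching past events

    def in_span(self, ev: Event) -> bool:
        return ev.keyword == self.keyword and (
            self.devices is None or ev.device in self.devices)

def policy_matches(trigger, past, incoming, history):
    """Evaluate `trigger AND past` at the moment `incoming` arrives."""
    if not trigger.in_span(incoming):
        return False                        # past conditions are checked only after a trigger
    start = incoming.time - past.duration
    hits = [e for e in history
            if past.in_span(e) and start <= e.time < incoming.time]
    return len(hits) >= past.occurrences

# Constructed sample data: one change 30 hours before the alert, one 5 days before.
T0 = datetime(2024, 1, 10, 12, 0)
HISTORY = [
    Event("Change Detected", "rtr-1", T0 - timedelta(hours=30)),
    Event("Change Detected", "rtr-2", T0 - timedelta(days=5)),
]
SEV_NOW = Condition("Severity (0/1)")                                     # triggering
CHANGE_PAST = Condition("Change Detected", duration=timedelta(days=2))   # non-triggering

def demo() -> bool:
    alert = Event("Severity (0/1)", "rtr-1", T0)
    return policy_matches(SEV_NOW, CHANGE_PAST, alert, HISTORY)

if __name__ == "__main__":
    print("policy fires:", demo())
```

Raising `occurrences` or narrowing `devices` on the past condition shows how the occurrence count and network span fields change whether the same high severity event correlates with a prior change.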