Adding Conditions

When adding a condition, decide how it ties to the existing conditions. You use the AND, OR, and NOT operators to define relationships between condition statements. With AND, the new condition must occur in addition to the selected existing conditions. With OR, either the new condition or any existing condition must occur. With NOT, all conditions except the new one must occur.

Tip: Multiple assets and asset categories added to a single asset condition are always OR’ed together (not AND’ed).

For example, create a new rule, click the Conditions tab in the Rule Editor, select Assets, and add some asset categories to the condition. (To do this, select them on the Asset Categories tab at the bottom of the Editor and click Apply.)

Click the Summary tab to view the detail of the Boolean logic. This shows that the assets are OR’ed together.

If you want to AND an asset condition to other conditions, go back to the Edit tab, select the event definition again, and add other conditions based on the fields shown in the lower half of the editor.

To add more condition statements, right-click an existing statement and choose New Logical Operator, then And, Or, or Not, or click a logical operator or resource-selection button. Then, create the new condition statement.

Event-definition conditions are allowed only in rules that include separate events or aliases, and Join conditions only in rules that correlate those separate events.

In the data field table, scroll to a data field in the Name column to create a condition statement.

Data fields provide event details from all devices deployed throughout your enterprise. Event details from these devices are normalized into common data fields and stored in the database to allow investigative and analytical comparison of all incoming events. See Data Fields and Timestamp Variables for more information.

The data field table displays a Name, Operator, and Condition column. These three columns are combined to create <data field> <logic operator> <data field value> condition statements. For example, if monitoring a Cisco Router, you could define a condition statement to specify Device Product = Cisco Router: Device Product as the data field, equals (=) as the logic operator, and Cisco Router as the data field value.
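As an added illustration (example code, not part of the product or its documentation), the following Python models the Boolean logic the Rule Editor builds: `<data field> <logic operator> <data field value>` statements combined with AND, OR, and NOT, with an asset condition whose members are always OR'ed together. Field names other than Device Product, and all event values, are assumed for the example.

```python
# Added example, not from the product documentation: a small evaluator for the
# condition trees the Rule Editor builds. A condition statement is a
# <data field> <logic operator> <data field value> triple; AND/OR/NOT nodes
# combine statements. Field names other than "Device Product" are assumed.
from dataclasses import dataclass, field

@dataclass
class Stmt:
    name: str      # data field, e.g. "Device Product"
    op: str        # logic operator: "=" or "!="
    value: str     # data field value

@dataclass
class Logic:
    op: str        # "AND", "OR" or "NOT"
    children: list = field(default_factory=list)

def asset_condition(field_name, assets):
    """Model an asset condition: several assets/categories are always OR'ed."""
    return Logic("OR", [Stmt(field_name, "=", a) for a in assets])

def evaluate(cond, event):
    """Return True when the event satisfies the condition tree."""
    if isinstance(cond, Stmt):
        actual = event.get(cond.name)
        return actual == cond.value if cond.op == "=" else actual != cond.value
    if cond.op == "AND":
        return all(evaluate(c, event) for c in cond.children)
    if cond.op == "OR":
        return any(evaluate(c, event) for c in cond.children)
    if cond.op == "NOT":           # negates its single child only
        return not evaluate(cond.children[0], event)
    raise ValueError(f"unsupported logical operator {cond.op!r}")

def summary(cond):
    """Render the tree the way the Summary tab shows the Boolean logic."""
    if isinstance(cond, Stmt):
        return f"{cond.name} {cond.op} {cond.value}"
    if cond.op == "NOT":
        return f"NOT ({summary(cond.children[0])})"
    return "(" + f" {cond.op} ".join(summary(c) for c in cond.children) + ")"

# Constructed rule: Cisco Router events against core or edge network assets,
# excluding heartbeat events (asset category and event names are made up).
RULE = Logic("AND", [
    Stmt("Device Product", "=", "Cisco Router"),
    asset_condition("Target Asset Category", ["/Network/Core", "/Network/Edge"]),
    Logic("NOT", [Stmt("Name", "=", "Heartbeat")]),
])
```

Calling `summary(RULE)` prints the same OR-inside-AND structure the Summary tab shows, which is a quick way to check that an asset list was OR'ed and then AND'ed with the other conditions as intended.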
