Condition Tree Command Buttons
All of the following options are available from buttons at the top of the Conditions Editor and also from right-click menu options. The exception is the "In Case" Condition which is only available from a right-click menu option.
|
Button |
Name |
Use |
|---|---|---|
|
|
New Event Definition |
Insert a new condition tree in the editor. |
|
|
AND |
Insert an AND condition. |
|
|
OR |
Insert an OR condition. |
|
|
NOT |
Insert a NOT condition. |
|
|
Filters |
Matches Filter condition. This resource-based command browses the Filters tree of the Navigator panel. Note that this operator applies only to rules. |
|
|
Assets |
Assets condition. This resource-based command browses the Assets tree of the Navigator panel. Note that this operator applies only to rules. |
|
Vulnerabilities |
Vulnerabilities condition. This resource-based command browses the Vulnerabilities tree of the Navigator panel. Note that this operator applies only to rules. |
|
Active Lists | Active Lists condition. This resource-based command browses the Active Lists tree of the Navigator panel. Note that this operator applies only to rules. |
|
Joins | Matching Event condition. Applies when there are two or more event conditions. |
|
|
Vulnerabilities |
Has Vulnerability condition. This resource-based command browses the Vulnerabilities tree in the Navigator panel. |
|
|
Active List |
InActiveList condition. This command browses the Navigator panel's Active Lists tree, and operates on items in the event and actor schemas. It is used to map a field or a global variable in the event schema to a corresponding field in an active list. It does not evaluate items in other non-event schemas (such as cases or assets). The InActiveList operator option evaluates single-value attributes and multi-value attributes. The field you map could return multiple values. In the case of multi-value attributes, if any one value matches, the condition evaluates to true. Consider this scenario for multi-value attributes: An active list keeps track of actor roles where role values can be one of Normal, Restricted, or Privileged. You can test if an actor has one of these roles. If your list has a field called RoleName, you map the actor’s RoleName attribute to this field. Keep in mind that an actor’s RoleName attribute is multi-valued because an actor can have multiple roles. Through the InActiveList condition, you can have a query that checks if one of the actor’s roles is Privileged. A condition that tests for whether all or any values in a list match is only available to specify on queries and on in-memory operations such as rules, filters, data monitors. Note: The InActiveList condition in lightweight rules does not support lists with multi-mapped values. |
|
|
Joins |
Inserts a Join or Matching Event condition. Note: This option applies only to Rules. See Creating Matching or Join Conditions. |
