It is often necessary to use a more complex filter when building out a Respond Rule. In particular, it can be helpful for a Respond Rule to trigger only when an alert "Does Not Contain" a particular value.
For example, you may want Respond to trigger when a Policy Event - Security Policy Change occurs, but not when the change was made by Sharepoint. There may also be other values (accounts or applications) that you do not want Respond to trigger on for this event.
When viewing the details for an event in the Analysis Module, the "Magnifying Glass" icon displays the full set of information the API provides for that event. The "Description Details" field (jointDescAdditional in the API) contains the values used to configure the Respond Filter in this example.
When configuring a Respond Filter, jointDescAdditional is shown as "Description Details". In this example we do NOT want Respond to trigger when "Sharepoint" appears in the jointDescAdditional field, and there may be other terms or applications you do not want Respond to trigger on when a Security Policy Change occurs. Reading the requirement in plain English ("not Sharepoint, not NT AUTHORITY, not AVG0, not AVG1"), it is tempting to add a separate "Does Not Contain" condition for each value and let each condition be evaluated on its own, as an OR. That is an example of how NOT to configure the rule:
With that configuration the values are never checked together. A "Does Not Contain" condition is true for every value that happens to be absent, so an event whose Description Details mention Sharepoint still satisfies the first condition (it does not contain NT AUTHORITY), and Respond triggers on that first match without looking at the remaining values (Sharepoint, AVG0, AVG1). In practice every event passes, because no single Description Details value contains all four terms at once.
The correct way to exclude multiple values from Description Details is to combine the "Does Not Contain" conditions with an AND statement within the same filter:
With AND, Respond checks Description Details against every value, and the rule triggers only when none of them (NT AUTHORITY, Sharepoint, AVG0, AVG1) is present.
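The following is an added example, not part of the original article and not the product's own code. It is a small Python evaluator that models a Respond Filter made of several "Does Not Contain" conditions on Description Details (jointDescAdditional) and runs it over a handful of constructed Security Policy Change events, so you can see why the OR form triggers on the first absent value and the AND form is what actually excludes all of them. The event records, the case-insensitive matching, and the function names are assumptions made for the illustration.

```python
# Added example (not from the original article or the product): models how a
# Respond Filter combines several "Does Not Contain" conditions so the
# difference between OR and AND is visible on real-looking input.

FIELD = "jointDescAdditional"          # shown as "Description Details" in the UI
EXCLUDED_TERMS = ["NT AUTHORITY", "Sharepoint", "AVG0", "AVG1"]

# Constructed sample events (not real API output). Only the first three
# should be excluded; the last one is a genuine change worth responding to.
SAMPLE_EVENTS = [
    {"event": "Security Policy Change",
     FIELD: "Modified by Sharepoint service account"},
    {"event": "Security Policy Change",
     FIELD: "NT AUTHORITY\\SYSTEM updated audit policy"},
    {"event": "Security Policy Change",
     FIELD: "AVG1 scheduled task changed local policy"},
    {"event": "Security Policy Change",
     FIELD: "jdoe changed User Rights Assignment"},
]


def does_not_contain(event, field, term):
    """A single 'Does Not Contain' condition. Matching is assumed to be
    case-insensitive, as most UI filters are."""
    return term.lower() not in event.get(field, "").lower()


def first_condition_satisfied(event, field=FIELD, terms=EXCLUDED_TERMS):
    """Which 'Does Not Contain' condition an OR-style filter stops at.
    Returns the term of the first condition that evaluates true, or None."""
    for term in terms:
        if does_not_contain(event, field, term):
            return term
    return None


def filter_with_or(event, field=FIELD, terms=EXCLUDED_TERMS):
    """The mistaken configuration: each condition evaluated independently.
    any() short-circuits on the first true condition, exactly the behaviour
    the article describes; an event mentioning Sharepoint passes because it
    does not contain NT AUTHORITY."""
    return any(does_not_contain(event, field, t) for t in terms)


def filter_with_and(event, field=FIELD, terms=EXCLUDED_TERMS):
    """The correct configuration: all conditions in one filter joined by AND.
    The rule triggers only when none of the excluded terms is present."""
    return all(does_not_contain(event, field, t) for t in terms)


def events_that_trigger(events, filter_fn):
    """Return the Description Details of every event the filter lets through."""
    return [e[FIELD] for e in events if filter_fn(e)]


if __name__ == "__main__":
    print("OR  triggers on:", events_that_trigger(SAMPLE_EVENTS, filter_with_or))
    print("AND triggers on:", events_that_trigger(SAMPLE_EVENTS, filter_with_and))
    print("OR stopped at condition:",
          first_condition_satisfied(SAMPLE_EVENTS[0]))
```

Running the block shows the OR form letting all four events through (the Sharepoint event is passed by the very first condition, "Does Not Contain NT AUTHORITY"), while the AND form triggers only on the jdoe change. This is just De Morgan's law: "not A and not B" is the negation of "A or B"; writing "not A or not B" instead is almost always true.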