Definition Tab

The Definition tab of the Workflow Wizard is used to specify the criteria that trigger the rule and whether the rule applies to the results found in each location or to all of the results found in a search. The definition is required and cannot be empty.

The Definition tab has four components:

Field Description
Scope

Specify whether the rule applies to a location or a search.

  • Location: Select Location if you want the rule to apply to each result found in each location. For example, if you are using Total AnyFind Count in your definition and you set it to a specific value, such as greater than 8, then there must be more than 8 AnyFinds in a particular location in order for the rule to apply. If there are more than 8 AnyFinds in the entire search, but not more than 8 in a particular location, then the rule does not apply, because totals are calculated separately for each location.
  • Search: Select Search if you want the rule to apply collectively to all of the results found in each search. For example, if you are using AnyFind Count in your definition and you set it to a specific value, such as greater than 8, and three locations have been searched, each containing fewer than 8 AnyFinds but more than 8 in aggregate, then the rule applies, because totals are calculated collectively for the entire search.
Type

Specify when definitions which are linked with an AND condition are met.

  • A single result matches all of the conditions: Selecting this option requires a single result in a search location to match all of the conditions in a definition for the rule to be applied.
  • A group of results match all of the conditions: Selecting this option requires a group of results in a search location to match all of the conditions in a definition for the rule to be applied. Additionally, when the filter is set to Quantity, Action, or Data Types, you can create horizontal AND groups. Within a horizontal AND group all conditions must be met by a single result to be considered a match.
Totals

Totals are calculated differently depending on how Type is set. If Type is set to "A single result matches all of the conditions", then totals are calculated across only those results that match all of the conditions and totals display "Calculate totals across only those results that match all of the conditions". If Type is set to "A group of results match all of the conditions", then totals are calculated across all of the results in the location and totals display "Calculate totals across all of the results in the location."
Definition

Define a filter for the rule that is run against imported results data to determine whether the rule applies. To create a definition, select a filter type from the filter drop-down, an operator from the operator drop-down and enter a value in the value field.

  • The available filters are:
    • Access Date: A filter which restricts based on the date and time that the file was last accessed. If the (All day) option is selected, the time portion of the filter does not display. If the (All day) option is not selected, the time portion of the filter displays and is applied.
    • ACL: ACE Type: A filter which restricts based upon the ACE (Access Control Entry) Type. (Allow, Deny, System Alarm and System Audit.)
    • ACL: Authorization: A filter which restricts based upon the specific rights granted to the trustee, such as the ability to read, write or delete the file.
    • ACL: Trustee: A filter which restricts based upon the individual user or group to which the access rights apply.
    • Action: A filter which restricts based upon an action that has been performed on a result. When using "Action" as a filter and Type is set as "A group of results match all of the conditions", another plus sign displays to the right of the Definition. This plus sign allows for the creation of horizontal AND groups. Within that horizontal group all conditions must be met by a single row to be considered a match.
    • Create Date: A filter which restricts based on the date and time that the file was created.
    • Data Types: A filter which restricts based upon the data type. (SSN, CCN, phone number, etc.) When using "Data Types" as a filter and Type is set as "A group of results match all of the conditions", another plus sign displays to the right of the Definition. This plus sign allows for the creation of horizontal AND groups. Within that horizontal group all conditions must be met by a single row to be considered a match. When using "Data Types" as a filter and Dictionary is selected, a drop-down called "Name:" displays, from which you can select one of the available dictionaries.
    • Location: A filter which restricts by the location information available.
    • Location Type: A filter which restricts by the type of location found. (PDF file, Microsoft Excel Worksheet, JPEG image, etc.)
    • Location Type General: A filter which restricts based upon the general type of location of the result. For example, database table instead of the specific type of database.
    • Modify Date: A filter which restricts based on the date and time that the file was last modified.
    • Owner: A filter which restricts based on object owner information, when this information is available.
    • Quantity: A filter which restricts based upon the number of instances of a match for a single results row in a location. For example, if you selected Quantity from the list of filters, Equals from the list of operators and entered a value of 10, then only those locations with 10 instances of a unique data type would match this rule. (e.g. If the social security number "123-45-6789" or the telephone number "413-555-1234" occurred exactly 10 times in a single location, then it would match this rule.) When using "Quantity" as the filter and Type is set as "A group of results match all of the conditions", a gray plus sign displays to the right of the definition. This plus sign allows for the creation of a horizontal AND group. Within that horizontal group all conditions must be met by a single result to be considered a match.
    • Search User Name: A filter which restricts by selecting specific user name information already collected for existing objects.
    • Search Users: A filter which restricts based upon the user account context under which the search was executed. For User scheduled tasks, this is the user name with which the user logged onto the system. For System scheduled tasks this is SYSTEM for Windows and root for Mac OS. Selectable from a list.
    • Source Endpoint IP Range: A filter which restricts based upon the IP addresses reported to the Console of the endpoint which ran the search.
    • Source Endpoint Tags: A filter which restricts based upon the tags assigned to the endpoint which ran the search. This is a Console-only variable that cannot be processed at the endpoint.
    • Target Endpoint IP Range: A filter which restricts based upon the IP addresses reported to the Console of the endpoint on which the result was found.
    • Target Endpoint Tags: A filter which restricts based upon the tags assigned to the endpoint on which the result was found. This is a Console-only variable that cannot be processed at the endpoint.
    • Task Name: A filter which restricts by the task name as entered in the Add New Task dialog in the Scheduled Tasks section of a policy or "Search Now" for a task executed via the Search button on the ribbon. A search that was executed interactively on the Agent does not have a search name, and though it displays as "User Initiated", it only matches the "Is Empty" operator in a workflow rule. A scheduled task that has been deleted after it has executed but prior to the workflow rules being run displays as <Task Deleted> and only matches the "Is Empty" operator in a workflow rule.
    • Tasks: A filter which restricts based upon the Scheduled Task Name as entered in the Scheduled Tasks section of a policy.
    • Total AnyFind Count: A filter which restricts based upon the total number of AnyFinds. If you select Total AnyFind Count, an additional drop-down displays containing the complete list of AnyFinds from which you may select one.
    • Total Data Types: A filter which restricts based upon the total number of data types.
    • Total Matches: A filter which restricts based upon the total number of matches.
    • Total Unique Matches: A filter which restricts based upon the total number of unique matches.
  • The list of operators differs depending on the filter that is selected. The complete list of available operators is:
    • Equals
    • Does Not Equal
    • Contains
    • Does Not Contain
    • Begins With
    • Does Not Begin With
    • Ends With
    • Does Not End With
    • Greater Than Or Equals
    • Greater Than
    • Less Than Or Equals
    • Less Than
    • Is Empty
    • Is Not Empty
  • Value field: Specify the value to be used to qualify the data. For example, if you selected Total Matches from the list of filters, Equals from the list of operators and entered a value of 10, then only those locations with 10 total matches would match this rule.

To add additional filters, click the gray split button on the right or the green plus button above the current group.

To remove a filter, click the gray X to the left of the filter name.

After you add, edit or remove a definition you must either click the Finish button to save your changes or Cancel button to discard your changes. If you try to select another classification or rule without clicking the Finish or Cancel button, you are prompted with a confirmation dialog that reads, "Do you want to save the current rule?" Select Yes to save your changes, No to discard them or Cancel to return to the rule.
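
The Scope, Type and Totals settings described above change which results a rule sees, so the following Python model (an added example, not the product's code) evaluates the same constructed results under each setting. It assumes a total is the sum of per-row quantities and that a "group" match lets different rows in a location satisfy different conditions; the row fields and function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample rows: one dict per result row reported for a search.
RESULTS = [
    {"location": "hr.xlsx", "data_type": "SSN", "quantity": 4},
    {"location": "hr.xlsx", "data_type": "CCN", "quantity": 1},
    {"location": "pay.pdf", "data_type": "SSN", "quantity": 1},
    {"location": "pay.pdf", "data_type": "CCN", "quantity": 3},
    {"location": "notes.txt", "data_type": "SSN", "quantity": 2},
]

def groups(results, scope):
    """Scope 'location' evaluates each location alone; 'search' pools every row."""
    if scope == "search":
        return {"<entire search>": list(results)}
    by_loc = defaultdict(list)
    for row in results:
        by_loc[row["location"]].append(row)
    return dict(by_loc)

def evaluate(results, scope, match_type, row_conditions, min_total):
    """Return {group: total} for each group where the modelled rule applies.
    row_conditions are AND-linked predicates; the total must exceed min_total.
    """
    hits = {}
    for name, rows in groups(results, scope).items():
        if match_type == "single":
            # One row must satisfy every condition; totals use only those rows.
            counted = [r for r in rows if all(c(r) for c in row_conditions)]
            matched = bool(counted)
        else:  # "group"
            # Each condition may be met by a different row; totals use all rows.
            matched = all(any(c(r) for r in rows) for c in row_conditions)
            counted = rows
        total = sum(r["quantity"] for r in counted)
        if matched and total > min_total:
            hits[name] = total
    return hits

def is_ssn(row):
    return row["data_type"] == "SSN"

def qty_over_2(row):
    return row["quantity"] > 2

if __name__ == "__main__":
    print(evaluate(RESULTS, "search", "group", [], 8))
```

With a threshold of 8 the rule fires only under Search scope, and switching Type from "single" to "group" both adds pay.pdf as a match and changes the total reported for hr.xlsx.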