Skip to main content

Modify Predicate

Modifies (patches without overwriting) a single predicate by its unique ID.

Basic Parameters

ParameterDescription
PredicateThe attributes of the predicate to overwrite. Provide only the attributes that need to be changed.For instance:
{  "status": "active"}
Predicate IDPredicate's unique ID (uuid).

Advanced Parameters

ParameterDescription
ConsistencyReturn when data is ready for read or query.
Correlation IDID to correlate multiple requests.
TimeoutTime to wait before consistency=query throws.
Transaction IDID for a transaction.

Example Output

{
"_status": {
"status": 0,
"code": "string"
},
"_meta": {
"stats": {
"offset": 0,
"limit": 0,
"total": 0
},
"origin": {}
},
"definition": {
"$and": [
{
"$stringStartsWith": {
"message.kind": {
"$value": "email",
"$assignIfTrue": [
{
"$dstIndex": "condition.RoyalMessage.methodEmail",
"$srcMode": "const",
"$srcParam": true
}
],
"$assignIfFalse": [
{
"$dstIndex": "condition.RoyalMessage.methodEmail",
"$srcMode": "const",
"$srcParam": false
}
]
}
}
},
{
"$stringMatch": {
"message.sender.email": {
"$value": "@proofpoint[^\\.]*",
"$assignIfTrue": [
{
"$dstIndex": "condition.RoyalMessage.emailHit",
"$srcMode": "match"
},
{
"$dstIndex": "condition.RoyalMessage.emailHitFirst",
"$srcMode": "first"
},
{
"$dstIndex": "condition.RoyalMessage.emailHitLast",
"$srcMode": "last"
},
{
"$dstIndex": "condition.RoyalMessage.emailHitRange",
"$srcMode": "array",
"$srcParam": [
{
"$srcMode": "first"
},
{
"$srcMode": "last"
}
]
}
],
"$assignIfFalse": [
{
"$dstIndex": "condition.RoyalMessage.emailMiss",
"$srcMode": "param",
"srcParam": "message.sender.email"
}
]
}
}
},
{
"$stringBetween": {
"message.sender.displayName": [
"king",
"queen"
],
"$assignIfTrue": [
{
"$dstIndex": "condition.RoyalMessage.title",
"$srcMode": "param",
"$srcParam": "message.sender.displayName"
}
]
}
}
]
},
"details": {
"name": "USA Part Codes",
"description": "Two-letter codes of all USA parts including states, territories and the DC",
"meta": {}
},
"alias": "USA_PART_CODES",
"iver": 319,
"kind": "it:predicate:custom:match",
"purposes": [
"it:purpose:detection:rule:condition",
"it:purpose:endpoint:policy:match",
"it:purpose:exploration:search:filter",
"it:purpose:authorization:abac:condition"
],
"sver": "1.2.3",
"createdAt": "2018-04-12T16:36:51.700Z",
"createdBy": {
"principal": {
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
},
"clients": [
{
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
}
]
},
"updatedAt": "2018-04-12T16:36:51.700Z",
"updatedBy": {
"principal": {
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
},
"clients": [
{
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
}
]
},
"tenant": 123456789,
"extent": "tenant",
"status": "active",
"risk": {
"default": {}
},
"tags": [
"rules",
"windows",
"agent"
],
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
}

Workflow Library Example

Modify Predicate with Proofpoint Itm and Send Results Via Email

Workflow LibraryPreview this Workflow on desktop