From the drop-down list, select one of the following comparison types: equals, contains, starts with, ends with, less than, greater than, between, is malicious, not equals, not contains, not starts with, not ends with, not between, link to, is constant, or is variable.
Note: When you provide more than one value for an equals comparison, the values are treated as a list of possible values, and the action is accepted if any one value in the list matches. The same holds true for the contains, starts with, ends with, less than, greater than, and between comparisons.
When you provide more than one value for a not equals comparison, the condition must hold true for every value provided for the action to be accepted. The same holds true for the not contains, not starts with, not ends with, and not between comparisons.
The less than, greater than, between, and not between conditions apply only to IP, port number, and privilege fields.
Port range is between 0 and 65535.
Privilege range is between 1 and 15.
The link to comparison type checks the value of the selected field against the value of a field in another action belonging to the same rule. For instance, if the Device type field of Action 1 is linked to Action 2's Device type value, Action 1 is triggered only if the values of both linked fields are the same.
When you choose link to, an icon appears at the end of the filter. Clicking the icon opens a new tab.
Select the check box corresponding to the field of the second action against which you want to compare the value of the previous action. Click OK to complete linking the two actions.
Note: Using the link to condition, you cannot link a field to another one having the is variable condition.
The 'is constant' condition is used to treat a field as a constant. When you select this condition, the action is triggered when the field's value remains constant in all the iterations. For instance, if the is constant condition is applied to the 'Target User' field in an action, the action is triggered when the value of this field is the same in all iterations. The action is not triggered if events are generated with different values for that field.
The 'is variable' condition is used to treat a field as a variable. When you select this condition, this action will get triggered when the field's value keeps changing each time it is checked. For instance, if the is variable condition is applied for the 'Target User' field in an action, the action would get triggered when the value of the field is different in each iteration.
Note: A field having the is variable condition cannot be linked to another one using the link to condition.
The 'is malicious' condition is available only for IP address fields. It can be used to check if the detected IP address is present in the predefined list of malicious IP addresses that the product has stored in the internal database.
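The multi-value, range, link to, is constant, and is variable rules described above can be modeled in a few lines. This is an added example, not the product's own code; the function names, the sample events, the inclusive bounds for between, and the "no value repeats" reading of is variable are assumptions.

```python
# Added illustration of the documented filter semantics; not the product's code.
# All function names and the sample events are assumptions made for this example.
POSITIVE = {
    "equals": lambda field, v: field == v,
    "contains": lambda field, v: v in field,
    "starts with": lambda field, v: field.startswith(v),
    "ends with": lambda field, v: field.endswith(v),
}
RANGES = {"port": (0, 65535), "privilege": (1, 15)}  # limits stated in the text


def matches(comparison, field, values):
    """Positive comparison: any listed value may match (OR).
    Negated comparison: the condition must hold for every listed value (AND)."""
    negated = comparison.startswith("not ")
    test = POSITIVE[comparison[4:] if negated else comparison]
    hit = any(test(field, v) for v in values)
    return not hit if negated else hit


def between(kind, value, low, high, negated=False):
    """Range check for port or privilege fields; inclusive bounds are assumed."""
    lo, hi = RANGES[kind]
    if not lo <= low <= high <= hi:
        raise ValueError(f"{kind} bounds must lie within {lo}-{hi}")
    return (low <= value <= high) != negated


def is_constant(iterations):
    """True when the field held one value across all iterations."""
    return len(set(iterations)) == 1


def is_variable(iterations):
    """True when no value repeats across iterations (assumed reading of
    'different in each iteration')."""
    return len(set(iterations)) == len(iterations)


def linked(event_a, event_b, field):
    """'link to': both actions must carry the same value for the field."""
    return field in event_a and event_a.get(field) == event_b.get(field)


# Constructed sample data
logon = {"Device type": "Windows", "Target User": "svc-backup"}
share = {"Device type": "Windows", "Target User": "jdoe"}
targets = ["alice", "bob", "alice"]  # neither constant nor variable
```

The constructed `targets` sequence satisfies neither is constant nor is variable, so the two conditions are not complements of each other: a rule that needs to cover mixed sequences requires a different filter.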