Best practices for condition sets
For certain scenarios, some best practices are recommended for the Operator and Matches fields in a policy condition set.
Scenario: use of "any of" in negative operator cases
In this example, "not equal to" and "does not contain" applied to a set of IP addresses evaluate to true under "any of" even when the alert property value matches one of the values in the set. Think of "any of" for these negative operators as reading "any one of": the per-value results are OR'd together, so a single true outweighs every false, and the set no longer excludes anything reliably. For this reason, use "all of" instead, which AND's the per-value results and therefore behaves as a definitive exclusion list.
In the following example, the policy evaluates true for an alert with resource.ipAddress of 9.8.9.8 or 8.9.8.9.
Scenario: use of "equal to" and "contains" for properties in alert.details or alert custom properties that have undefined values
A policy condition can behave inconsistently when the properties it references in alert.details or alert custom properties have undefined values:
- If the alert has neither custompropA nor custompropB, "equal to" evaluates to True.
- If the alert has neither custompropA nor custompropB, "contains" evaluates to False.
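Modelling the two scenarios above in code makes the evaluation order visible. The following Python is an added example, not the product's own policy engine: it assumes an alert is a flat dict of property names to values, that a missing key is an undefined property, and that the undefined-value scenario compares custompropA against custompropB; how "does not contain" treats an undefined value is also this model's assumption, since the page only states the result for "contains". The block covers both the "any of" versus "all of" exclusion-list scenario and the undefined-value scenario.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Union

# Hypothetical alert shape: a flat dict of property name -> value.
# A missing key stands for an undefined property.
Alert = Dict[str, Any]


@dataclass(frozen=True)
class PropertyRef:
    """Right-hand value that refers to another alert property (assumption:
    the undefined-value scenario compares custompropA against custompropB)."""
    name: str


Value = Union[str, PropertyRef]


def resolve(alert: Alert, value: Value) -> Optional[str]:
    """Literal values pass through; property references are looked up."""
    if isinstance(value, PropertyRef):
        return alert.get(value.name)
    return value


def apply_operator(op: str, actual: Optional[str], expected: Optional[str]) -> bool:
    """Evaluate one operator against one value."""
    if op == "equal to":
        # Two undefined properties compare equal (None == None): the
        # surprising True the page describes.
        return actual == expected
    if op == "not equal to":
        return actual != expected
    if op in ("contains", "does not contain"):
        # With no defined value there is nothing to search, so "contains" is
        # False as documented; treating "does not contain" the same way is
        # an assumption of this model.
        if actual is None or expected is None:
            return False
        return (expected in actual) == (op == "contains")
    raise ValueError(f"unsupported operator: {op}")


def evaluate(alert: Alert, prop: str, op: str, matches: str, values: List[Value]) -> bool:
    """Combine per-value results: "any of" ORs them, "all of" ANDs them."""
    actual = alert.get(prop)
    results = [apply_operator(op, actual, resolve(alert, v)) for v in values]
    if matches == "any of":
        return any(results)
    if matches == "all of":
        return all(results)
    raise ValueError(f"unsupported matches: {matches}")


EXCLUDED_IPS = ["9.8.9.8", "8.9.8.9"]  # the page's example set


def exclusion_outcomes(ip: str) -> Dict[str, bool]:
    """Show why "any of" fails as an exclusion list and "all of" works."""
    alert = {"resource.ipAddress": ip}  # constructed sample alert
    return {
        "any of": evaluate(alert, "resource.ipAddress", "not equal to", "any of", EXCLUDED_IPS),
        "all of": evaluate(alert, "resource.ipAddress", "not equal to", "all of", EXCLUDED_IPS),
    }


def undefined_outcomes() -> Dict[str, bool]:
    """Compare custompropA to custompropB when the alert defines neither."""
    alert = {"id": "alert-1"}  # constructed: no custompropA, no custompropB
    ref = [PropertyRef("custompropB")]
    return {
        "equal to": evaluate(alert, "custompropA", "equal to", "any of", ref),
        "contains": evaluate(alert, "custompropA", "contains", "any of", ref),
    }


if __name__ == "__main__":
    for ip in ("9.8.9.8", "8.9.8.9", "1.2.3.4"):
        print(ip, exclusion_outcomes(ip))
    print("undefined", undefined_outcomes())
```

For an alert at 9.8.9.8, "not equal to 9.8.9.8" is false but "not equal to 8.9.8.9" is true, so "any of" ORs those into true and the excluded address still triggers the policy; "all of" ANDs them into false, which is the exclusion behaviour the page recommends. The second function reproduces the undefined-value inconsistency: "equal to" returns True because two missing properties compare equal, while "contains" returns False because there is no value to search.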
Scenario: looking for unassigned owners
If you need a policy condition to search for unassigned owners or teams, the "is empty" operator does not work with the alert.owner or alert.team properties. Use the "equal to" operator instead, with the Matches field set to "only", and enter a minus sign (-) as the value.