Combining logical conditions in investigations
Overview
Because of their strict logical interpretation, conditions may be difficult to get right in some kinds of investigations. Beware especially of literal translations from natural language to logical conditions, because they may lead to unexpected results.
To express what you really mean in an investigation, keep in mind that relations between objects in Nexthink are all related to events in some way. For example, if a device is linked to an application, it is because the application was executed at some point in that device. The system iterates through these relations to return the results of an investigation.
Combining logical AND, OR, and aggregate conditions
Consider a case where you want to get a list of the devices that have executed two different applications (e.g. Internet Explorer and Firefox) within a particular time frame, whose duration is irrelevant to our discussion. You may be tempted to use a logical AND (the default) to combine the conditions of an investigation on devices:
Condition 1: Application name is Internet Explorer
Condition 2: Application name is Firefox
Logical expression: 1 AND 2
If you run this investigation, the list of devices that you get is always empty. The reason is that any relation between a device and an application ultimately relies on executions and no execution may simultaneously satisfy the two conditions: it is either an Internet Explorer execution or a Firefox execution, but not both. When the system iterates through these relations, it discards them all because none is matching the two conditions at the same time, as required by the logical operator AND. Hence the empty result.
To properly state the desired query, keep the same conditions but modify a couple of inputs. First, change the logical expression from AND to OR:
Logical expression: 1 OR 2
In this way, the system keeps the relations that match either the first condition or the second. That is, you get all the devices that executed either Internet Explorer, Firefox, or both; although you are only interested in the last group.
Last, restrict the output to only those devices that executed the two applications. Add the following aggregate condition at the end of the conditions section:
Aggregate condition: Number of applications is 2
If you change your mind afterwards and decide to ask for the devices that executed either Internet Explorer or Firefox, but not both, use the following aggregate condition instead:
Aggregate condition: Number of applications is 1
Although not useful in the example, the logical AND is still the most common operator to combine conditions. Use it when you want to enforce two compatible conditions at the same time. For instance, to know the devices that use Internet Explorer for browsing a particular domain, say www.example.com, create an investigation on devices with the following conditions:
Condition 1: Application name is Internet Explorer
Condition 2: Domain name is www.example.com
Logical expression: 1 AND 2
Negating with an aggregate condition
Consider now the case of getting the list of devices that have not executed Firefox. By translating from natural language, you may wrongly assume that the following condition in an investigation on devices yields the correct result:
Condition: Application name is not Firefox
Instead, this investigation returns all the devices that have executed any application, except for those few devices that have exclusively executed Firefox (probably none, as devices typically execute multiple applications simultaneously). Most likely, the result will thus be the full list of active devices.
The correct way to negate a condition is to first state the condition in a positive way and then negate the statement with an aggregate condition that looks for zero instances. For our example with Firefox, that would be:
Condition: Application name is Firefox
Aggregate condition: Number of applications is 0
This way of negating conditions applies to many types of objects and events, such as executables, binaries, connections, packages, etc.
RELATED REFERENCE
Last updated