Use cases and sample payloads

The examples below assume the default action is to ACCEPT an audit and that you want to discard audits only conditionally; they show the rule payload for some common use-case scenarios. Because a DISCARD rule drops matching audit entries, scope each rule as narrowly as possible and check it against your retention and compliance requirements—broad rules (a `*` wildcard in `typeName`, `_ALL_ENTITY_TYPES`, or `includeSubTypes`) can silently suppress events you may later need for an investigation. The samples all reuse `"ruleName":"test_rule_1"` for brevity; give each real rule a distinct, descriptive name so it can be identified when the rule set is reviewed.

Discard temporary and test hive_table audits (nested rules example). Note that this rule matches `hive_table` entities whose `temporary` attribute equals the string `"false"` AND whose `name` OR `qualifiedName` equals `tmp`; attribute values are given as strings, so adjust them to your own naming conventions.

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive_table",
         "condition":"AND",
         "criterion":[
            {
               "operator":"==",
               "attributeName":"temporary",
               "attributeValue":"false"
            },
            {
               "condition":"OR",
               "criterion":[
                  {
                     "operator":"==",
                     "attributeName":"name",
                     "attributeValue":"tmp"
                  },
                  {
                     "operator":"==",
                     "attributeName":"qualifiedName",
                     "attributeValue":"tmp"
                  }
               ]
            }
         ]
      }
   ]
}

Discard all audits for a single entity type (no criterion—every audit of the type is discarded)

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive_table"
      }
   ]
}

Discard all ENTITY_UPDATE audits for all entity types (`_ALL_ENTITY_TYPES`)

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"_ALL_ENTITY_TYPES",
         "operator":"==",
         "attributeName":"operationType",
         "attributeValue":"ENTITY_UPDATE"
      }
   ]
}

Discard all CLASSIFICATION_ADD audits for all entity types (`_ALL_ENTITY_TYPES`)

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"_ALL_ENTITY_TYPES",
         "operator":"==",
         "attributeName":"operationType",
         "attributeValue":"CLASSIFICATION_ADD"
      }
   ]
}

Discard audits of a specific operation type for a specific entity type, filtered by an attribute value (here, ENTITY_UPDATE audits for the `hive_table` named `employee`)

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive_table",
         "condition":"AND",
         "criterion":[
            {
               "operator":"==",
               "attributeName":"operationType",
               "attributeValue":"ENTITY_UPDATE"
            },
            {
               "operator":"==",
               "attributeName":"name",
               "attributeValue":"employee"
            }
         ]
      }
   ]
}

Discard audits for all types belonging to a hook (`typeName` supports pattern matching with the wildcard character `*`, e.g. `hive*`)

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive*",
         "operator":"==",
         "attributeName":"operationType",
         "attributeValue":"CLASSIFICATION_ADD"
      }
   ]
}

Discard all audits of a type and its subtypes (`"includeSubTypes":true`)

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"Asset",
         "includeSubTypes":true
      }
   ]
}

A comma-separated list of type names is supported in `typeName` (the example applies one `contains` criterion to both `hive_table` and `hbase_table`)

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive_table,hbase_table",
         "attributeName":"name",
         "operator":"contains",
         "attributeValue":"test1"
      }
   ]
}