articles/sentinel/automate-incident-handling-with-automation-rules.md
Lines changed: 6 additions & 3 deletions
@@ -119,9 +119,12 @@ An incident property's value was
119
119
120
120
#### Items vs. collections
121
121
122
-
For incident properties that are collections of items, such as tags—an incident can have multiple tags applied to it—you can define conditions that check **each item in the collection separately**, and conditions that check **the entire collection as a unit**.
122
+
For incident properties that are collections of items, such as tags—an incident can have multiple tags applied to it—you can define conditions that check **each item in the collection individually**, and conditions that check **the entire collection as a unit**.
123
123
124
-
This distinction matters when your condition is a negative (does not equal, does not contain, and so on), and some items in the collection fulfill the condition and others don't.
124
+
-**Any individual item** operators check the condition against every item in the collection. The evaluation is *true* when *at least one item* satisfies the condition.
125
+
-**Collection of all items** operators check the condition against the collection of items as a single unit. The evaluation is *true* only if *the collection as a whole* satisfies the condition.
126
+
127
+
This distinction matters when your condition is a negative (does not equal, does not contain, and so on), and some items in the collection satisfy the condition and others don't.
125
128
126
129
Let's look at an example where your condition is, **Tag does not contain "2024"**, and you have two incidents, each with two tags:
127
130
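Review bot: the new "Collection of all items" bullet is circular: it says the evaluation is true "only if the collection as a whole satisfies the condition" without saying what that means when the items disagree, which is exactly the case the next paragraph says matters. The Incident 1 example further down treats one tag that contains "2024" as enough to make the whole-collection check false, so consider stating that here, for example that for a negative condition the result is true only when no item in the collection contains the value. Separately, both added bullets appear as "-**Any individual item**" and "-**Collection of all items**" with no space after the hyphen; if that is how they are in the file, they will not render as list items.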
@@ -132,7 +135,7 @@ Let's look at an example where your condition is, **Tag does not contain "2024"*
132
135
133
136
In this example, in *Incident 1*:
134
137
- If the condition checks each tag individually, then since there's at least one tag that *fulfills the condition* (that *doesn't* contain "2024"), the overall condition is **true**.
135
-
- If the condition checks the entire collection as a unit, then since there's at least one tag that *doesn't fulfill the condition* (that *does* contain "2024"), the overall condition is **false**.
138
+
- If the condition checks all the tags in the incident as a single unit, then since there's at least one tag that *doesn't fulfill the condition* (that *does* contain "2024"), the overall condition is **false**.
136
139
137
140
In *Incident 2*, the outcome will be the same, regardless of which type of condition is defined.
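Review bot: the two Incident 1 bullets are no longer a parallel pair, and neither uses the operator names this commit introduces. The unchanged first bullet still says "checks each tag individually" while the changed second bullet now says "checks all the tags in the incident as a single unit"; consider naming "Any individual item" and "Collection of all items" in the respective bullets so a reader can map the example back to the definitions. Both bullets also keep "fulfills the condition" / "doesn't fulfill the condition" although the paragraph above was changed to "satisfy"; pick one verb and use it throughout.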