How to associate conditionid with policy via SQL query

Article ID: 214940

Products

Data Loss Prevention Enforce
Data Loss Prevention Endpoint Prevent
Data Loss Prevention Network Discover
Data Loss Prevention Network Protect
Data Loss Prevention Network Monitor and Prevent for Email
Data Loss Prevention Endpoint Suite

Issue/Introduction

You've noticed a detection issue (performance, false positives, false negatives, etc.). The relevant logs point to a specific condition by its condition ID, and you need to find the name of that condition and the policy it is associated with.

Cause

When problematic conditions show up in the logs, there is no reference to the policy that condition is a part of, nor the name of the condition itself. 

Resolution

You can run the following SQL query to list the policy and condition names, as well as their associated IDs. Simply replace <list of condition ids> with a comma-separated list of the conditionids found to be causing issues.

select 
    p.policyid
    , p.name "PolicyName"
    , dr.name "RuleName"    
    , dr.toplevelconditionid
    , cv.conditionid
    , cv.name "ConditionName"
    , cv.type 
from policy p
join detectionrule dr
    on p.policyid = dr.policyid
join conditiondetectionrule cdr
    on dr.toplevelconditionid = cdr.toplevelconditionid
join conditionview cv
    on cdr.conditionid = cv.conditionid
where cdr.conditionid in (<list of condition ids>);
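
One way to carry out the substitution step without pasting stray log text into the statement, as an added example (not part of the original article or the product): a small Python helper that accepts condition IDs copied from logs, rejects anything that is not a plain integer, removes duplicates, and fills them into the query above. The function names and the sample IDs are assumptions made for illustration.

```python
import re

# The query from this article, with a slot for the validated ID list.
QUERY_TEMPLATE = """select
    p.policyid
    , p.name "PolicyName"
    , dr.name "RuleName"
    , dr.toplevelconditionid
    , cv.conditionid
    , cv.name "ConditionName"
    , cv.type
from policy p
join detectionrule dr
    on p.policyid = dr.policyid
join conditiondetectionrule cdr
    on dr.toplevelconditionid = cdr.toplevelconditionid
join conditionview cv
    on cdr.conditionid = cv.conditionid
where cdr.conditionid in ({ids});"""


def parse_condition_ids(raw):
    """Split on commas/whitespace, accept only unsigned integers, dedupe in order."""
    ids = []
    for token in re.split(r"[,\s]+", raw.strip()):
        if not token:
            continue
        # Anything other than ASCII digits is refused rather than passed to SQL.
        if not re.fullmatch(r"[0-9]+", token):
            raise ValueError(f"not a numeric condition id: {token!r}")
        value = int(token)
        if value not in ids:
            ids.append(value)
    if not ids:
        raise ValueError("no condition ids supplied")
    return ids


def build_query(raw):
    """Return the article's query with the validated IDs substituted in."""
    ids = parse_condition_ids(raw)
    return QUERY_TEMPLATE.format(ids=", ".join(str(i) for i in ids))


if __name__ == "__main__":
    # Constructed sample IDs, as they might be copied out of a log excerpt.
    print(build_query("1042, 1187\n1042 2210"))
```
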