Analyze Rules

Analyze Rules define when and why the agent flags an issue during enrollment. Each rule evaluates the events collected during a session and produces a confidence score. If the score reaches the configured threshold, the rule fires and creates a finding that appears in the session timeline and the analysis summary.

How scoring works

Every rule starts with a Base Confidence value (0–100). Confidence Factors are optional conditions that add or subtract points when matched. The final score is compared to the Confidence Threshold. The rule fires only if base + factors ≥ threshold.

Conditions

Conditions define what events or data the rule looks for. All required conditions must match for the rule to proceed to scoring. Optional conditions are used only as confidence factors.

Source: event_type

Checks whether a specific event type was emitted during the session. The most common condition type.

Signal

A label for this condition (e.g., app_failed)

Event Type

The exact event type to look for (e.g., app_install_failed)

Operator

exists — the event occurred at all

Example — detect any app installation failure

Signal: app_failed · Source: event_type · Event Type: app_install_failed · Operator: exists

Source: event_data

Inspects a field inside the data payload of a specific event type. Use this to match on values like error codes or app names.

Operators

  • equals — exact match
  • contains — substring match
  • regex — regular expression match
  • gt / lt / gte / lte — numeric comparisons
  • exists — field is present with any value

Common data fields

  • errorCode — Win32 / HTTP error code
  • appName — application name
  • exitCode — process exit code
  • phase — enrollment phase name

Example — detect error code 0x80070002

Source: event_data · Event Type: app_install_failed · Data Field: errorCode · Operator: equals · Value: 0x80070002

Source: event_count

Checks how many times a specific event type occurred. Use with count_gte or gt to detect repeated failures.

Example — detect 3 or more app failures

Source: event_count · Event Type: app_install_failed · Operator: count_gte · Value: 3

Source: phase_duration

Measures how long a specific enrollment phase took (in seconds). Use with gt or gte to detect phases that run too long.

Example — detect App Installation phase > 1 hour

Source: phase_duration · Data Field: AppsDevice · Operator: gt · Value: 3600

Source: event_correlation

Joins two event types on a shared field within a time window. Useful for detecting causal relationships — e.g., a network error that precedes a download failure.

Extra fields

  • Correlate Event Type — the second event to join with
  • Join Field — field that must match on both events
  • Time Window (s) — max seconds between the two events
  • Event A Filter — optional filter on the first event

Example — network error before download failure

Event Type A: network_error

Correlate Event Type: app_download_failed

Join Field: sessionId

Time Window: 120 seconds

Trigger Types

Single

Evaluates each matching event independently. The rule fires once for every event that satisfies all required conditions.

Correlation

Uses event_correlation conditions to join two event streams. Fires when matching pairs are found within the time window.

Confidence Scoring

The confidence model lets rules express uncertainty. A rule can fire with lower confidence when only partial evidence is present, and higher confidence when multiple corroborating signals align.

Fields

  • baseConfidence: Starting score (0–100) when all required conditions match.
  • confidenceThreshold: Minimum score needed to fire the rule.
  • confidenceFactors: Optional conditions that add or subtract points from the base score when matched.

Tip: Start with baseConfidence: 50 and confidenceThreshold: 40. Add confidence factors for additional signals (e.g., +20 if a specific error code matches, -10 if the app subsequently succeeded).

Example Rules

Example 1 — Repeated App Install Failure

Detect when three or more app installations fail in the same session

Category

apps

Severity

high

Base Confidence

60

Threshold

40

// Condition 1 (required)

source: "event_count" eventType: "app_install_failed" operator: "count_gte" value: "3"

// Confidence Factor (+20 if error code indicates timeout)

signal: "timeout_code" condition: "errorCode contains 0x800704C7" weight: 20

Example 2 — App Installation Phase Too Long

Fire when the Apps (Device) ESP phase exceeds 45 minutes

Category

esp

Severity

warning

Base Confidence

70

Threshold

50

// Condition (required)

source: "phase_duration" dataField: "AppsDevice" operator: "gt" value: "2700"

Example 3 — Network Error Preceding Download Failure

Correlate a network drop with a subsequent app download failure within 2 minutes

Trigger

correlation

Category

network

Base Confidence

75

Threshold

60

// Correlation condition

source: "event_correlation" eventType: "network_error"

correlateEventType: "app_download_failed" joinField: "sessionId" timeWindowSeconds: 120
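The join that an event_correlation condition performs, shown as an added example (not Autopilot Monitor's own code) on a constructed event list. It assumes each event carries a "ts" field in seconds, that event A must precede event B, and that the optional Event A Filter is encoded as an eventAFilter map of field/value pairs.

```python
# Constructed sample events (not real Autopilot Monitor data); "ts" is seconds
# into the session, sessionId is the join field, errorCode values are made up.
EVENTS = [
    {"type": "network_error", "ts": 100, "data": {"sessionId": "S1", "errorCode": "0x80072EE2"}},
    {"type": "app_download_failed", "ts": 190, "data": {"sessionId": "S1", "appName": "Contoso VPN"}},
    {"type": "network_error", "ts": 400, "data": {"sessionId": "S1", "errorCode": "0x80072EFD"}},
    {"type": "app_download_failed", "ts": 700, "data": {"sessionId": "S1", "appName": "Contoso Agent"}},
    {"type": "app_download_failed", "ts": 420, "data": {"sessionId": "S2", "appName": "Other App"}},
]

# Example 3's correlation condition; eventAFilter (not set here) is the optional
# "Event A Filter", assumed to be a map of data field -> required value.
NET_BEFORE_DOWNLOAD = {
    "source": "event_correlation", "eventType": "network_error",
    "correlateEventType": "app_download_failed", "joinField": "sessionId",
    "timeWindowSeconds": 120,
}

def correlate(events, cond):
    """Return (a, b) pairs: a matches eventType (and eventAFilter, if given),
    b matches correlateEventType, both carry the same joinField value, and b
    occurs no more than timeWindowSeconds after a (a is assumed to precede b)."""
    key, window = cond["joinField"], cond["timeWindowSeconds"]
    a_filter = cond.get("eventAFilter", {})
    pairs = []
    for a in (e for e in events if e["type"] == cond["eventType"]):
        if any(a["data"].get(k) != v for k, v in a_filter.items()):
            continue  # event A fails the optional filter
        for b in (e for e in events if e["type"] == cond["correlateEventType"]):
            same_key = a["data"].get(key) is not None and a["data"].get(key) == b["data"].get(key)
            if same_key and 0 <= b["ts"] - a["ts"] <= window:
                pairs.append((a, b))
    return pairs

def correlation_rule_fires(events, rule):
    """Correlation trigger: fires when at least one pair is found and the
    base confidence meets the threshold (Example 3 defines no factors)."""
    pairs = correlate(events, rule["condition"])
    return bool(pairs) and rule["baseConfidence"] >= rule["confidenceThreshold"], len(pairs)

EXAMPLE_3 = {"baseConfidence": 75, "confidenceThreshold": 60, "condition": NET_BEFORE_DOWNLOAD}
```

With the 120-second window only the first network_error / app_download_failed pair qualifies; the 300-second gap and the event from a different session are rejected.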

Example 4 — Specific App Blocked by Disk Space

Detect a download stall caused by low disk space for a named application

Category

apps

Severity

critical

Base Confidence

55

Threshold

40

// Condition 1 — app failure occurred

source: "event_type" eventType: "app_install_failed" operator: "exists"

// Condition 2 — error code is disk-full (0x80070070)

source: "event_data" eventType: "app_install_failed" dataField: "errorCode" operator: "equals" value: "0x80070070"

// Confidence Factor (+30 if disk space event also fired)

signal: "disk_event" condition: "event_type disk_space_low exists" weight: 30
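How the conditions and confidence scoring described above combine, as an added example (not Autopilot Monitor's own code) that evaluates Example 4 against a constructed session. The session shape ({"events": [...], "phaseDurations": {...}}) and the nested encoding of the confidence factor's condition are assumptions for this example.

```python
import re
# Constructed sample session (not real Autopilot Monitor output); the shape is assumed.
SESSION = {
    "events": [
        {"type": "app_install_failed", "data": {"appName": "Contoso VPN", "errorCode": "0x80070070"}},
        {"type": "disk_space_low", "data": {"freeMB": 120}},
    ],
    "phaseDurations": {"AppsDevice": 2900},  # seconds spent in each ESP phase
}

# Example 4 from the page as structured data; the factor's condition is nested (assumed encoding).
DISK_FULL_RULE = {
    "baseConfidence": 55, "confidenceThreshold": 40,
    "conditions": [
        {"source": "event_type", "eventType": "app_install_failed", "operator": "exists"},
        {"source": "event_data", "eventType": "app_install_failed",
         "dataField": "errorCode", "operator": "equals", "value": "0x80070070"},
    ],
    "confidenceFactors": [{"signal": "disk_event", "weight": 30, "condition":
        {"source": "event_type", "eventType": "disk_space_low", "operator": "exists"}}],
}

def compare(op, actual, expected):  # operators for event_data and phase_duration
    if op == "exists": return actual is not None
    if actual is None: return False
    if op == "equals": return str(actual) == str(expected)
    if op == "contains": return str(expected) in str(actual)
    if op == "regex": return re.search(str(expected), str(actual)) is not None
    a, b = float(actual), float(expected)
    return {"gt": a > b, "lt": a < b, "gte": a >= b, "lte": a <= b}[op]
def condition_matches(cond, session):  # evaluate one condition against the session
    src, op = cond["source"], cond["operator"]
    if src == "phase_duration":
        return compare(op, session["phaseDurations"].get(cond["dataField"]), cond["value"])
    evs = [e for e in session["events"] if e["type"] == cond["eventType"]]
    if src == "event_type": return bool(evs)
    if src == "event_count":
        n, v = len(evs), int(cond["value"])
        return n >= v if op == "count_gte" else n > v
    if src == "event_data":
        return any(compare(op, e["data"].get(cond["dataField"]), cond.get("value")) for e in evs)
    raise ValueError(f"unknown source: {src}")
def score_rule(rule, session):  # required conditions gate scoring, factors adjust it
    if not all(condition_matches(c, session) for c in rule["conditions"]):
        return False, 0
    score = rule["baseConfidence"] + sum(f["weight"] for f in rule.get("confidenceFactors", [])
                                         if condition_matches(f["condition"], session))
    score = max(0, min(100, score))  # clamp to the 0-100 confidence range
    return score >= rule["confidenceThreshold"], score
```

Against the sample session both required conditions hold and the disk_space_low factor adds 30, so the rule fires at 85; without the disk event it still fires at the base 55, and a different error code stops it before scoring.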

JSON editing

The Analyze Rules editor supports a JSON mode accessible via the Form / JSON toggle in the top-right of the create and edit panels. Use JSON mode to author complex rules with multiple conditions, confidence factors, remediation steps, and event_correlation properties that go beyond what the form UI exposes.

Autopilot Monitor v1.0.0