When you create a Monitor, you define the expected results for each Action that is run. You can configure the Actions so they match the pass/fail definitions assigned by your Validation Platform Admins, or you can tailor the definitions. Since Monitors are used to notify you when environmental drift issues occur, most organizations choose to define Action-specific pass/fail requirements, as described in the following list.
- Expected Blocked*: Yes or No
- Expected Detected*: Yes or No
- Required Events: (Optional) One or more selected events that must be present when the Monitor is run. Any event listed is an event that was generated when the Action was run. If the Action has never been run, no events are listed.

NOTE: When Expected Detected is Yes but you do not select specific events, the Action is marked as passed as long as one event fires.

NOTE: Expected Blocked and Expected Detected both have a third value: Does Not Matter. This option cannot be used by both fields at the same time, because it tells the platform to ignore the value of the field and not count it towards the Monitor's pass/fail status.
As an example, your instance of the Validation Platform is configured with the default pass/fail definition, so all Actions are marked as Passed if they are either blocked or detected. However, you know your security controls block and detect Bartalex, so you configure the Monitor to require both blocked and detected. You also know that one of your controls always fires specific Events when Bartalex is seen, so you mark those as a requirement for the Monitor to pass as well.
IMPORTANT: The pass/fail status of a Monitor is not finalized until after the events detection window has completed. This is configured in the platform's Advanced Settings. The time should match or exceed the query time of your integrations.
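The rules above can be modeled in a few lines to see why Action-specific requirements catch drift that the default definition hides. This is an added illustration, not the platform's own code: the function names, the "Pending" label, the event name and the choice to apply Required Events only when Expected Detected is Yes are assumptions.

```python
from datetime import datetime, timedelta, timezone

YES, NO, ANY = "Yes", "No", "Does Not Matter"  # the three field values

def default_definition(blocked, fired_events):
    """Default definition in the example: Passed if blocked or detected."""
    return "Passed" if blocked or fired_events else "Failed"

def evaluate_action(expect_blocked, expect_detected, required_events,
                    blocked, fired_events, run_at, window, now):
    """Model of one Action's Monitor status: Pending, Passed or Failed."""
    if expect_blocked == ANY and expect_detected == ANY:
        raise ValueError("Does Not Matter cannot be used by both fields")
    if now < run_at + window:
        return "Pending"  # assumed label: not final until the window completes
    fired, required = set(fired_events), set(required_events)
    checks = []
    if expect_blocked != ANY:  # ANY: field ignored, not counted
        checks.append(blocked == (expect_blocked == YES))
    if expect_detected == YES:
        # No events selected: any one event passes. Otherwise all selected
        # events must be present (assumption: they apply only when Yes).
        checks.append(required <= fired if required else bool(fired))
    elif expect_detected == NO:
        checks.append(not fired)
    return "Passed" if all(checks) else "Failed"

if __name__ == "__main__":
    # Constructed scenario: the control still blocks Bartalex but its events
    # stopped arriving (drift). Event names are made up.
    run_at = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    window = timedelta(minutes=30)
    args = (YES, YES, ["av-bartalex-alert"], True, [], run_at, window)
    print("default definition:", default_definition(True, []))
    print("during window:     ", evaluate_action(*args, run_at + timedelta(minutes=5)))
    print("after window:      ", evaluate_action(*args, run_at + timedelta(hours=1)))
```

In the constructed scenario the default definition still reports Passed because the Action was blocked, while the Monitor reports Failed once the window closes because the required event never arrived.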