Evaluate a Policy
Policy evaluation is the process of checking your assets against the rulesets defined in a policy. This page explains how evaluation works, how to trigger it, and how to interpret the results.
Automatic Evaluation
AttackLens evaluates policies automatically when:
- New inventory data is collected by a sensor or discovery adapter
- A policy is activated or modified
- A ruleset referenced by the policy is updated
- The feed delivers updated built-in rulesets
INFO
Automatic evaluation runs as part of the posture evaluation pipeline. There is no need to manually trigger evaluation in most workflows.
Evaluation Process
When a policy is evaluated against an asset, AttackLens follows this process:
1. Prerequisite Check
The policy's prerequisites are checked against the asset's inventory data. If any prerequisite fails, the entire policy is skipped for that asset.
2. Section Traversal
AttackLens traverses the policy's section tree and identifies all rulesets assigned to each section.
3. Ruleset Evaluation
For each ruleset in the policy:
- Ruleset prerequisites are checked (e.g., "requires OpenSSH installed")
- Applicability conditions are verified (e.g., "only applies to Windows servers")
- Checks are executed against the asset's inventory data
- The ruleset produces a result: Pass, Fail, or Error
4. Finding Creation
A finding is created or updated for each asset-ruleset combination. The finding records:
- The evaluation result (Pass, Fail, Error)
- The evaluation timestamp
- The actor (System or User)
- A reason explaining why the check passed or failed
5. Posture Score Calculation
AttackLens calculates a posture score for each asset against the policy:
Posture Score = (Passed Rules / Total Rules) x 100
The overall policy posture score is the aggregate across all targeted assets.
Understanding Evaluation Results
| Result | Meaning |
|---|---|
| Pass | The asset satisfies the ruleset's requirements |
| Fail | The asset does not meet the ruleset's requirements |
| Error | The ruleset could not be evaluated (e.g., missing inventory data, evaluation exception) |
Evaluation Actors
| Actor | Description |
|---|---|
| System | The evaluation was performed automatically by the posture evaluation pipeline |
| User | The finding result was manually overridden by a user |
Viewing Evaluation Results
From the Policy Detail Page
- Navigate to Policies and click on a policy
- Select the Status tab
- View the overall posture score, pass/fail/error counts, and per-asset breakdown
From the Findings Page
- Navigate to Findings in the left menu
- Filter by the specific policy name
- View individual findings with their evaluation history
From the Asset Detail Page
- Navigate to Assets and click on an asset
- View the Policy Status section to see all policies evaluated against this asset
Evaluation Metrics
The policy status page displays the following metrics:
| Metric | Description |
|---|---|
| Total Assets | Number of assets evaluated by this policy |
| Overall Posture | Aggregate compliance percentage across all assets |
| Total Rules | Number of ruleset checks in the policy |
| Total Scans | Total number of evaluation runs across all assets |
| Passed Rules | Count of rules that passed across all assets |
| Failed Rules | Count of rules that failed across all assets |
| Error Rules | Count of rules that encountered errors |
| Overrides Applied | Number of findings with manual result overrides |
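The following added example (not AttackLens code) applies the posture score formula and the metric definitions above to a constructed set of findings, and shows how Error results pull a score down without indicating non-compliance. Assumptions: Error results count toward Total Rules as the formula is written, the overall posture pools rule results across assets, and all asset and ruleset names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed findings, one per asset-ruleset combination:
# (asset, ruleset, result, actor). All names are hypothetical.
FINDINGS = [
    ("web-01", "ssh-hardening", "Pass", "System"),
    ("web-01", "tls-config", "Pass", "System"),
    ("web-01", "password-policy", "Fail", "System"),
    ("web-01", "audit-logging", "Pass", "System"),
    ("db-01", "ssh-hardening", "Pass", "System"),
    ("db-01", "tls-config", "Error", "System"),
    ("db-01", "password-policy", "Error", "System"),
    ("db-01", "audit-logging", "Fail", "System"),
    ("win-01", "password-policy", "Pass", "User"),  # manual override
    ("win-01", "audit-logging", "Pass", "System"),
]

def pct(passed, total):
    """Posture Score = (Passed Rules / Total Rules) x 100; None if nothing to score."""
    return round(100 * passed / total, 1) if total else None

def summarize(findings):
    """Return per-asset scores plus the policy-wide counters from the metrics table."""
    per_asset = defaultdict(Counter)
    overrides = 0
    for asset, _ruleset, result, actor in findings:
        if result not in ("Pass", "Fail", "Error"):
            raise ValueError(f"unknown result {result!r} for {asset}")
        per_asset[asset][result] += 1
        overrides += actor == "User"  # actor User marks an overridden finding
    totals = sum(per_asset.values(), Counter())
    assets = {}
    for asset, c in per_asset.items():
        total = sum(c.values())
        assets[asset] = {
            "score": pct(c["Pass"], total),
            # Diagnostic only (not an AttackLens metric): score over rules that
            # were actually evaluated, to separate Error from real Fail results.
            "score_evaluated_only": pct(c["Pass"], total - c["Error"]),
            "errors": c["Error"],
        }
    return {
        "assets": assets,
        # Assumption: the aggregate pools rule results across all assets.
        "overall_posture": pct(totals["Pass"], sum(totals.values())),
        "passed": totals["Pass"], "failed": totals["Fail"],
        "errors": totals["Error"], "overrides_applied": overrides,
    }

if __name__ == "__main__":
    for name, row in summarize(FINDINGS)["assets"].items():
        print(name, row)
```

A large gap between `score` and `score_evaluated_only` on an asset points to missing inventory data or evaluation exceptions rather than failed checks.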
Posture Trend
The policy status page includes a Posture Trend chart that shows how the policy's compliance score has changed over time. You can view trends for the last 7, 30, 90, or 180 days.
TIP
A declining posture trend may indicate new assets being added without proper configuration, or changes in the environment that introduce non-compliance. Investigate failing assets promptly.
Related Pages
- Policy Status: Detailed breakdown of the status dashboard
- Understanding Findings: Learn about evaluation results
- View Findings: Browse and filter all findings