The Event Rules page, which you access by choosing on the console menu, includes several sample rules. You can click on the View Details button to open the Event rule details page for any of these rules to see how they are specified.
You also can use them (or any other existing rule) as a template for a new rule. For example, you can modify a rule to ban or analyze files and processes referenced when an event with Carbon Black EDRwatchlist subtype is reported.
In addition to the sample rules shown here, for a sample rule on deleting files, see Automating File Deletion Requests.
Sample Rule: Analyze files from approval requests
This rule sends any file for which an approval request is made to one or more analysis services.
By default, the rule sends files to WildFire, but you can change the rule to send files to any of the analysis services you have configured through the App Control Connector tab on the System Administration page, and can require a result from more than one service. Files that have already been reported by the services you choose are not sent for analysis. For more information about approval requests, see Approval Requests and Justifications. For more information about using App Control Connector to integrate analysis services with Carbon Black App Control, see App Control Connector .
The default properties of this rule are:
- Event Properties: Subtype is Approval request created
- File Properties: Analysis Result: Palo Alto Networks WildFire isUnknown
- Process Properties: None
- Action: Analyze file
- Priority: Medium
- (Analysis Service Choice): Unchecked
Sample Rule: Resolve approval requests for clean files
This rule performs two actions on files submitted in approval requests if they have been analyzed with WildFire and found to be Clean: it locally approves them, and it resolves the related approval request.
If used, this rule must be enabled along with the Analyze files from approval requests rule and ranked after it, so that files are analyzed before their approval requests are resolved.
The default properties of this rule are:
- Event Properties: Subtype is Approval request created
- File Properties: Analysis Result: Palo Alto Networks WildFire isClean
- Process Properties: None
- Action: Change local file state
- Change local state: Approve
- Resolve Related Approval Request: Unchecked
The rule can be modified to take action based on analysis results from multiple connected devices or services; it will be Pending until all of analysis requests have completed.
Sample Rule: Analyze downloaded files
This rule submits certain files downloaded to an Carbon Black App Control-managed computer from a web browser to Palo Alto Networks WildFire for analysis. It excludes files with properties that suggest they must be trusted or that have already been reported by or do not meet the requirements for WildFire analysis. Also, it excludes partially downloaded files.
The default properties of this rule are:
- Event Properties:
- Subtype is New file on network
- Process ends with iexplore.exe or firefox.exe or chrome.exe.
- File Name doesn’t contain .crdownload or .part
- File Properties:
- File Size smaller than 10240000
- File State is not Approved
- File Type is Application
- Analysis Result: Palo Alto Networks WildFire is Unknown
- Process Properties: None
- Action: Analyze file
- Priority: Medium
- (Analysis Service Choice): Unchecked
Sample Rule: Report malicious files
This rule applies a global Report Only ban to all malicious files reported or detected by Carbon Black File Reputation or any of the appliances or services integrated with Carbon Black App Control through the Connector.
The default properties of this rule are:
- Event Properties: Subtype is Malicious file detected.
- File Properties: None
- Process Properties: None
- Action: Change global file state
- Change Global State: Ban (Report only)
- Resolve Related Approval Request: Unchecked
- Create for: All policies
Because this is a Report only rule, it is not necessary to test this in Simulate only mode first.
