You can create an Expert rule and apply it to operations with a specific tag.
Procedure
- Navigate to the table page for the type of rule you want to create (Custom, Memory or Registry).
- Click Add Rule and provide a name for the rule.
- If the rule name does not contain the tags you intend to use, include them in the Description field.
Although you cannot add a column on the rules table pages, you can display the description. It helps in pairing the rule that creates a particular tag with a rule that uses that tag to identify matching operations.
- Select Expert as the rule type (for Custom rules) or click On in the Expert Mode radio button field (for Memory and Registry rules).
- In the Operations list, select the operations that must trigger the rule.
- In the Actions list, select the action to perform when an operation matches the rule.
Note: You do not need to use one of the actions from the Tagging Actions column, unless you are using one tag to create another one.
- Enter the names of the tags you want to match in the appropriate fields.
| Option | Description |
| --- | --- |
| Process Tag(s) | Enter tags here if you want to apply this rule when the process that initiates an operation has a matching tag. |
| Target Tag(s) | Enter tags here if you want to apply this rule when the process, file, or registry key that is the target of an operation has a matching tag. |
| Global Tag(s) | Enter tags here if you want to apply this rule when the 'global system' on which the operation is being performed has a matching tag. This is equivalent to the computer on which the operation is performed. |
| Global Tag Exceptions(s) | Enter tags here if you want to exclude 'global systems' with any of the matching tags from being subject to this rule. |

- Enter any additional conditions for matching this rule, such as paths or files, the processes, and any restrictions by user or policy.
- Click Save & Exit after specifying the rule.