To create a custom rule from scratch, you would need to provide the information shown in bold in the left column:
General Description | Field on Add/Edit Custom Rule Page |
---|---|
If this/these source process(es)... | Process |
...and/or this/these user(s)... | User or Group |
... attempts to perform this/these operation(s)... | Operation (Execute, Write or Both)* |
... on this/these file(s)... | Path or File |
... on computers in this/these policy(ies)... | Rule applies to/Policies |
... on computers reporting to this/these App Control server(s)... | Rule applies to/Servers (if Unified Management is enabled) |
... on computers running on this platform... | Platform |
... then this/these action(s) should be taken. | Execute Action and/or Write Action* |
* Additional operations and actions are available in Expert Rules.
One rule can match one or more processes, users, paths, files, policies and servers, but it is always specific to a single platform. Instead of the matches described above, you can also make the rule apply when any process except the ones you specify attempts the action, or when an action is attempted on any file except the ones you specify.
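The rule anatomy in the table above, modelled as an added Python example; it is not Carbon Black App Control code. The field names, the glob-style matching and the "block" action value are assumptions made for illustration, and the rule and events are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

def _any(patterns, value):
    # Case-insensitive glob match (assumption: the product's own syntax may differ).
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

@dataclass
class CustomRule:
    name: str
    platform: str                    # a rule is specific to exactly one platform
    operation: str                   # "execute", "write" or "both"
    paths: tuple
    processes: tuple = ("*",)
    users: tuple = ("*",)
    policies: tuple = ("*",)
    exclude_processes: bool = False  # "any process except the ones you specify"
    exclude_paths: bool = False      # "any file except the ones you specify"
    execute_action: Optional[str] = None
    write_action: Optional[str] = None

    def evaluate(self, event: dict) -> Optional[str]:
        """Return the action for this event, or None if the rule does not apply."""
        if event["platform"] != self.platform:
            return None
        if self.operation not in ("both", event["operation"]):
            return None
        # A match on an excluded list, or a miss on an included list, skips the rule.
        if _any(self.processes, event["process"]) == self.exclude_processes:
            return None
        if _any(self.paths, event["path"]) == self.exclude_paths:
            return None
        if not _any(self.users, event["user"]) or not _any(self.policies, event["policy"]):
            return None
        return self.execute_action if event["operation"] == "execute" else self.write_action

# Constructed rule: only the updater may write into the application directory.
RULE = CustomRule(
    name="Protect app dir", platform="windows", operation="write",
    paths=(r"c:\app\*",), processes=(r"c:\app\updater.exe",),
    exclude_processes=True, write_action="block",
)

def sample_event(process, operation="write", platform="windows"):
    # Constructed event; the keys are illustrative, not a product schema.
    return {"platform": platform, "operation": operation, "process": process,
            "path": r"c:\app\core.dll", "user": "CORP\\alice", "policy": "Servers"}
```

Inverting the process list turns a narrow allow-list (one trusted writer) into a rule that covers every other process, which is why the exception form is useful for protecting a directory.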
Create a Custom Rule
The following procedure describes the process of creating a custom rule on one Carbon Black App Control Server.
On the Add Custom Rule page, your choice of Rule Type modifies the displayed fields:
- Some fields are eliminated from the page if they are not relevant (or have only one sensible value) for the rule type you choose.
- Some menu choices are eliminated so that only choices relevant to the rule type are available.
- Inline Help buttons open text boxes with assistance in choosing values appropriate to the rule type for many configurable fields.
- Apply a new rule to multiple servers when you create it.
- Copy one or more existing rules from the management server to one or more client servers.
For more details, see Unified Management of Rules.
Prerequisites
- Get familiar with the different rule types as well as all of the other custom rule fields. For field descriptions, see Custom Rule Fields.
- If you want to use the Expert rule type, see Expert Rules.
- Make sure you are familiar with rule ranking. For information, see Rule Ranking and Internal Rules.
Procedure
Create a Custom Rule from New unapproved file to computer Event
In specific instances, you can create new Custom rules directly from the Events page. For the "New unapproved file to computer" event, a toggle is displayed that lets you create a new custom rule pre-populated with the data from that event.
Procedure
Results
Edit a Custom Rule
Editing a Custom Rule is very similar to creating one. If you have permission to edit the rule, you can edit any field, including the rule name.
Prerequisites
For a description of the Custom rule fields that you might choose to edit, see Custom Rule Fields.
Procedure
- On the console menu, navigate to the page.
- Select the Custom tab, locate the rule you want to edit, and click View Details.
- On the Edit Custom Rule page for that rule, make your changes.
- Click either Save (to remain on the Edit Custom Rule page) or Save and Exit (to return to the Custom rules table page).
What to do next
If an error occurs, review the error message and correct the conditions that caused the error before saving again.
Copy a Custom Rule
There is a Copy this rule command on the right menu on the Edit Rules page for Custom, Registry, and Memory rules. This is for making copies of the rule on the same server. You might copy a custom rule so that you can customize a sample rule while preserving the original settings as a template. It also allows you to make slightly different rules for different policies without having to manually provide all of the settings for each one.