To create a custom rule from scratch, you would need to provide the information shown in bold in the left column:

| General Description | Field on Add/Edit Custom Rule Page |
|---|---|
| If this/these source process(es)... | Process |
| ...and/or this/these user(s)... | User or Group |
| ...attempts to perform this/these operation(s)... | Operation (Execute, Write or Both)* |
| ...on this/these file(s)... | Path or File |
| ...on computers in this/these policy(ies)... | Rule applies to/Policies |
| ...on computers reporting to this/these App Control server(s)... | Rule applies to/Servers (if Unified Management is enabled) |
| ...on computers running on this platform... | Platform |
| ...then this/these action(s) should be taken. | Execute Action and/or Write Action* |

* Additional operations and actions are available in Expert Rules.

One rule can match one or more processes, users, paths, files, policies and servers, but it is always specific to a single platform. Instead of matching as described above, you can also make the rule apply when any process except the ones you specify attempts the action, or when an action is attempted on any file except the ones you specify.

Create a Custom Rule

The following procedure describes the process of creating a custom rule on one Carbon Black App Control Server.

On the Add Custom Rule page, your choice of Rule Type modifies the displayed fields:

  • Some fields are eliminated from the page if they are not relevant (or have only one sensible value) for the rule type you choose.
  • Some menu choices are eliminated so that only choices relevant to the rule type are available.
  • Inline Help buttons open text boxes with assistance in choosing values appropriate to the rule type for many configurable fields.

Note: If you are using Unified Management, you can also:
  • Apply a new rule to multiple servers when you create it.
  • Copy one or more existing rules from the management server to one or more client servers.

For more details, see Unified Management of Rules.

Prerequisites

Procedure

  1. On the console menu, navigate to the Rules > Software Rules page.
  2. Click the Custom tab and select the Add Custom Rule button.
    The Add Custom Rule page appears.
  3. In the Rule Name field, enter the name with which you want to identify this rule.
  4. Optional. In the Description text box, add other comments about the rule, such as its purpose or its relationship to other rules.
  5. If you want the rule to take effect immediately, click Enabled in the Status field.
    By default, a new custom rule is Disabled as soon as you define it and click Save.
  6. From the Platform drop-down menu, select the platform you want this rule applied to (Windows, Mac, or Linux).
    Each rule applies to one platform only.
  7. From the Rule Type drop-down menu, select the type of the rule.
    File Integrity Control is the default choice. Specific rule types are partially configured for you. If none of the specific types appears to fit your needs, select Advanced to see a greater number of configuration options.

    Note: You can select Expert as the rule type. Expert rules require much more detailed configuration and have a slightly different user interface than other rules. They are intended for use under special circumstances as directed by Carbon Black Support or Services representatives.

  8. Populate the remaining fields for this custom rule and click Save if you need to remain on the page, or Save & Exit to return to the Custom Rules table.
    By default, the new Custom rule is Disabled and ranked #1, listed at the top of the Registry rules table.
    Note: If Servers and Override Permissions fields appear on the page, you are on a Unified Management server, and have the option of applying this rule to multiple Carbon Black App Control Servers.
  9. Before you enable a rule, change its rank unless you want it to take precedence over (and perhaps preempt) all other rules.
    You can change the rank in any of the following ways:
    • Use the arrows in the Rank column.
    • Drag-and-drop (if the table is sorted by rank).
    • Click on the rank number and enter a new rank in the dialog box.
  10. When you are satisfied with the rank and want to enable the rule, click the toggle switch in the Status column of the Registry rules table.
    The button in the switch moves to the right and the background turns from white to green.
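
Why step 9 matters, as an added example (not Carbon Black code or its API): a simplified first-match model of rank-ordered rules that reports which operations change outcome if a new rule is enabled while still at rank 1. The evaluation model, the glob matching, the action labels and all rule data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    name: str
    rank: int
    enabled: bool
    platform: str     # a rule applies to exactly one platform
    process: str      # glob for the source process, "*" = any
    operation: str    # "execute", "write" or "both"
    path: str         # glob for the target file
    action: str       # constructed labels: "allow" / "block"

def matches(rule, platform, process, operation, path):
    return (rule.enabled and rule.platform == platform
            and rule.operation in (operation, "both")
            and fnmatchcase(process.lower(), rule.process.lower())
            and fnmatchcase(path.lower(), rule.path.lower()))

def decide(rules, attempt):
    """Assumed model: the first matching rule in rank order decides."""
    for rule in sorted(rules, key=lambda r: r.rank):
        if matches(rule, *attempt):
            return rule.name, rule.action
    return None, "no custom rule"

def add_at_rank_one(rules, new):
    """A new rule lands at rank 1; existing rules move down one."""
    return [replace(new, rank=1)] + [replace(r, rank=r.rank + 1) for r in rules]

def preempted(rules, new, attempts):
    """Attempts whose outcome changes if `new` is enabled without re-ranking."""
    after = add_at_rank_one(rules, replace(new, enabled=True))
    return [(a, decide(rules, a), decide(after, a))
            for a in attempts if decide(rules, a) != decide(after, a)]

# Constructed sample data (not from a real server).
EXISTING = [Rule("Protect web root", 1, True, "Windows", "*", "write",
                 r"c:\inetpub\*", "block")]
NEW = Rule("Trust updater", 0, False, "Windows", r"*\updater.exe", "both",
           r"c:\*", "allow")
ATTEMPTS = [
    ("Windows", r"c:\tools\updater.exe", "write", r"c:\inetpub\wwwroot\index.html"),
    ("Windows", r"c:\windows\notepad.exe", "write", r"c:\inetpub\wwwroot\index.html"),
]

if __name__ == "__main__":
    for attempt, before, after in preempted(EXISTING, NEW, ATTEMPTS):
        print(attempt[1], "->", attempt[3], ":", before, "=>", after)
```

In this model the broad "Trust updater" rule, left at rank 1, overrides the narrower block on the web root for that process; ranking it below the protective rule keeps the block in force.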

Create a Custom Rule from New unapproved file to computer Event

In specific instances, you can create new Custom rules directly from the Events page. For the event, "New unapproved file to computer," a toggle displays that allows you to create a new custom rule that will pre-populate with the data from that event.

Procedure

  1. Navigate to the Events page.
  2. Locate the New unapproved file to computer event and click the Add icon in the Selection column.
    The Add Custom Rule page opens with the rule definition pre-populated based on the respective event.
  3. Add a rule name and description.
    Make additional changes if needed.
  4. Click Save & Exit.

Results

The new Custom rule displays on the Custom tab, part of the Rules > Software Rules page.

Edit a Custom Rule

Editing a Custom Rule is very similar to creating one. If you have permission to edit the rule, you can edit any field, including the rule name.

Note: If you are using Unified Management and you edit a unified rule shared with other servers, a “wizard” shows the progress as the edited rule is saved on each server. For more details, see Unified Management of Rules.

Prerequisites

For a description of the Custom rule fields that you might choose to edit, see Custom Rule Fields.

Procedure

  1. On the console menu, navigate to the Rules > Software Rules page.
  2. Select the Custom tab, locate the rule you want to edit, and click View Details.
  3. On the Edit Custom Rule page for that rule, make your changes.
  4. Click either Save (to remain on the Edit Custom Rule page) or Save and Exit (to return to the Custom rules table page).

What to do next

If an error occurs, review the error message and correct the conditions that caused the error before saving again.

Copy a Custom Rule

There is a Copy this rule command on the right menu on the Edit Rules page for Custom, Registry, and Memory rules. This is for making copies of the rule on the same server. You might copy a custom rule so that you can customize a sample rule while preserving the original settings as a template. It also allows you to make slightly different rules for different policies without having to manually provide all of the settings for each one.

Procedure

  1. On the Custom rules table page, click View Details to open the details page for the rule you want to copy.
  2. Click Copy this rule... in the Actions menu on the right side of the details page.
    This action opens a dialog box. By default, the copy is named using the original rule name plus (copy).
  3. In the dialog box, change the rule name if you want something more descriptive than what is there.
  4. Optional. If you want the new rule enabled immediately, select the Enable copied rule check box.
  5. Click OK.
    The copied rule is created and its details page replaces the details page for the original rule.
  6. Make any changes you would like to make in the new (copied) rule and Save or Save & Exit.