You can create an Expert rule and apply it to operations with a specific tag.

Procedure

  1. Navigate to the table page for the type of rule you want to create (Custom, Memory or Registry).
  2. Click Add Rule and provide a name for the rule.
  3. If the rule name does not contain the tags you intend to use, include them in the Description field.
    Although you cannot add a column on the rules table pages, you can display the description. Displaying it helps you pair the rule that creates a particular tag with a rule that uses that tag to identify matching operations.
  4. Select Expert as the rule type (for Custom rules) or click On in the Expert Mode radio button field (for Memory and Registry rules).
  5. In the Operations list, select the operations that must trigger the rule.
  6. In the Actions list, select the action to perform when an operation matches the rule.
    Note: You do not need to use one of the actions from the Tagging Actions column, unless you are using one tag to create another one.
  7. Enter the names of the tags you want to match in the appropriate fields.
    Option Description
    Process Tag(s): Enter tags here if you want to apply this rule when the process that initiates an operation has a matching tag.
    Target Tag(s): Enter tags here if you want to apply this rule when the process, file, or registry key that is the target of an operation has a matching tag.
    Global Tag(s): Enter tags here if you want to apply this rule when the 'global system' on which the operation is being performed has a matching tag. This is equivalent to the computer on which the operation is performed.
    Global Tag Exceptions(s): Enter tags here if you want to exclude 'global systems' with any of the matching tags from being subject to this rule.
    Figure: The Actions list for an Expert rule, with the tags fields highlighted.
  8. Enter any additional conditions for matching this rule, such as paths or files, processes, and any restrictions by user or policy.
  9. Click Save & Exit after specifying the rule.