An Expert rule can take actions when an operation matching the rule is attempted.

For information on all the actions an Expert rule can take, see Table: Action Settings in Expert Rules. Unlike operations, most (but not all) actions are common to all three rule pages. The Where Available column in the table shows whether the action is limited to one page.

As with non-expert rules, Expert rules are often most effective in pairs. For example, one rule might tag certain types of files and another one might take a specified action, such as allowing execution when files with that tag appear later. For more information on this feature, see Tags and Tagging Actions in Expert Rules.

With Expert rules, you can also combine actions that might otherwise require two rules. For example, you can configure rule to "promote" a process so that files it writes are locally approved, and in the same rule, demote children of the process so that files they write are not locally approved. When you review the table, look for actions that form this kind of pairing.

The table includes brief descriptions of what these actions do. Many of the actions are described in more detail in the "Custom Rules," "Memory Rules," and "Registry Rules" sections in the User Guide, which is available as online help in the App Control console or online at the Carbon Black App Control Documentation site.