This section describes the fields on the Approval Request Details page.
Other fields may be available as options in the Approval Request table.

Field | Description |
---|---|
ID | A locally unique numeric identifier for the request. |
Date Requested | The date and time this request was received. |
Computer | The name of the computer on which the block occurred. |
Platform | The platform of the computer on which the block occurred. |
Policy | The Policy in effect for the agent computer at the time of the block. |
Enforcement Level | The Enforcement Level of the Policy in effect for the agent computer at the time of the block. |
Requestor | The user that made the request. |
Requestor E-Mail | The email address (if any) provided by the blocked user. |
Priority | The priority of the request (as set by the user). The options are High, Medium (the default), and Low. |
Rule Type | The type of rule that blocked the action. For example, “Unapproved executable” indicates that execution of an unapproved file was blocked on a computer whose policy blocks such executions. |
Reason | Approval request or justification text entered in the notifier. |
Comments | Comments by an administrator reviewing the request. Can be modified and updated at any point. |
Resolution | How the request was resolved. The menu choices are: This field can be changed only when the request or justification is open. It is informational only and does not affect rules or file states. |
Status | The status of the request. The values are: |
Mail Sent | If automatic request responses are enabled and one was sent for this request, this field shows the timestamp for that mail. |

The Platform Analysis panel shows information resulting from clicking the Run Analysis button. It provides statistics about the blocked file and the user requesting access.

Link/Button | Description |
---|---|
<number> blocks seen by this computer within 1 hour(s). | Number of blocks on this computer in the one-hour period ending at the time the analysis was run. Clicking this link displays the Events page filtered to show all types of block events associated with this computer. |
<number> blocks from this process on this computer within 1 hour(s). | Number of blocks by the given process on this computer in the one-hour period ending at the time the analysis was run. Clicking the link displays the Events page filtered to show block events associated with the process that attempted to perform the blocked action on this computer. |
<number> files written by <the process that tried to execute this file> on this machine. | Link to the Find Files page filtered to show files written by this process on this computer. PLATFORM NOTE: This field appears only for files on Windows computers. |
<number> files written by <the process that tried to execute this file> on the network. | Link to the Find Files page filtered to show all instances of files written by this process on any computer. PLATFORM NOTE: This field appears only for files on Windows computers. |
File appears on <number> computers with <number> different hashes. | Search results for the name and path in the request, across all computers managed by your Carbon Black App Control Server. Clicking the link displays the Find Files page filtered to show all instances matching the file name and path. |
<number> approval requests for this file. | The number of requests for this file, identified by hash. Clicking the link displays the Approval Requests table filtered to show all requests for this file hash. |
<number> total approval requests by this user. | Link to the Approval Requests table filtered to show all approval requests from this user. |
<number> open requests by this user. | Link to the Approval Requests table filtered to show all open approval requests from this user. |
Last Analysis Completed On <datetime> (Read Only) | Reports when the last analysis was run for this request, or if it has not yet been run. |
Run/Rerun Analysis (button) | Runs an analysis that provides the information in this panel. If the analysis has already been run, reruns it to update any of the changed information, such as the number of requests from the user or the number of files written by the process that tried to write the blocked file. |

Field | Description |
---|---|
File Name | Clicking the link displays the File Instance Details page for the blocked file. |
SHA-256 | Clicking the link displays the File Instance Details page for the blocked file. |
File State | The global state of this file in the File Catalog. |
Local State | The local state of the blocked file instance on this computer. |
Publisher | The publisher name and publisher approval state. Clicking the publisher name opens the Publisher Details page for the blocked file’s publisher. |
File Prevalence | The number of computers on which the blocked file appears. |
Trust Rating | Trust rating (if known) from Carbon Black File Reputation for the blocked file. Ranges from 0 (untrusted) to 10 (highly trusted). |
Threat Level | Threat level (if known) from Carbon Black File Reputation for the blocked file. Values are 0 (Clean), 1 (Potential Risk) and 2 (Malicious). |
(Security analysis results) | Assessments of the file (i.e., malicious, potential risk, or clean) from analysis of the blocked file by any connected security devices or services. This may include one or more of the following: CB Trust, CB Threat, Palo Alto Networks WildFire, or a custom connection. |

The Process tab and the Installer tab provide the same information for their subjects.

Field | Description |
---|---|
Process | Full path to the process that attempted to write or execute the blocked file. |
Installer | Full path to the installer for the blocked file. |
SHA-256 | SHA-256 hash of the process or installer. |
Trust Rating | Trust rating (if known) from Carbon Black File Reputation for the process attempting to run the blocked file or the installer that installed the file. Ranges from 0 (untrusted) to 10 (highly trusted). |
Threat Level | Threat level (if known) from Carbon Black File Reputation for the process attempting to run the blocked file or the installer that installed it. Values are 0 (Clean), 1 (Potential Risk) and 2 (Malicious). |

Field | Description |
---|---|
Rule Type | For actions blocked due to Custom, Memory, and Registry Rules, the rule type is composed of one of those three rule types plus the specific type chosen on the rule details page, for example, “Custom: Advanced”. For actions blocked due to file bans or blocking of unapproved files on agents at higher Enforcement Levels, the rule type is a generic description of the type of file blocked, for example, “Unapproved executable”. |
Rule Name | For actions blocked due to Custom, Memory, and Registry Rules, this field displays the name given to that rule on its rule table and details pages, for example, “Protect MyApp Folder”. The name is also a link to the details page for the rule. For actions blocked due to file bans or blocking of unapproved files on agents at higher Enforcement Levels, this field displays the relevant setting name from the Advanced tab of the Policies page, for example, “Block unapproved executables”. |
(messages) | If a rule was modified after the Approval Request was received, a message indicates that here. This may indicate that the rule was changed in some way to allow the action indicated in the request to be completed. |