This section describes the fields on the Approval Request Details page.

Other fields may be available as options in the Approval Request table.

Table 1. Details for a Request/Justification (top panel)

Field

Description

ID

A locally unique numeric identifier for the request.

Date Requested

The date and time this request was received.

Computer

The name of the computer on which the block occurred.

Platform

The platform of the computer on which the block occurred.

Policy

The Policy in effect for the agent computer at the time of the block.

Enforcement Level

The Enforcement Level of the Policy in effect for the agent computer at the time of the block.

Requestor

The user that made the request.

Requestor E-Mail

The email address (if any) provided by the blocked user.

Priority

The priority of the request (as set by the user). The options are High, Medium (the default), and Low.

Rule Type

The type of rule that blocked the action. For example, “Unapproved executable” indicates that execution of an unapproved file was blocked on a computer whose policy blocks such executions.

Reason

Approval request or justification text entered in the notifier.

Comments

Comments by an administrator reviewing the request. Can be modified and updated at any point.

Resolution

How the request was resolved. The menu choices are:

  • Not Resolved
  • Rejected
  • Resolved-Approved
  • Resolved-Rule Change
  • Resolved-Installer
  • Resolved-Updater
  • Resolved-Publisher
  • Resolved-Other

This field can be changed only when the request or justification is open. It is informational only and does not affect rules or file states.

Status

The status of the request. The values are:

  • Submitted – A user sent the request; it has not been opened.
  • Open – The request has been opened by an administrator. Both Submitted and Closed requests can be opened. A request must be open for the Resolution field to be changed.
  • Escalated – The request has been escalated by an administrator. This might be done to draw greater attention to a high priority request. Other than the name, this is the same as Open.
  • Closed – The request has been closed, presumably because it has been resolved in some way. Requests can be closed even if no action has been taken to respond to them.

Mail Sent

If automatic request responses are enabled and one was sent for this request, this field shows the timestamp for that mail.

 

The Platform Analysis panel shows information resulting from clicking the Run Analysis button. It provides statistics about the blocked file and the user requesting access.

Table 2. Platform Analysis of Requests and Justifications

Link/Button

Description

<number> blocks seen by this computer within 1 hour(s).

Number of blocks on this computer in the one-hour period ending at the time the analysis was run. Clicking this link displays the Events page filtered to show all types of block events associated with this computer.

<number> blocks from this process on this computer within 1 hour(s).

Number of blocks by the given process on this computer in the one-hour period ending at the time the analysis was run. Clicking the link displays the Events page filtered to show block events associated with the process that attempted to perform the blocked action on this computer.

<number> files written by <the process that tried to execute this file> on this machine.

Link to Find Files page filtered to show files written by this process on this computer.

PLATFORM NOTE: This field appears only for files on Windows computers.

<number> files written by <the process that tried to execute this file> on the network.

Link to Find Files page filtered to show all instances of files written by this process on any computer.

PLATFORM NOTE: This field appears only for files on Windows computers.

File appears on <number> computers with <number> different hashes.

Search results for the name and path in the request, across all computers managed by your Carbon Black App Control Server. Clicking the link displays the Find Files page filtered to show all instances matching the file name and path.

<number> approval requests for this file.

The number of requests for this file, identified by hash. Clicking the link displays the Approval Requests table filtered to show all requests for this file hash.

<number> total approval requests by this user.

Link to the Approval Requests table filtered to show all approval requests from this user.

<number> open requests by this user.

Link to the Approval Requests table filtered to show all open approval requests from this user.

Last Analysis Completed On <datetime> (Read Only)

Reports when the last analysis was run for this request, or if it has not yet been run.

Run/Rerun Analysis (button)

Runs an analysis that provides the information in this panel. If the analysis has already been run, reruns it to update any of the changed information, such as the number of requests from the user or the number of files written by the process that tried to write the blocked file.

 

Table 3. File Information in Approval Request/Justification Details

Field

Description

File Name

Clicking the link displays the File Instance Details page for the blocked file.

SHA-256

Clicking the link displays the File Instance Details page for the blocked file.

File State

The global state of this file in the File Catalog.

Local State

The local state of the blocked file instance on this computer.

Publisher

The publisher name and publisher approval state. Clicking on the publisher name opens the Publisher Details page for the blocked file’s publisher.

File Prevalence

The number of computers on which the blocked file appears.

Trust Rating

Trust rating (if known) from Carbon Black File Reputation for the blocked file. Ranges from 0 (untrusted) to 10 (highly trusted).

Threat Level

Threat level (if known) from Carbon Black File Reputation for the blocked file. Values are 0 (Clean), 1 (Potential Risk) and 2 (Malicious).

(Security analysis results)

Assessments of the file (i.e., malicious, potential risk, or clean) from analysis on the blocked file from any connected security devices or services. This may include one or more of the following: CB Trust, CB Threat, Palo Alto Networks WildFire, or a custom connection.

The Process tab and the Installer tab provide the same information for their subjects.

 

Table 4. Process and Installer Information in Request/Justification Details

Field

Description

Process

Full path to the process that attempted to write or execute the blocked file.

Installer

Full path to the installer for the blocked file.

SHA-256

SHA-256 hash of the process or installer.

Trust Rating

Trust rating (if known) from Carbon Black File Reputation for the process attempting to run the blocked file or the installer that installed the file. Ranges from 0 (untrusted) to 10 (highly trusted).

Threat Level

Threat level (if known) from Carbon Black File Reputation for the process attempting to run the blocked file or the installer that installed it. Values are 0 (Clean), 1 (Potential Risk) and 2 (Malicious).

 

Table 5. Rule Information in Approval Request/Justification Details

Field

Description

Rule Type

For actions blocked due to Custom, Memory, and Registry Rules, the rule type is composed of one of those three rule types plus the specific type chosen on the rule details page. For example, “Custom: Advanced”.

For actions blocked due to file bans or blocking of unapproved files on agents at higher Enforcement Levels, the rule type is a generic description of the type of file blocked, for example, “Unapproved executable”.

Rule Name

For actions blocked due to Custom, Memory, and Registry Rules, this field displays the name given to that rule on its rule table and details pages, for example, “Protect MyApp Folder”. The name is also a link to the details page for the rule.

For actions blocked due to file bans or blocking of unapproved files on agents at higher Enforcement Levels, this field displays the relevant setting name from the Advanced tab of the Policies page, for example, “Block unapproved executables”.

(messages)

If a rule was modified after the Approval Request was received, a message indicates that here. This may indicate that the rule was changed in some way to allow the action indicated in the request to be completed.