You can use the Carbon Black App Control console to edit existing Event rules.
You can edit existing Event rules by modifying the fields described in Event Rule Fields. However, you cannot change the Action setting for a rule once it is created. Different actions might require different Carbon Black App Control console user account permission. Also, rule history might not make sense if the rule recorded a mix of different actions. If you need to change the Action, create a new rule. You can use the Copy Settings from field to copy most of an existing rule’s definitions and then change the action before saving.
Menus in the Edit Event Rule Page
The Edit Event Rule page has two menus on the right side of the page. The Related Views menu has one or more commands, which vary depending upon the Action chosen for the rule.
You can view the following commands in the Related Views menu:
- All file rules created by this rule – Displays the Software Rules: Files Approvals and Bans page filtered to show file rules created by this event rule (does not include local file approvals, which are not tracked on this page).
- All file uploads created by this rule – Displays the Requested Files: Uploaded Files page filtered to show uploads initiated by this rule.
- All file analysis submissions created by this rule – Displays the Requested Files: Analyzed Files page filtered to show analysis submissions to analysis services configured through the App Control Connector.
- Related events – Displays the Events page, filtered by this rule name.
The Action menu includes one or more of the following commands:
- Cancel all file analysis submissions created by this rule – For file analysis rules, cancels all unprocessed file submissions made to analysis services configured through the App Control Connector. This has no effect if a file submitted because of this rule has already been sent to the analysis service.
- Cancel all file uploads created by this rule – For file upload rules, cancels all unprocessed file uploads initiated by the rule. This has no effect if a file has already been uploaded.
- Create Alert – This opens the Add Alert page and partially configures the alert with information from the event rule. If completed and saved, the alert reports each time this event rule is triggered.
The Advanced menu includes one or more of the following commands:
- Re-apply rule – This allows you to choose a starting point in the past and re-apply this rule to all events that occurred between that point and the current time. This is useful for testing new or edited rules in Simulate only mode before switching to Enabled mode. It also can be used to re-apply rules to older events after switching to enabled mode.
- Clear processed events – This clears Simulated, Executed, and Skipped events in the Processed Events panel. Pending events are not cleared.