The Carbon Black App Control console allows you to create an event rule from scratch or by copying the settings of an already existing similar event rule.

Prerequisites

Procedure

  1. On the console menu, navigate to the Rules > Event Rules page.
    The Event Rules page appears, showing the available rules and their status.
  2. Click the Create Rule button.
    The Create Event Rule page opens.
  3. Optional. If there is an existing event rule similar to the one you want to create, select that rule from the Copy Settings From drop-down menu.
    Selecting a rule from this menu prepopulates the page with the fields from the event rule you selected. You only need to change the fields that differ from the rule you copied.
  4. Enter a unique name for the rule in the Rule Name field.
    If you copied the settings of an existing rule, the default name is the name of the rule followed by (Copy).
  5. Optional. Populate the Description field with a longer description of the rule.
  6. Select one of the following options in the Status field.
    • Enabled - Actions specified by the rule execute as specified.
    • Simulate only - Actions specified by the rule are simulated. Events are generated indicating what the rule does if enabled, but the actions specified are not actually taken.
    • Disabled - The rule and its settings are saved but it does not execute or simulate the specified actions.
    Important: We recommend you use Simulate only for a new Event rule.
  7. In the Select Event Properties panel, use the Add filter drop-down menu to select one or more event properties.
    • At least one Subtype filter must be included.
    • Because only file- or computer-related events can be used to trigger an event rule, the selections on this menu are limited accordingly.
    • Some file-related properties that appear in events are not included here because they appear on the File Properties menu.
    • To use filenames or path names in an Event rule filter, specify them using the Event Properties filter rather than File Properties filter. The Event Property File name matches more of the relevant events than the File Property First seen name.
  8. In the Select File Properties panel, use the Add filter drop-down menu to select one or more file properties to further refine the conditions under which this rule is triggered.
    Most of the choices here are the same as the fields in the App Control File Catalog, although there are some additional fields. For detailed information about certain choices in this panel, see File and Process Properties in Event Rule Definitions.
    Note: For both Select File Properties and Select Process Properties, if you select the Extension filter, you must use the file extension without the initial dot. For example, bat, not .bat. Otherwise, the rule does not function properly.
  9. In the Select Process Properties panel, use the Add filter drop-down menu to select one or more process properties to further refine the conditions under which this rule is triggered.
    Most of the choices are the same as the fields in the App Control File Catalog, although there are some additional fields. For detailed information about certain choices in this panel, see File and Process Properties in Event Rule Definitions.
    Note: The process to which this configuration choice applies is the parent process of the file referenced in the event or event rule, not the process that appears in the operating system task manager when a file executes.
  10. In the Select Action panel, use the Action drop-down menu to select the action that is taken when events and files match this rule.
    The options that appear on this menu depend upon the permissions of the console user creating or editing the rule. For more details, see User Role Permissions.
  11. Select the Resolve Related Approval Request check box to automatically resolve any approval request for a file if you chose an action that changes the state of the file.
    If you do not check the box, any approval request for the related file is left open until you manually close it. This box has no effect if there is no related approval request.
  12. When you complete the rule definition, click Save to remain on the page, or click Create & Exit to create the rule and leave the Create Event Rule page.

Event Rule Fields

The table below lists the fields available on the Create/Edit Event Rule page.

Table 1. Event Rule Fields

Panel:Field

Description

Copy Settings From:

Existing rule from which this rule copies its initial settings. If you do not want to copy any settings, leave the default value of (none).

Rule Name

Name by which this rule is identified. (Required)

Description

Additional information about the rule. This can be any text you choose to enter. (Optional)

Status

Radio buttons that determine whether and how this rule is activated:

  • Enabled – Actions specified by the rule will be executed as specified.
  • Simulate only – Actions specified by the rule will be simulated. Events will be generated indicating what the rule would have done if enabled, but the actions specified will not actually be taken. This is the default value for newly created rules.
  • Disabled – The rule and its settings will be saved but it will not execute or simulate the actions specified. This is the default value for the sample rules.

Select Event Properties:Add Filter

The properties of the event that triggers this rule:

  • Subtype – At least one event Subtype filter must be included in this filter (For example, New file on network). Additional Subtypes may be added so that, for example, a rule is triggered for either New file on network or New unapproved file to computer events.
  • Other Event properties – Other properties may be added to this filter. Some file-related properties that appear in events are not included here because they appear on the File Properties menu.

Select File Properties:Add Filter

File properties to further refine the conditions for triggering this rule. Most of the choices here are the same as the fields in the App Control File Catalog. See File and Process Properties in Event Rule Definitions for detailed information about certain choices in this panel. File properties are not required in an Event Rule.

Note: If you specify a file property and that property is unavailable, the rule cannot be executed, and events matching the rule are placed in a Pending state until the property becomes available. For example, if a rule requires that the Carbon Black File Reputation trust level for a file is 5 or less, but Carbon Black File Reputation is not configured and there is no trust information for the file, the rule is not executed even if all other rule specifications are met. This also applies to file prevalence and metadata.

Select Process Properties:Add Filter

Process properties to further refine the conditions for triggering this rule.

Most of the choices here are the same as the fields in the App Control File Catalog. See File and Process Properties in Event Rule Definitions for detailed information about certain choices in this panel. Process properties are not required in an Event Rule.

Note: If you specify a process property and that property is unavailable, the rule cannot be executed, and events matching the rule are placed in a Pending state until the property becomes available. For example, if a rule requires that the Carbon Black File Reputation data for a file shows a trust level of 5 or less, but Carbon Black File Reputation is not configured and there is no trust information for the file, the rule is not executed even if all other rule specifications are met. This also applies to file prevalence and metadata.

Select Action:Action

The following options appear on the Action menu:

  • Change global file state – This automatically changes the global state of matching files. You can approve, ban, or create a report-only ban for matching files. You can also remove approvals or bans. You also can apply the state change to All policies or selected policies.
  • Change global process state – This automatically changes the global file state of matching processes. You can approve, ban, or create a report-only ban for matching processes. You can also remove approvals or bans. You also can apply the state change to All policies or selected policies.
  • Change local file state – This automatically changes the local state of matching files. You can locally Approve matching files or Remove local approval.
  • Upload file – This initiates an upload to the App Control Server of matching files from the agent-managed computer on which they appear. You can choose the default upload location or a custom location on the server or another accessible computer. For example, you can send all newly found files to a specific folder for manual examination or scanning by a tool on a different computer. Note: This option is available only for console users with one or both of the Manage uploads of inventoried files permissions. See User Role Permissions.
  • Delete file – This initiates a request to delete the files referenced in the event that triggered the Event Rule. Deletion of the files on the endpoint is completed soon after the request is sent; the exact latency depends upon how many files are affected by the request and any other activities scheduled on the server. Important: When a file is deleted from an endpoint in this way, it is permanently deleted. It is not sent to a “recycle bin” or other location that allows it to be restored. See Deleting Files for more information about this feature.
  • Analyze file – This initiates upload of a file to a connected device or service for analysis when the rule conditions are met. You check the box for one or more enabled analysis services integrated with the App Control Server through the App Control Connector. If no services are configured, this option does not appear.
  • Move computer – This moves the computer referenced in the event to a different policy, with the following options:
      • Specify policy – This displays a menu of the policies available on this App Control Server.
      • Restore to normal enforcement level – This returns a computer that is in Local Approval mode to its previous policy. If the computer is not in Local Approval mode, this has no effect.
      • Local approval – This moves a computer into Local Approval mode. See Moving Computers to Local Approval Mode for details.
      • Automatic policy – This moves a computer into the policy to which Active Directory mapping assigns it. If AD Mapping is not enabled, this setting has no effect.

Resolve Related Approval Request

When the Action choice for the rule is Change global file state or Change local file state, this checkbox is displayed. If the box is checked, any approval request related to the file referenced in this event has its status changed to Resolved.

Priority

When the Action choice for a rule is Upload file or Analyze file, you can set the priority for the upload or analysis to Low, Medium, or High, which determines the order in which the action is taken relative to other upload or analyze requests. Priority can be changed on the Requested Files page once a request is in progress.
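Teams that keep event-rule definitions under version control often want to lint them before anyone clicks Create & Exit, catching the mistakes the procedure above and Table 1 warn about: a missing Subtype filter, an Extension filter written with the leading dot, a new rule created as Enabled instead of Simulate only, and a Resolve Related Approval Request or Priority setting that has no effect for the chosen action. The checker below is an added example, not part of this page and not App Control's own API or rule format; the dict layout and the constructed sample rules are assumptions that simply mirror the console panels described here.

```python
"""Pre-flight checks for an App Control event-rule definition.

Added example. The dict layout is an ASSUMED representation of the console
fields described in the procedure and in Table 1, not the product's own API.
"""

VALID_STATUS = {"Enabled", "Simulate only", "Disabled"}
FILE_STATE_ACTIONS = {"Change global file state", "Change local file state"}
PRIORITY_ACTIONS = {"Upload file", "Analyze file"}
VALID_PRIORITY = {"Low", "Medium", "High"}


def _extension_problems(panel, filters):
    """Extension filters must omit the initial dot (bat, not .bat)."""
    return [
        f"{panel}: Extension {value!r} must be given without the leading dot"
        for prop, value in filters
        if prop == "Extension" and str(value).startswith(".")
    ]


def check_event_rule(rule):
    """Return (errors, warnings) for a rule dict; errors mean the rule is invalid."""
    errors, warnings = [], []

    # Rule Name is the only required text field.
    if not rule.get("name", "").strip():
        errors.append("Rule Name is required")

    # Status must be one of the three radio-button values; the page recommends
    # Simulate only for a new rule, so flag Enabled as a warning.
    status = rule.get("status")
    if status not in VALID_STATUS:
        errors.append(f"Status {status!r} is not one of {sorted(VALID_STATUS)}")
    elif status == "Enabled":
        warnings.append("Status is Enabled; start a new rule in 'Simulate only' "
                        "and review the simulated events first")

    # Select Event Properties: at least one Subtype filter is mandatory.
    if not any(prop == "Subtype" for prop, _ in rule.get("event_filters", [])):
        errors.append("Select Event Properties: at least one Subtype filter is required")

    # The leading-dot rule applies to both the file and the process panels.
    errors += _extension_problems("Select File Properties", rule.get("file_filters", []))
    errors += _extension_problems("Select Process Properties", rule.get("process_filters", []))

    action = rule.get("action")
    if not action:
        errors.append("Select Action: an action is required")

    # The checkbox is only shown for the two file-state actions.
    if rule.get("resolve_related_request") and action not in FILE_STATE_ACTIONS:
        warnings.append(f"Resolve Related Approval Request has no effect for action {action!r}")

    # Priority only exists for Upload file / Analyze file.
    priority = rule.get("priority")
    if priority is not None:
        if action not in PRIORITY_ACTIONS:
            warnings.append(f"Priority is ignored for action {action!r}")
        elif priority not in VALID_PRIORITY:
            errors.append(f"Priority {priority!r} is not one of {sorted(VALID_PRIORITY)}")

    return errors, warnings


# Constructed sample definitions (not from the page): one well-formed rule and
# one that trips the checks the page warns about.
GOOD_RULE = {
    "name": "Upload new scripts for review",
    "status": "Simulate only",
    "event_filters": [("Subtype", "New file on network")],
    "file_filters": [("Extension", "bat")],
    "process_filters": [],
    "action": "Upload file",
    "resolve_related_request": False,
    "priority": "Medium",
}

BAD_RULE = {
    "name": "Review new scripts",
    "status": "Enabled",                         # should start as Simulate only
    "event_filters": [("File name", "*.bat")],   # no Subtype filter
    "file_filters": [("Extension", ".bat")],     # leading dot breaks the rule
    "process_filters": [],
    "action": "Upload file",
    "resolve_related_request": True,             # only meaningful for file-state actions
    "priority": "Urgent",                        # not Low/Medium/High
}

if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        errs, warns = check_event_rule(rule)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  -", line)
```

Running the module prints no findings for the first rule and three errors plus two warnings for the second; the errors are the ones that would make the rule fail to trigger or fail to save, while the warnings point at settings that are silently ignored for the chosen action.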