The Carbon Black App Control console lets you create an event rule from scratch or by copying the settings of an existing, similar event rule.
Prerequisites
- Make sure you are familiar with the settings on the Create Event Rule page. For more information, see Event Rule Fields.
- Make sure you are familiar with the Simulate only option. For information on this Status choice, see Test a Rule before Enabling It.
- Make sure you are familiar with submitting approval requests and resolving approval requests. For more information, see Approval Requests and Justifications.
Procedure
Event Rule Fields
The table below lists the fields available on the Create/Edit Event Rule page.
| Panel:Field | Description |
|---|---|
| Copy Settings From: | Existing rule from which this rule copies its initial settings. If you do not want to copy any settings, leave the default value of (none). |
| Rule Name | Name by which this rule is identified. (Required) |
| Description | Additional information about the rule. This can be any text you choose to enter. (Optional) |
| Status | Radio buttons that determine whether and how this rule is activated: |
| Select Event Properties:Add Filter | The properties of the event that triggers this rule: |
| Select File Properties:Add Filter | File properties to further refine the conditions for triggering this rule. Most of the choices here are the same as the fields in the App Control File Catalog. See File and Process Properties in Event Rule Definitions for detailed information about certain choices in this panel. File properties are not required in an Event Rule. NOTE: If you specify a file property and that property is unavailable, the rule cannot be executed, and events matching the rule are placed in a Pending state until the property becomes available. For example, if a rule requires that the file's Carbon Black File Reputation has a Trust level of 5 or less, but Carbon Black File Reputation is not configured and there is no trust information for the file, the rule will not be executed, even if all other rule specifications are met. This also applies to file prevalence and metadata. |
| Select Process Properties:Add Filter | Process properties to further refine the conditions for triggering this rule. Most of the choices here are the same as the fields in the App Control File Catalog. See File and Process Properties in Event Rule Definitions for detailed information about certain choices in this panel. Process properties are not required in an Event Rule. If you specify a process property and that property is unavailable, the rule cannot be executed, and events matching the rule are placed in a Pending state until the property becomes available. For example, if a rule requires that the Carbon Black File Reputation data for a file shows a Trust level of 5 or less, but Carbon Black File Reputation is not configured and there is no trust information for the file, the rule will not be executed, even if all other rule specifications are met. This also applies to file prevalence and metadata. |
| Select Action:Action | The following options appear on the Action menu: |
| Resolve Related Approval Request | When the Action choice for the rule is Change Global file state or Change local file state, this checkbox is displayed. If the box is checked, any approval request related to the file referenced in this file has its status changed to Resolved. |
| Priority | When the Action choice for a rule is Upload file or Analyze file, you can set the priority for the upload or analysis to Low, Medium, or High, which determines the order in which the action is taken relative to other upload or analyze requests. Priority can be changed on the Requested Files page once a request is in progress. |