Certain choices in the Select File Properties and Select Process Properties panels of the Add/Edit Event Rule page have special behaviors affecting how they are evaluated.
Certain choices in the Select File Properties and Select Process Properties panels of the Add/Edit Event Rule page have special behaviors affecting how they are evaluated. A common issue is what happens when an event occurs that is missing data specified in an Event rule filter. Evaluation of that event is put into a Pending state until the data becomes available. The following sections describe this and other conditions affecting rule evaluation.
Carbon Black File Reputation Trust and Threat Data
If you choose one of the Carbon Black File Reputation-provided fields, Trust or Threat, in the File or Process Properties for a rule, only events that have a value for these fields can trigger the rule. Events whose files do not have a Trust or Threat value can go into Pending state (visible in the Processed Events list for the rule) until Carbon Black File Reputation data is available. Once data becomes available, the event is evaluated against the rule.
Another behavior to be aware of is the treatment of Trust values that are unknown but not missing. If Carbon Black File Reputation and App Control Server have synchronized file information and there is no trust information for a file, no Trust value is shown in the console. However, the stored Trust value for a file whose trust is unknown is minus one (-1). Therefore, an event rule that specifies that an action is taken for files with less than a certain trust will be triggered for both low trust files and files whose trust is unknown. To limit the rule action to files for which the trust is known to be low (as opposed to unknown), add a second condition that specifies Trust must also be greater than or equal to zero.
File Prevalence
If you choose file Prevalence as a filter field, only events for which prevalence is calculated for a related file can trigger the rule. Events whose files have no prevalence value go into Pending state until a Prevalence value is available.
Also, keep in mind that certain settings will make it impossible to accurately report prevalence, including exclusion of Microsoft Support file tracking and exclusion of tracking in selected policies.
File Metadata
If any file metadata field (such as file type, file size, company, publisher, and product) is used as part of a file or process filter, an incoming event is evaluated only after the specified metadata is reported for that particular file by the agent.
The delay between when an event is reported and when the related file message arrives is normally on the order of seconds. However, if an agent has a large backlog of files to report or goes offline just after sending an event, the delay could be long enough to place event rule evaluation into the Pending state.
File Extension
For both Select File Properties and Select Process Properties, if you choose file Extension as a filter, you must use the file extension without the initial dot.
For example, to specify that a rule is triggered for batch files with the bat extension, you must use bat alone, not .bat. Otherwise, the rule cannot function properly.
Analysis Results Options
The Select File Properties and Select Process Properties filter menus include file analysis options that are not available in the App Control File Catalog. These options can be used to take action based on the results of analysis by external devices. The current options are Analysis Result: Palo Alto Networks Wildfire, – other options may be added after initial release.
File analysis results can be one of the following values:
- Unknown – The file was not yet analyzed by this service.
- Clean – The file was analyzed with this provider and nothing suspicious was found.
- Potential Risk – The file was analyzed with this provider and a potential risk was detected.
- Malicious – The file was analyzed with this provider and is reported as malicious.
- Analysis Pending – The file is still being analyzed with this provider.
- Analysis Error – The file was analyzed but analysis returned an error.
As with the Carbon Black File Reputation and Prevalence filters, rules with analysis filters will go into the Pending state for an event that matches the rule but for which analysis results are not available.
Global Bans for Non-Cataloged Files
You can use an Event rule to create a global ban for a file that has not yet been seen on an App Control Agent reporting to your server.
This can happen if you specified a certain event subtype, such as Malicious file detected, in the Event Properties for the rule, and then an analysis service connected to the App Control Server reported a file that triggered an event matching the rule definition. If no other properties are defined for the rule, it immediately creates a “pre-ban” for the file so that if it does appear on any of the agent computers, it will already be banned.
However, if a File Properties filter is added to the rule definition, the rule goes into the Pending state until the reported file actually appears on an agent-managed computer and can be evaluated against the specified properties. If a Process Properties filter is defined and an event has no process associated with it, the event will be silently skipped, leaving no record in the event view.