Carbon Black App Control uses special tags in some of the Custom rules provided in this release. Do not use these tags unless advised otherwise by Carbon Black support or services.
-
<YaraTags: tagname > – Yara tags come from Yara rule content. When used to match the process that initiated an operation or the target process, they refer to the file that the process's image was loaded from. Yara tag values persist as part of the tracked file state, including across reboots (unlike user-created tags).
- Bit9: tagname – The
Bit9:
prefix is used on tags built-in to Carbon Black App Control for various purposes. Although usable in other rules, they are intended only for rules provided by Carbon Black, and their behavior could change in later releases without notice. - <LegacyClassification: tagname > – This prefix is used for internal, Carbon Black rules to identify older, hexadecimal tags. It should not be used in other rules.