Events That Can Trigger Rule Actions

Only events that relate to files or computers can be used to trigger an event rule. Each rule is required to have one event subtype specified; for example, the rule might specify that its action is triggered when an event with the subtype New file on network occurs. You may add more subtypes so that the rule takes action under several different event conditions. You also may add other specifications to the rule, such as that the event included a reference to a particular IP address.

You also may add specifications that the rule only runs when the target file identified in the event, or its parent process, has certain properties. For example, you might specify that a new, unapproved file is uploaded to an analysis service only if it does not have approval by reputation enabled.

Actions A Rule Can Take

The following actions can be taken using Event Rules:

• Change global file state – An Event Rule can create a global Approval, Ban, or Report Ban, and can remove a global Approval or Ban for a file referenced in an event. This may be done for all computers or by policy. Rules that change global state may also be configured to resolve related approval requests from endpoint users.
• Change global process state – An Event Rule can create a global Approval, Ban, or Report Ban, and can remove a global Approval or Ban for the file of the process referenced in an event. This may be done for all computers or by policy. Rules that change global state may also be configured to resolve related approval requests from endpoint users.
• Change local file state – An Event Rule can create or remove a Local Approval for a file referenced in an event. Rules that change local state may also be configured to resolve related approval requests from endpoint users.
• Upload file – An Event Rule can initiate upload of a file referenced in an event to the App Control Server.
• Delete File – An Event Rule can delete a file referenced in an event.
• Analyze file – An Event Rule can initiate upload of a file to any analysis service configured through the App Control Connector.
• Move computer – A computer referenced in a file-related event may be moved to a different policy and Enforcement Level.

Users will only see action options for which they have permission. For example, users without permission to submit files for analysis will not see the Analyze file option.

Simulating the Effect of a Rule

An important feature of Event rules is the ability to simulate what would happen if you fully enabled a rule without actually taking the action specified. Event rules can have a significant impact on the App Control Server, and if not configured properly, they may have undesirable and unintended results. Because of this, it is strongly recommended that any new rule be run in Simulate only mode before it is fully enabled – this is one of the options on the Add and Edit Event Rule pages. For a recommended work-flow using Simulate only, see Test a Rule before Enabling It.

Re-Applying a Rule to Past Events

Carbon Black App Control also provides the ability to apply a new rule to past events. This can be useful in combination with Simulate only mode, allowing you to apply the rule to a larger set of past events to see the events that would have been processed by the rule. You can then review these results, and you may choose to fine tune the rule to reduce the conditions under which the rule is triggered. You might also re-apply a new rule to past events when it is fully enabled if, for example, you want to send all new, unapproved files that have appeared in the past week to an external service for analysis.