You can customize the notifier text a user sees when a Carbon Black App Control rule blocks an action.
For example, you might want to add a description of the Promote option to the notifiers for your existing policies, unless you prefer not to highlight this option. The Carbon Black App Control Notifier supports conditional, meta, and reporting tags that you can use to tailor the information reported to the end user.
Avoid using special characters in notifier text. In particular, the pipe character (|) is known to cause problems.
Using Tags in Notifier Text
Notifier text and links can include tags that provide information specific to the event that caused the notification, such as the name of the computer the event occurred on and the policy in force at the time.
The following table shows the informational tags you can add to a notifier message. You might see other tags that are for Carbon Black Support purposes only.
| Tag | Description | Example Values |
|---|---|---|
| <ComputerName> | The local name of the computer on which the block event occurred. | “RJONES-LAPTOP” |
| <DebugInfo> | Technical information about the rule and policy that generated the event. This is a metatag (that is, it contains information represented by other tags). | |
| <DomainName> | The NetBIOS domain name of the computer on which the block event occurred. | “MYCORP” |
| <EnforcementLevel> | The Enforcement Level of the agent at the time the block occurred. | “High (Block Unapproved)”, “Medium (Prompt Unapproved)”, “Low (Monitor Unapproved)” |
| <Operation> | The type of operation that was blocked. | “Execute”, “Write”, “Read”, etc. |
| <OsVersion> | The version, build and release of Windows on the agent computer. | “Microsoft Windows 7 x64 (build 7600)” |
| <Bit9AgentVersion> | The version of the agent running on the system on which the operation was blocked. | “8.0.0.256 (Patch 0)” |
| <Policy> | The policy the agent computer is in. | “Research Team”, “Sales Group”, “Guests”, etc. |
| <ProcessName> | The name (without the path) of the process that was blocked. | “explorer.exe” |
| <ProcessPath> | The path (without the name) of the process that was blocked. | “c:\windows\system32\” |
| <ProcessPathName> | The full path, including name, of the process that was blocked. | “c:\windows\system32\explorer.exe” |
| <ProcessPublisher> | The publisher name for the source process, if signed. | “Carbon Black, Inc.”, “Google Inc.”, “Microsoft Corporation”, etc. |
| <ProcessSha256> | The SHA256 hash (hexadecimal) of the source process. | |
| <RuleType> | The type of rule that was triggered. | “File and Path”, “Registry”, “Memory”, “Process”, etc. |
| <TargetName> | The name (without the path) of the target file, registry key or process to which access was attempted. | “foo.bat” |
| <TargetPath> | The path of the target file, key or process (without the name). | “c:\test\” |
| <TargetPathName> | The full path and name of the target. | “c:\test\foo.bat” |
| <TargetPublisher> | The publisher name for the target file, if signed. | “Carbon Black, Inc.”, “Google Inc.”, “Microsoft Corporation”, etc. |
| <TargetDevice> | The drive letter of the device on which an action was blocked. Unmapped devices are shown as \\device\<name>. | |
| <TargetShare> | The network path (without the filename) to the remote drive on which access to a file was blocked. | “\\SERVER3\temp\mydir” |
| <TargetSha256> | The SHA256 hash (hexadecimal) of the target file. | |
| <TargetSha1> | The SHA1 hash (hexadecimal) of the target file. | |
| <TargetMD5> | The MD5 hash (hexadecimal) of the target file. | |
| <UserName> | The name of the user in whose context the blocked operation was initiated. | “\MYCORP\rjones” |
Conditional Messages for Block vs. Prompt
By using conditional tags within the same notifier text, you can show the user one message for block-only notifiers, when an action is simply blocked by a Carbon Black App Control rule, and a different message for prompt notifiers, when a user is prompted to block or allow an action.
For example, you can create a single string of notifier text that displays a block message when a user in High Enforcement attempts to execute an unapproved file, but displays an ask message when a user in Medium Enforcement attempts to execute the same file. Similar prompt messages can be used for Custom, Registry or Memory rules in which the user is offered the option of blocking or allowing an action. The following table shows the tags for different block conditions (“message” represents the variable text you use in the message).
| Tag | Description |
|---|---|
| <BlockText:message> | Text to display if the rule blocks an action and the user has no choice to allow it. |
| <AskText:message> | Text to display if the rule prompts the user for a decision on whether to block or proceed with an action. This is the most generic “prompt” case. |
| <AskAllowText:message> | Text to display if the rule prompts the user for a decision on whether to block or allow file execution. |
| <AskRestrictText:message> | Text to display if the rule prompts the user for a decision on whether to allow or restrict memory access. |
| <AskApproveText:message> | Text to display if the rule prompts the user for a decision on whether to block writing of a file or to approve the file and allow it to be written. |
Example
When an unapproved file is blocked, the notifier text might include the following:
An unapproved file attempted to run on this computer<BlockText: and has been blocked. If you require access to this file, please contact your system administrator.><AskText:. Choose Allow to continue to let this file run, or choose Block to prevent it from running at this time.>
- When a computer with an agent in a High Enforcement policy with this notifier text attempts to execute an unapproved file, the notifier message uses the BlockText: An unapproved file attempted to run on this computer and has been blocked. If you require access to this file, please contact your system administrator.
- However, when a computer with an agent in a Medium Enforcement policy with this same notifier text attempts to open an unapproved file, the notifier message uses the AskText: An unapproved file attempted to run on this computer. Choose Allow to continue to let this file run, or choose Block to prevent it from running at this time.
A fuller version of the same notifier nests informational tags inside the conditional tags:
<BlockText:Carbon Black App Control blocked an attempt by <ProcessName> to run <TargetName> because the file is not approved. If you require access to this file, please contact your system administrator.><AskText:App Control identified and paused an attempt by <ProcessName> to run <TargetName> because the file is not approved. Choose Allow to let this file run, or choose Block to stop it from running at this time.>
Notice that there are other tags nested inside both the BlockText and AskText conditional tags. The conditional block/ask tags are the only notifier text tags inside which you can nest other tags. In the notifier link, you can nest tags inside the FriendlyText tag.
When you upgrade Carbon Black App Control Server from a previous release, your existing notifier messages are preserved, including those for Default and Template policies. Older notifiers might not include conditional text to provide different messages for “block” conditions and “ask” conditions and other special tags.
Informational Tags as Conditional Operators
In addition to the special block-and-ask conditional operators, notifier messages can include other conditional text based on any of the informational tags, except for the metatags, such as <DebugInfo>.
For details on informational tags, see Informational Notifier Tags.
The syntax for such a conditional tag is:
<tagnameText:pattern-to-match:message-text>
You must append the word Text directly to the end of the tag name; the tag does not work without this addition.
For example:
<Bit9AgentVersionText:8.0.0.*:This will display only on 8.0.0 agents>
The asterisk wildcard character in 8.0.0.* is used so that any build number of Carbon Black App Control Agent 8.0.0 matches the condition. The asterisk matches zero or more of any character; the question mark matches exactly one character (but not zero characters).
You could set up notifier text to appear if the hash for a target file matches a particular SHA-256 hash, using the <TargetSha256> tag. You can nest this conditional text within a generic “file blocked” notifier, as shown in the following example:
App Control blocked an attempt by <ProcessName> to run <TargetName> because the file is banned.
<TargetSha256Text:c1c4eacd1fe39c93df477f335644902b3b83cc437bfe4b641960f874af1e0708:This version of MyFavoriteApp has a major security flaw.> If you require a solution to this block, please contact your system administrator. Scroll down for diagnostic data. <DebugInfo>
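To make the tag rules on this page concrete, the following Python script is an added example; it is not Carbon Black's code and not part of the original documentation. It is a toy renderer that substitutes the informational tags from the table above, honours the block/ask conditional tags from the BlockText/AskText example, evaluates tagnameText:pattern:message conditions with the documented asterisk and question-mark wildcards, and adds a pre-save check for the pipe character. The functions render, check_notifier_text and _lookup, the active condition-set parameter, the case-insensitive pattern comparison, the composition of DebugInfo and the SAMPLE_EVENT values are all assumptions; the real agent's parser may behave differently.

```python
"""Toy renderer for the App Control notifier tag syntax described on this page. Added
illustration written to the documented semantics, not Carbon Black's code: the agent's
real parser and the contents of the <DebugInfo> metatag are assumptions."""
import fnmatch

# Informational tags from the table above; their values come from the block event.
KNOWN_TAGS = set("""ComputerName DomainName EnforcementLevel Operation OsVersion
    Bit9AgentVersion Policy ProcessName ProcessPath ProcessPathName ProcessPublisher
    ProcessSha256 RuleType TargetName TargetPath TargetPathName TargetPublisher
    TargetDevice TargetShare TargetSha256 TargetSha1 TargetMD5 UserName""".split())
METATAGS = {"DebugInfo"}  # the page says metatags cannot be conditional operators
CONDITION_TAGS = {"BlockText", "AskText", "AskAllowText", "AskRestrictText", "AskApproveText"}


def _lookup(name, event):
    """Value of an informational tag; '' if the event lacks it (e.g. an unsigned file's publisher)."""
    if name in METATAGS:  # assumption: the page only says <DebugInfo> is built from other tags
        return "Rule: %s; Policy: %s; Enforcement: %s" % tuple(
            event.get(k, "") for k in ("RuleType", "Policy", "EnforcementLevel"))
    if name not in KNOWN_TAGS:
        raise ValueError("unknown tag <%s>" % name)
    return event.get(name, "")


def render(template, event, active):
    """Expand `template` for one event. `active` is the set of block/ask condition tags
    that hold, e.g. {"BlockText"} in High Enforcement or {"AskText"} when prompting.
    Nesting is honoured inside conditional tags only; a literal '<' is not supported."""
    out, i, n = [], 0, len(template)
    while i < n:
        if template[i] != "<":
            out.append(template[i])
            i += 1
            continue
        j = i + 1
        while j < n and template[j] not in ":>":
            j += 1
        if j >= n:
            raise ValueError("unterminated tag at offset %d" % i)
        name = template[i + 1:j]
        if template[j] == ">":  # plain informational tag
            out.append(_lookup(name, event))
            i = j + 1
            continue
        depth, k = 1, j + 1  # conditional tag: find the matching '>' across nesting
        while k < n and depth:
            depth += {"<": 1, ">": -1}.get(template[k], 0)
            k += 1
        if depth:
            raise ValueError("unbalanced conditional tag <%s:...>" % name)
        body = template[j + 1:k - 1]
        if name in CONDITION_TAGS:
            text = render(body, event, active)  # parse even when inactive so errors surface
            if name in active:
                out.append(text)
        elif name.endswith("Text") and name[:-4] in KNOWN_TAGS | METATAGS:
            base = name[:-4]
            if base in METATAGS:
                raise ValueError("<%s> cannot be used as a conditional operator" % base)
            pattern, _, message = body.partition(":")
            text = render(message, event, active)
            # '*' matches zero or more characters and '?' exactly one, as documented;
            # assumption: the comparison is case-insensitive.
            if fnmatch.fnmatchcase(_lookup(base, event).lower(), pattern.lower()):
                out.append(text)
        else:
            raise ValueError("unknown conditional tag <%s:...> (missing 'Text' suffix?)" % name)
        i = k
    return "".join(out)


def check_notifier_text(template):
    """Problems to fix before saving: the pipe character the page warns about, plus
    anything the renderer cannot parse (checked against an empty event)."""
    problems = ["contains the pipe character '|'"] if "|" in template else []
    try:
        render(template, {}, set())
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample event using the example values from the table above.
SHA = "c1c4eacd1fe39c93df477f335644902b3b83cc437bfe4b641960f874af1e0708"
SAMPLE_EVENT = {"EnforcementLevel": "High (Block Unapproved)", "Policy": "Research Team",
                "RuleType": "File and Path", "Bit9AgentVersion": "8.0.0.256 (Patch 0)",
                "ProcessName": "explorer.exe", "TargetName": "foo.bat", "TargetSha256": SHA}
BLOCK_OR_ASK = (  # the nested block/ask example from the page
    "<BlockText:Carbon Black App Control blocked an attempt by <ProcessName> to run <TargetName>"
    " because the file is not approved. If you require access to this file, please contact your"
    " system administrator.><AskText:App Control identified and paused an attempt by <ProcessName>"
    " to run <TargetName> because the file is not approved. Choose Allow to let this file run, or"
    " choose Block to stop it from running at this time.>")
HASH_MATCH = (  # the SHA-256 conditional example from the page
    "App Control blocked an attempt by <ProcessName> to run <TargetName> because the file is"
    " banned. <TargetSha256Text:" + SHA + ":This version of MyFavoriteApp has a major security"
    " flaw.> If you require a solution to this block, please contact your system administrator."
    " Scroll down for diagnostic data. <DebugInfo>")
```

Calling render(BLOCK_OR_ASK, SAMPLE_EVENT, {"BlockText"}) yields the block message and the same template with {"AskText"} yields the prompt message; render(HASH_MATCH, SAMPLE_EVENT, set()) includes the hash-specific sentence only because the constructed event's TargetSha256 matches the pattern, and a different hash drops that sentence while the rest of the text still renders. check_notifier_text("Blocked | <Bit9AgentVersion:8.0.0.*:x>") reports both the pipe character and the missing Text suffix, which are the two mistakes this page warns about.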