This is the top-level, general classification for an event.

Each event also has a subtype, which specifically classifies the kind of event it is. Table 1, App Control Event Types, shows the public event types.

Table 1. App Control Event Types
Event Type Description
Computer Management

Events related to changes to Computer assets managed by the App Control Server or specific to an App Control Agent. For example:

  • Console management operations like “Computer deleted” and “Computer modified”
  • Computer/Agent specific diagnostic actions like “Cache check complete” and “Agent synchronization finished”
  • Template and clone computer management operations
  • Agent status operations like “Agent restart” and “Agent upgraded”
  • “Carbon Black EDR sensor status”
Discovery

Events related to the discovery or existence of new assets or new actions. For example:

  • Device-related events like “New device found” and “Device attached”
  • File-related events like “First execution on network” and “New unapproved file to computer”
  • Events directly related to the metadata retrieved from the Carbon Black File Reputation, Carbon Black’s database of file information. For example, “Malicious file detected” and “Potential risk file detected”
  • Events related to notification of malicious or potentially risky files from external sources.
General Management

Events related to the management of non-user, non-computer and non-policy assets. This includes events related to Meters, Alerts, Baseline Drift reports, Snapshots, and Event Rules. For example, “Alert triggered” and “Baseline Drift Report generated”.
Policy Enforcement

Events related to the enforcement of any policy or rule on the App Control Agent. For example:

  • File events like “File approved (Updater)”, “Execution block (banned file)”, and “Report write (Custom Rule)”
  • Device Rule events like “Read block (removable media)” and “Report execution (removable media)”
  • Registry Rule events like “Write block (Registry Rule)” and “Report write (Registry Rule)”
  • Memory Rule events like “Access prompt (Memory Rule)” and “Access block (Memory Rule)”
Note: This does not include the creation or management of policies. Those events are included under the Policy Management type.
Policy Management

Events related to the management (creation, modification, deletion) of any policy or rule. For example:

  • Policy events like “Policy created” and “Policy deleted”
  • Software rule events like “Publisher approval created”, “File ban created”, “Trusted User added” and “Custom Rule created”
  • Device Rule events like “Device approval removed”
  • Registry Rule events like “Registry Rule created”
  • Memory Rule events like “Memory Rule modified”
Server Management

Events related to the configuration and administration of the App Control Server and database. For example:

  • “Server shutdown”, “License added”, “Server backup stopped”, “Database error” and “Carbon Black File Reputation connection lost”
Session Management

Events related to the login activity and management of App Control Console users. For example:

  • Management events like “Console user created”
  • Login activity like “Console user login” and “Console user logout”
Note: App Control Console is the web-based user interface to the App Control Server through which all standard App Control administration takes place.