Tags are labels that can be applied to different objects tracked in Carbon Black App Control for as long as those objects exist. An object in this case can be a running process, a registry key, a file, an image, or the entire global system that those processes run on. The global system is the computer the process is running on.
Each operation has an initiator process, the process that initiated it. Each operation also has a target object that the operation is being carried out on. Target objects vary depending on the type of operation. For example:
- For the file write operation, the target object is a file.
- For a process start operation, the target will be another process.
- For a registry value creation operation, the target is a registry value. The behavior and lifespan of the tag depends on the type of object being tagged.
On the Add or Edit Rule page, the Tagging Actions column provides options for adding and removing tags when the other conditions of the rule are met. There are separate add and remove options for initiator processes, target processes, and the global system.
Tags are primarily useful when several rules related to the same tag(s) are created. Once a rule applies tags to an object, other rules can use these tags as a factor in determining whether a process matches the rule conditions, taking an action when a match is found. In other words, to use tags:
- Create a rule that applies a tag to an object.
- Create a separate rule that uses the presence of that tag as a condition for matching the rule; if it is testing the same operation as the tagging rule, rank this rule lower.