Some Expert Rule actions are mutually exclusive: selecting one deactivates the others.
If you select one of the options in any of the following groups, the other options in that group are grayed out on the page:
- Allow, Block, Report, Prompt
- Promote process, Demote process
- Tag Target, Remove Target Tags, Tag Process, Remove Process Tags, Add Global Tags, Remove Global Tags
- Ignore, Dirty, Never Report, Track
Column Name | Setting Name | Description | Where
---|---|---|---
Approval Actions | Approve | Locally approve the target (file). NOTE: Currently, you cannot disable sending approval events in an Expert Rule. If you do not want an Expert Rule to send approval events, first create it as a non-expert rule, turn off Send Approval Event, save the rule, and then change it to an Expert Rule to finish your configuration. | Custom Rules
Approval Actions | Approve As installer | Locally approve the target (file) and mark it as an installer. | Custom Rules
Approval Actions | Demote process | Demote the process that performed the operation. | All
Approval Actions | Demote Target Process | Demote the target process. | Custom Rules
Approval Actions | Don’t Promote Children | Do not promote child processes of the process that performed the operation; used when the process itself is promoted (see Promote process below). | All
Approval Actions | Promote process | Promote the process that performed the operation, locally approving files written by this process; promote new processes spawned by this process unless “Don’t Promote Children” was also chosen (see above). | All
Approval Actions | Promote Target Process | Promote the target process when this operation happens. Only applicable with the “Create process” operation. | Custom Rules
Approval Actions | Query Reputation | Ask the server for the global state of the target (file) when this operation happens. This setting is for built-in rules and cannot be activated in new rules or changed in existing rules. | All
Authorization Actions | Allow | Allow the corresponding operations to go through. NOTE: You can create an Expert Rule that allows creation of new files but blocks writes to existing files. However, the agent will allow the process that created a new file to make more modifications to the same file for a short time. This is necessary to allow the same process to both create the new file and write the initial content to the file. | All
Authorization Actions | Block | Block the corresponding operation. | All
Authorization Actions | Prompt | Prompt the user to decide whether to allow or block the operation. A notifier must be selected when this action is chosen. | All
Authorization Actions | Report | Report (as an event) that the operation would have been blocked, but do not block it. For example, generate an event for all new files written by PowerShell. | All
Authorization Actions | Suspend Source Process | Suspend the process that performed this operation. This is typically used for malware research, where a researcher might want to inspect the process and see what it did (or was about to do) before it is terminated. | All
Authorization Actions | Terminate Source Process | Terminate the process that performed this operation. | All
Tagging Actions | Tag Process | Tag the process; if chosen, one or more tags must be specified in the “Tags to Add/Remove” field. | All
Tagging Actions | Tag Target | Tag the target object; if chosen, one or more tags must be specified in the “Tags to Add/Remove” field. | All
Tagging Actions | Remove Process Tags | Remove tags from the process; if chosen, one or more tags must be specified in the “Tags to Add/Remove” field. | All
Tagging Actions | Remove Target Tags | Remove tags from the target object; if chosen, one or more tags must be specified in the “Tags to Add/Remove” field. | All
Tagging Actions | Remove Global Tags | Remove global tags that other rules can test; if chosen, one or more tags must be specified in the “Tags to Add/Remove” field. | All
Tagging Actions | Add Global Tags | Add global tags that other rules can test; if chosen, one or more tags must be specified in the “Tags to Add/Remove” field. | All
File Tracking Actions | Dirty | Trigger re-analysis of the file matching the Path or File definition to see whether its hash has changed. | Custom Rules
File Tracking Actions | Ignore | Do not track modifications. | Custom Rules
File Tracking Actions | Never report | Keep an agent record of these operations but do not send them to the server. | Custom Rules
File Tracking Actions | Track | Track the file regardless of ignore rules. | Custom Rules
Other Actions | Finish Rule Group | Skip other user-created rules but continue evaluating all built-in rules. | All
Other Actions | Report Execution (Deprecated) | Trigger meter on first execution events; this field is deprecated and appears only in the details of an internal rule. It is read-only. | Custom Rules
Other Actions | Silent | Perform all assigned rule actions, but do not generate notifiers or report events. | All
Other Actions | Stop Rule Processing | Stop processing other rules after this rule is processed; this may improve performance. Note that Allow also stops processing but allows the operation to continue. | All
Other Actions | Trigger Action | Trigger an agent action in which usermode sends an event in response to a kernel operation. For use with internal rules only. | All
Other Actions | Unenforceable | Indicate that some other action could not be enforced due to platform limitations. This field appears only when the details of an internal rule are displayed. It is read-only. | All
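The mutually exclusive groups listed at the top of this page, together with the table's requirements that tagging actions carry tags and that Prompt has a notifier, can be checked mechanically before a rule is imported. The following is an added example, not code from the product or its documentation: it represents a rule as a plain dictionary (`actions`, `tags`, `notifier` are assumed field names chosen for the example, not an export format of the product) and reports every constraint the page states that the selection violates.

```python
# Added example (not product code): lint an Expert Rule's chosen actions against
# the constraints stated in the documentation above. The rule representation
# ({"actions": [...], "tags": [...], "notifier": "..."}) is an assumption made
# for this example only.

# Mutually exclusive action groups: selecting one grays out the others.
EXCLUSIVE_GROUPS = (
    frozenset({"allow", "block", "report", "prompt"}),
    frozenset({"promote process", "demote process"}),
    frozenset({
        "tag target", "remove target tags", "tag process", "remove process tags",
        "add global tags", "remove global tags",
    }),
    frozenset({"ignore", "dirty", "never report", "track"}),
)

# Actions that require one or more tags in the "Tags to Add/Remove" field.
REQUIRES_TAGS = EXCLUSIVE_GROUPS[2]

# Actions that require a notifier to be selected.
REQUIRES_NOTIFIER = frozenset({"prompt"})


def normalize(name: str) -> str:
    """Canonical form so 'Promote process' and 'Promote Process' compare equal,
    and a curly apostrophe in 'Don’t' matches a straight one."""
    return " ".join(name.replace("\u2019", "'").split()).lower()


def lint_rule(rule: dict) -> list[str]:
    """Return the list of problems with the rule's action selection (empty if OK)."""
    actions = {normalize(a) for a in rule.get("actions", [])}
    problems: list[str] = []

    # One selection per exclusive group; the UI enforces this by graying out.
    for group in EXCLUSIVE_GROUPS:
        chosen = sorted(actions & group)
        if len(chosen) > 1:
            problems.append("mutually exclusive actions selected together: " + ", ".join(chosen))

    # Every tagging action needs at least one tag.
    if actions & REQUIRES_TAGS and not rule.get("tags"):
        problems.append("tagging action selected but 'Tags to Add/Remove' is empty")

    # Prompt needs a notifier to show to the user.
    if actions & REQUIRES_NOTIFIER and not rule.get("notifier"):
        problems.append("Prompt selected but no notifier chosen")

    # Don't Promote Children only matters when the source process is promoted.
    if "don't promote children" in actions and "promote process" not in actions:
        problems.append("Don't Promote Children has no effect unless Promote process is also selected")

    return problems


if __name__ == "__main__":
    # Constructed sample rules for demonstration.
    samples = {
        "allow-and-block": {"actions": ["Allow", "Block"]},
        "tag-without-tags": {"actions": ["Report", "Tag Process"]},
        "prompt-no-notifier": {"actions": ["Prompt"]},
        "ok": {"actions": ["Block", "Tag Target"], "tags": ["suspicious-writer"]},
    }
    for name, rule in samples.items():
        print(name, lint_rule(rule) or "OK")
```

Run against an exported rule set, this catches combinations the console would never let you save through the UI but which can slip into rules edited as text; the "Don't Promote Children without Promote process" check is a warning about a no-op selection rather than a hard error.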