Steps to create a File Creation Control Rule using Events in the Console.
Environment
App Control Agent: All Supported Versions
App Control Console: All Supported Versions
Resolution
Step 1: Determine Matching Process and File Patterns:
Log in to the Console and navigate to Reports > Events.
Use the Filters or Saved Views to locate the matching Events, examples:
Saved View: New Files (Unapproved) <and/or>
Filters: File Path > begins with: <and/or>
Filters: Type > is > Discovery
Verify the Description of the Events:
DiscoveredBy: [Kernel:Execute] or [IntegrityCheck] indicates the Agent did not observe the file being written, and an Execution Control Rule likely will be needed instead.
DiscoveredBy: [Kernel:Write] or [Kernel:Create] or [Kernel:Rename] indicates the Agent observed the Process writing the File.
Use the Columns for Process, File Path, File Name and User to help create the File Creation Control Rule.
Policies: <relevant Policies where software is expected>
Click Save & Exit.
Additional Information
File Creation Control rules instruct the Agent how to handle matching write operations.
If the Discovery Events are only due to Kernel:Execute it's possible a Performance Optimization Rule or some other exclusion is instructing the Agent to ignore the write operations.
By default the Agent does not block write operations.
Unless a specific File Creation Control or File Integrity Control Rule has been created to block a matching write operation, there is no need to create a File Creation Control > Allow rule.