Audit for Rules Usage

Article ID: 286662

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to audit how many times, and on how many computers, Custom Rules are being triggered.

Environment

  • App Control Console: All Supported Versions
  • Microsoft SQL Server: All Supported Versions

Resolution

SQL Query:

  1. Launch SQL Server Management Studio as the Carbon Black Service Account and connect to the App Control database.
  2. Click New Query > Query > Results To > Results to Grid and execute the following query:
    USE das;
    SELECT
           E.Rule_Name AS 'Rule Name',
           COUNT( E.Event_Id ) AS 'Times Triggered',
           COUNT( DISTINCT E.Computer_Id ) AS 'Total Computers Triggered'
    FROM
           bit9_public.ExEvents E
    WHERE
           E.Rule_Name IS NOT NULL AND
           E.Updater_Name IS NULL AND
           E.Indicator_Name IS NULL
    GROUP BY
           E.Rule_Name
    ORDER BY 2 DESC;
  3. Right click the results and choose Save Results As... to export the results to a CSV file.
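
The Console report above accepts a Time Range, but the SQL query does not. As an added example (not part of this article), the same filters narrowed to a recent window and broken down per computer, so the hosts generating the bulk of a rule's events can be identified; the Timestamp column name and the 30-day window are assumptions.

```sql
USE das;
-- Audit window in days (constructed value; adjust as needed)
DECLARE @Days int = 30;

SELECT
       E.Rule_Name                AS 'Rule Name',
       E.Computer_Id              AS 'Computer Id',
       COUNT( E.Event_Id )        AS 'Times Triggered',
       MIN( E.Timestamp )         AS 'First Seen',   -- assumes a Timestamp column on ExEvents
       MAX( E.Timestamp )         AS 'Last Seen'
FROM
       bit9_public.ExEvents E
WHERE
       E.Rule_Name IS NOT NULL AND          -- same Custom Rule filters as the article's query
       E.Updater_Name IS NULL AND
       E.Indicator_Name IS NULL AND
       E.Timestamp >= DATEADD( day, -@Days, GETUTCDATE() )
GROUP BY
       E.Rule_Name, E.Computer_Id
ORDER BY 3 DESC;
```

As with the original query, this runs against the Public Views only, so it should not lock the live tables.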

App Control Console:

  1. Log in to the Console and navigate to https://ServerAddress/support.php > Reports.
  2. Choose the Report Chattiest Rules and select the relevant Time Range.
  3. Click Show Report.

Additional Information

  • These methods will ONLY work for Custom Rules that send Events to the Console.
  • Custom Rules can be constructed to not send Events, and by design the following Rule Types do not send Events:
    • Execution Control > Allow
    • Trusted Path Rules (these fall under execution allow rules)
    • Performance Optimization Rules
  • The SQL Query executes against the Public Views for the das database, which should not result in any locks against the live database.