Use an Event Rule to Automatically Restore Devices to Normal Enforcement


Article ID: 286768


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to create an Event Rule that automatically restores an endpoint to its normal Enforcement Level after it has remained in Local Approval longer than desired.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

Part 1 of 2 - Configuring the Alert

  1. Log in to the Console and navigate to Tools > Alerts > edit "Local Approval Alert".
  2. Set the General > Status: Enabled
  3. Set the Criteria > Time Period accordingly. (Default is 1 hour)
  4. Set the Auto Reset to use the following:
    • Status: Enabled
    • Reset After: 1 Minute
  5. Click Save & Exit

 

Warning: Email notifications for this Alert are not recommended if large numbers of Agents are regularly moved in bulk.
  • The Alert will generate for all machines matching the criteria.
  • The Event Rule can only move one machine at a time.
  • If multiple machines are moved at the same time, this may cause duplicate emails to be delivered.


Part 2 of 2 - Creating the Event Rule

  1. Navigate to Rules > Event Rules > Create Rule.
  2. Use the following details:
    • Rule Name: Restore Normal Enforcement (or something memorable)
    • Status: Enabled
    • Event Properties: Policy > is: Local Approval Policy
    • Event Properties: Subtype > is: Alert triggered
    • Action: Move Computer
    • Target: Restore to Normal Enforcement Level
  3. Click Save & Exit

 

Additional Information

  • Each Event Rule is designed to work with one Trigger at a time.
  • If multiple endpoints are moved from Normal to Local Approval at the same time, only one endpoint will count as the Trigger.
  • Only the Triggered endpoint will be moved back to Normal Enforcement.