App Control: Event Rule is Not Restoring All Endpoints to Normal Enforcement
Article ID: 286788
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
- Alert Triggered for 'Local Approval Alert'
- Event Rule only restores 1 Agent, despite multiple devices having been selected to move to Local Approval.
Environment
- App Control Console: All Supported Versions
- App Control Agent: All Supported Versions
Cause
- Event Rules are designed to work with one trigger at a time
- If multiple endpoints are moved from Normal Enforcement to Local Approval at the same time (bulk Policy move), only one endpoint will count as the trigger.
- Only the triggered endpoint will be moved back to Normal Enforcement.
Resolution
There are 2 options available as a workaround:
- Enable the 'Auto Reset' portion of the Local Approval Alert and set it to 1 minute, so that any devices that were put into Local Approval at the same time (Bulk change) would return to their normal enforcement, once the Alert had been reset. (i.e. Devices will return to their normal level of enforcement 1 minute apart - if 3 devices were moved at the same time, they will all return to normal enforcement by 3 minutes after the original Criteria set - Example below
- Move 3 devices to Local Approval Policy at 10:00am
- Criteria set in the alert for a Time period of 1 Hour
- At 11:00am the Alert is triggered and the Event Rule follows suit, returning the first device to trigger the alert
- At 11:01am the Alert is reset and the Event Rule triggers once more, restoring the 2nd device to normal enforcement
- At 11:02am the Alert is reset and the Event Rule triggers once more, restoring the 3rd device to normal enforcement
- Move each endpoint individually, and this way the agent will trigger an Alert per endpoint (The timestamp of the move to Local Approval would need to be different to each previous device set in this way. eg: Device #1 @ 10:00am, Device #2 @ 10:01am
Feedback
Yes
No
Powered by
