Tracking Custom Rule Usage
Article ID: 288362
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
To determine if a Custom Rule is actively being used.
Environment
- App Control Agent: All Supported Versions
- App Control Console: All Supported Versions
Resolution
For File Creation Control Rules
- Log in to the Console and navigate to Rules > Software Rules > relevant Rule.
- Verify the "Send Approval Event" box is checked.
- Rule hits will now be shown in Reports > Events with:
  - Subtype: File Approved (Custom Rule)
  - Rule Name: <Relevant Rule>
For Execution Allow and Trusted Path Rules
- Log in to the Console and navigate to Rules > Software Rules > Custom.
- Locate the relevant Custom Rule and click View Details (pencil icon).
- From the Custom Rule Details page > right-hand side > Actions > Copy this rule...
- Specify a new Rule Name, for example: Report Executions of Accounting Software
- Uncheck Enable copied rule and click OK.
- After the copied Rule loads:
  - Change the Execute Action: Report
  - Verify all other details are accurate
  - Change the Status: Enabled
- Verify the Custom Rule for Reporting is ranked higher than the Custom Rule for Execution (Allow).
- Rule hits will now be shown in Reports > Events with:
  - Subtype: Report Execution (Custom Rule)
  - Rule Name: <Relevant Rule>
- Optional: Trigger only on Unapproved Files
  - Enable the Advanced Section for Custom Rules.
  - Edit the saved Report Custom Rule and change the File State to Unapproved.
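
Once both kinds of rule are generating events, the hits can be tallied per rule to find rules that never fire. The script below is an added example, not part of the original article or the product: it assumes the events from Reports > Events have been exported to CSV, and the column names, timestamp format, sample rows and all rule names other than the article's example are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Event subtypes the article says indicate a Custom Rule hit.
HIT_SUBTYPES = {"File Approved (Custom Rule)", "Report Execution (Custom Rule)"}

# Constructed sample export. Column names and timestamp format are assumptions;
# adjust them to match the header row of the real export.
SAMPLE_EXPORT = """\
Timestamp,Subtype,Rule Name,Computer
2024-05-01 09:12:44,Report Execution (Custom Rule),Report Executions of Accounting Software,FIN-WS-01
2024-05-01 09:13:02,File Approved (Custom Rule),Approve Build Output (constructed),DEV-WS-07
2024-05-02 14:30:10,Other Event (constructed),,DEV-WS-07
2024-05-03 08:01:55,Report Execution (Custom Rule),Report Executions of Accounting Software,FIN-WS-02
"""

def summarize_rule_hits(csv_text, rules):
    """Count hits, last hit time and reporting computers for each rule name."""
    summary = {r: {"hits": 0, "last_seen": None, "computers": set()} for r in rules}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rule = (row.get("Rule Name") or "").strip()
        # Ignore events that are not custom rule hits or name a rule we do not track.
        if row.get("Subtype") not in HIT_SUBTYPES or rule not in summary:
            continue
        seen = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
        entry = summary[rule]
        entry["hits"] += 1
        entry["computers"].add(row["Computer"])
        if entry["last_seen"] is None or seen > entry["last_seen"]:
            entry["last_seen"] = seen
    return summary

def rules_without_hits(summary):
    """Rules with no hit in the export: candidates for review, not proof of disuse."""
    return sorted(name for name, entry in summary.items() if entry["hits"] == 0)

if __name__ == "__main__":
    tracked = [
        "Report Executions of Accounting Software",
        "Approve Build Output (constructed)",
        "Retired Tool Allow (constructed)",
    ]
    result = summarize_rule_hits(SAMPLE_EXPORT, tracked)
    for name, entry in result.items():
        print(name, entry["hits"], entry["last_seen"], sorted(entry["computers"]))
    print("No hits in export:", rules_without_hits(result))
```

A rule with no hits has only been silent for the time window covered by the export, and a File Creation Control rule produces no events at all unless "Send Approval Event" is checked.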