Tracking Custom Rule Usage
search cancel

Tracking Custom Rule Usage

book

Article ID: 288362

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

To determine if a Custom Rule is actively being used.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions

Resolution

For File Creation Control Rules

  1. Log in to the Console and navigate to Rules > Software Rules > relevant Rule.
  2. Verify the "Send Approval Event" box is checked.
  3. Rule hits will now be shown in Reports > Events with:
    • Subtype: File Approved (Custom Rule)
    • Rule Name: <Relevant Rule>

For Execution Allow and Trusted Path Rules

  1. Log in to the Console and navigate to Rules > Software Rules > Custom.
  2. Locate the relevant Custom Rule, click View Details (pencil icon).
  3. From the Custom Rule Details page > right hand side > Actions > Copy this rule...
    1. Specify a new Rule Name, Example: Report Executions of Accounting Software
    2. Uncheck Enable copied rule and click OK
  4. After the copied Rule loads:
    1. Change the Execute Action: Report
    2. Verify all other details are accurate
    3. Change the Status: Enabled
  5. Verify the Custom Rule for Reporting is ranked higher than the Custom Rule for Execution (Allow)
  6. Rule hits will now be shown in Reports > Events with:
    • Subtype: Report Execution (Custom Rule)
    • Rule Name: <Relevant Rule>
  7. Optional: Trigger only on Unapproved Files
    1. Enable the Advanced Section for Custom Rules
    2. Edit the saved Report Custom Rule and change the File State to Unapproved.

Additional Information