Why Does An Alert For Policy Change Not Show Correct Username?
book
Article ID: 289989
calendar_today
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Why Does An Alert For a Policy Change Not Show Correct Username?
Environment
App Control (Formerly CB Protection) Console: All Supported Versions
Resolution
The Subtype used as part of the criteria for an alert, is an Agent Side Action, not a Console User Action, and as such will not contain the Console Admin Account Username Info
Additional Information
Example Scenario: Customer would like to receive Alert emails when a Console User has moved a machine/agent into a specific policy
Create an Alert Type 'Event Alert', using the default 'Template for Event' Mail Template
Adding 'Event Properties' Filters for Specific Policies to be alerted on when machines/agents are moved into those policies
Use 'Computer Modified' Subtype, as this is a Console administration action, which will have a User account/name linked to the event/alert
Define a 'User', if you wish to be alerted when a specific console admin(s) make these changes, otherwise, it is not required/needed
Once a Machine/Agent has been requested to move to a policy being alerted on, an email notification will be sent to the address(es) specified in the Alert Details
Alert Email Notification received will include Username of the Console Admin Account who requested the Policy move
Failed example (Where Alert Email does not contain Console Admin Account Username)
Using Subtypes of 'Agent Policy Changed' or 'Policy Modified', will result in displaying a username of either 'N/A' or 'System', as these are Agent Side actions, made after the initial request to move policy by a Console Admin Account User