App Control: Why Does An Alert For Policy Change Not Show Correct Username?

Article ID: 289989

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

 Why Does An Alert For a Policy Change Not Show Correct Username?

Environment

  • App Control (Formerly CB Protection) Console: All Supported Versions

Resolution

The Subtype used as part of the alert criteria is an agent-side action, not a Console user action, and as such it will not contain the Console Admin Account username.

Additional Information

Example scenario: a customer would like to receive Alert emails when a Console user has moved a machine/agent into a specific policy.
  • Create an Alert of type 'Event Alert', using the default 'Template for Event' Mail Template.
  • Add 'Event Properties' filters for the specific policies to be alerted on when machines/agents are moved into those policies.
  • Use the 'Computer Modified' Subtype, as this is a Console administration action, which will have a user account/name linked to the event/alert.
  • Define a 'User' if you wish to be alerted when specific Console admin(s) make these changes; otherwise, it is not required.
  • Once a machine/agent has been requested to move to a policy being alerted on, an email notification will be sent to the address(es) specified in the Alert Details.
  • The Alert email notification received will include the username of the Console Admin Account that requested the policy move.

Failed example (where the Alert email does not contain the Console Admin Account username)
  • Using the Subtypes 'Agent Policy Changed' or 'Policy Modified' will result in a username of either 'N/A' or 'System' being displayed, as these are agent-side actions, made after the initial request to move policy by a Console Admin Account user.