Alerts or Events Generated For Rule Data Too Large



Article ID: 424718


Updated On:

Products

Carbon Black App Control

Issue/Introduction

  • Alerts are being triggered for Rule Data Too Large.
  • After saving a Custom Rule or Rapid Config, Events are showing in the Console with the Subtype, Rule Data Too Large, example:
    The rule 'Powershell Protection: Execution Policy Exception' is too large to send to agents. THE CHANGES TO THE RULE ARE NOT IN EFFECT. Most likely this is due to a parameter containing a large number of entries. Please reduce the size and save again to re-enable this rule.

Environment

  • App Control Server: All Supported Versions

Cause

  • Custom Rules have a maximum length that can be sent to the Agents.
  • When a Custom Rule is saved with a length that exceeds the limit, this Alert is generated.
  • Most commonly this is caused by an excessive number of patterns in the File, Process or Exception paths associated with a Custom Rule or a Rapid Config.

Resolution

  1. Log in to the Console and navigate to Reports > Events
    1. Set the Saved View to (none)
    2. Add a Filter > Subtype > is: Rule data too large
    3. Note the Custom Rule (or Rapid Config) that is shown in the Description (ex: Powershell Protection: Execution Policy Exception)
  2. Navigate to the relevant Rule (from the example, Rules > Software Rules > Rapid Configs > Powershell Protection)
  3. Review the available wildcard options and compare them against the path entries in the Custom Rule or Rapid Config in order to:
    • Combine the paths specified (where possible) into fewer combinations, example:
      Before:
      C:\ProgramData\AccountingSoftware\version 7.92\fancyMath.dll
      C:\ProgramData\AccountingSoftware\version 8.13\fancyMath.dll

      After:
      C:\ProgramData\AccountingSoftware\version *\fancyMath.dll
    • Reduce the length of paths (where possible) by being more dynamic, example:
      Before:
      C:\ProgramData\AccountingSoftware\Reporting\Platform_789.3265\Dynamics\visualizer.dll

      After:
      C:\ProgramData\AccountingSoftware\Reporting\*visualizer.dll
  4. Save all changes, re-enable the relevant Custom Rule or Rapid Config, and verify the Events have stopped.
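The first technique in step 3 (merging entries that differ only in one path segment into a single `*` entry) can be applied mechanically to a long path list before it is pasted back into the rule. The script below is an added example, not Carbon Black code; it goes beyond the page's single pair by also merging three or more siblings and names that share a prefix and suffix, and it approximates rule-data size as one entry per line (an assumption, since the page does not state how the server measures the limit). Every merged pattern still needs a human check, because a wildcard widens what the rule approves or blocks.

```python
# Added example: combine sibling path entries into wildcard patterns.
# Assumes backslash separators and that '*' may replace the varying part of one
# segment, as in the page's 'version *' example.
from collections import defaultdict
from os.path import commonprefix

# Constructed sample: the page's two versioned paths plus its unrelated long path.
SAMPLE_PATHS = [
    r"C:\ProgramData\AccountingSoftware\version 7.92\fancyMath.dll",
    r"C:\ProgramData\AccountingSoftware\version 8.13\fancyMath.dll",
    r"C:\ProgramData\AccountingSoftware\Reporting\Platform_789.3265\Dynamics\visualizer.dll",
]

def _generalize(segments):
    """Replace the varying middle of sibling segments with '*', keeping shared prefix/suffix."""
    prefix = commonprefix(segments)
    suffix = commonprefix([s[::-1] for s in segments])[::-1]
    room = min(len(s) for s in segments) - len(prefix)  # keep suffix from overlapping prefix
    suffix = suffix[-room:] if room > 0 else ""
    return f"{prefix}*{suffix}"

def consolidate_paths(paths):
    """Merge entries that differ in exactly one path segment into one wildcard entry."""
    by_depth = defaultdict(list)
    for path in dict.fromkeys(paths):  # de-duplicate while keeping order
        by_depth[path.count("\\")].append(path)
    result = []
    for depth, group in by_depth.items():
        consumed = set()
        for i in range(depth + 1):  # try each segment position as the varying one
            buckets = defaultdict(list)
            for path in group:
                if path not in consumed:
                    segs = path.split("\\")
                    buckets[tuple(segs[:i] + segs[i + 1:])].append(path)
            for key, members in buckets.items():
                if len(members) > 1:
                    varying = [m.split("\\")[i] for m in members]
                    result.append("\\".join(key[:i] + (_generalize(varying),) + key[i:]))
                    consumed.update(members)
        result.extend(p for p in group if p not in consumed)  # unmergeable entries stay as-is
    return result

def rule_data_length(paths):
    """Approximate rule-data size as the entry list with one path per line (assumption)."""
    return len("\n".join(paths))
```

Run `consolidate_paths` over the rule's entries, compare `rule_data_length` before and after, and review each `*` entry for unintended matches before saving the rule.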

Additional Information