App Control: Event Rule is Not Restoring All Endpoints to Normal Enforcement

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Symptoms

  • Alert Triggered for 'Local Approval Alert'
  • Event Rule only restores 1 Agent, despite multiple devices having been selected to move to Local Approval.

Cause

  • Event Rules are designed to work with one trigger at a time
  • If multiple endpoints are moved from Normal Enforcement to Local Approval at the same time (bulk Policy move), only one endpoint will count as the trigger.
  • Only the triggered endpoint will be moved back to Normal Enforcement.

Resolution

There are 2 options available as a workaround:
  • Enable the 'Auto Reset' portion of the Local Approval Alert and set it to 1 minute, so that any devices that were put into Local Approval at the same time (bulk change) return to their normal enforcement once the Alert has been reset. Devices will return to their normal level of enforcement 1 minute apart: if 3 devices were moved at the same time, they will all be back in Normal Enforcement by 3 minutes after the original criteria were met. Example below:
    • Move 3 devices to the Local Approval Policy at 10:00am
    • Criteria set in the Alert for a time period of 1 hour
    • At 11:00am the Alert is triggered and the Event Rule follows suit, returning the first device (the one that triggered the Alert) to Normal Enforcement
    • At 11:01am the Alert is reset and the Event Rule triggers once more, restoring the 2nd device to Normal Enforcement
    • At 11:02am the Alert is reset and the Event Rule triggers once more, restoring the 3rd device to Normal Enforcement
  • Move each endpoint individually, so that the agent triggers an Alert per endpoint. (The timestamp of the move to Local Approval needs to differ from that of each previously moved device, e.g. Device #1 @ 10:00am, Device #2 @ 10:01am.)
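The following is an added simulation of the one-trigger-per-Alert behaviour described above, written for this page and not App Control's own code; the endpoint names, the 10:00am bulk move and the 1-hour criteria are constructed sample values. It shows why a bulk move restores only the triggering endpoint, and how the 1-minute 'Auto Reset' cascades the remaining endpoints back one per minute.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
# Constructed model of the behaviour the article describes, not App Control's own code:
# an Alert whose criteria match endpoints left in Local Approval longer than a window,
# and an Event Rule that acts on exactly one triggering endpoint per Alert firing.

@dataclass
class Endpoint:
    name: str
    moved_to_local_approval: datetime
    restored_at: Optional[datetime] = None

def simulate_restores(endpoints: List[Endpoint], window: timedelta,
                      auto_reset: Optional[timedelta] = None) -> Dict[str, Optional[datetime]]:
    """Map each endpoint name to the time the Event Rule restores it (None = never).
    window     -- Alert criteria: how long an endpoint may sit in Local Approval
    auto_reset -- None: the Alert never resets (the symptom); else the 'Auto Reset' interval
    """
    pending = sorted(endpoints, key=lambda e: e.moved_to_local_approval)
    if not pending:
        return {}
    t = pending[0].moved_to_local_approval + window   # earliest time the criteria can match
    end = t + timedelta(hours=3)                       # bound the simulation
    restored: Dict[str, Optional[datetime]] = {}
    while t <= end:
        matching = [e for e in pending
                    if e.restored_at is None and e.moved_to_local_approval + window <= t]
        if matching:
            trigger = matching[0]            # the Alert fires once, for the first match ...
            trigger.restored_at = t          # ... and the Event Rule restores only that one
            restored[trigger.name] = t
        if auto_reset is None:
            break                            # Alert stays triggered; nothing more happens
        t += auto_reset                      # Alert resets, criteria are evaluated again
    for e in pending:
        restored.setdefault(e.name, e.restored_at)
    return restored

def example_bulk_move(auto_reset_minutes: Optional[int] = None) -> Dict[str, Optional[str]]:
    """Constructed sample: three endpoints bulk-moved at 10:00, Alert criteria of 1 hour."""
    moved = datetime(2022, 2, 2, 10, 0)
    fleet = [Endpoint(f"device-{i}", moved) for i in (1, 2, 3)]
    reset = timedelta(minutes=auto_reset_minutes) if auto_reset_minutes else None
    result = simulate_restores(fleet, timedelta(hours=1), reset)
    return {n: (t.strftime("%H:%M") if t else None) for n, t in result.items()}

if __name__ == "__main__":
    print("bulk move, no auto reset      :", example_bulk_move())   # only device-1 restored
    print("bulk move, 1-minute auto reset:", example_bulk_move(1))  # 11:00, 11:01, 11:02
```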

Article Information
Creation Date: 02-02-2022