Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Environment

App Control Console: All Supported Versions

Question

Where can it be determined how many times a Custom Rule has been triggered, or see how often Custom Rules are being used?

Answer

Login to the Console and navigate to Reports > Events.
Set the Saved View to: (none).
Click Show Columns to be sure Rule Name is included in the Selected Column list, and click Apply.
If necessary, use Show Filters to limit the search to a specific Source (Computer).
Set the Max Age accordingly (usually best to start with a limited selection such as 12 hours).
Rules can now be sorted by the Rule Name value.

Additional Notes

Depending on the total number of Events, setting the Max Age to higher values could cause the query to time out and fail to return results.
Use the Group By or Subgroup By to further organize results to determine specific Computers that are generating the most Events, or what Events on Computers are triggering the most.

Related Content

App Control: Custom Rules Best Practices
App Control: How To Track If a Custom Rule Is Being Used
App Control: How Can I Audit for Rules Usage in App Control?

Article Information

Author:

Creation Date:

‎09-09-2020

Views:

564

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.