# Sagan carbonblack-app-control.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Quadrant Information Security nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Bryant Smith" <[email protected]>
# Reference https://community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842
# 02/22/2023
# 06/07/2023 Bryant Smith - file rename from cb_protect.rules to carbonblack-app-control.rules
# --- Computer Management: agent state / configuration events (sids 5010962-5010968) ---
# Every rule in this file keys on two fields of the App Control syslog event: the
# literal type="Computer Management" and a per-rule subtype="...". `nocase` modifies
# only the content option immediately preceding it, so the subtype match is
# case-insensitive while the type= match stays case-sensitive. parse_src_ip:1 uses
# the first IP address found in the log message as the event's source address.
# Rules prefixed with '#' ship disabled; only a handful are enabled by default.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent bulk state change finished (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent bulk state change finished|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010962; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent bulk state change requested (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent bulk state change requested|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010963; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): disabled. A configuration change on an endpoint agent is a candidate
# defense-evasion indicator (MITRE TA0005 / T1562.001 Impair Defenses: Disable or
# Modify Tools); consider enabling where agent config changes are rare and controlled.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent config modified (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent config modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010964; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled by default. Errors reported by the agent's database (Error severity) can
# mean lost event coverage on that endpoint — confirm semantics against the Events Guide.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent database error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent database error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010965; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): disabled. Events discarded on the agent side leave a gap in that
# endpoint's audit trail; confirm the exact trigger in the referenced Events Guide
# before enabling, since it may be noisy on overloaded agents.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent deleted events (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent deleted events|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010966; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): disabled. Changing the enforcement level (e.g. dropping a host to a
# visibility-only or disabled level) is the most direct way to switch off application
# control on that host. Strong candidate to enable; TA0005 / T1562.001 would be the
# natural MITRE mapping for the metadata fields, which are currently NONE.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent Enforcement Level changed (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent Enforcement Level changed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010967; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Generic agent error (Error severity); disabled, presumably because of volume.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010968; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# --- Agent health, notification, policy and synchronization events (sids 5010969-5010982) ---
# All shipped disabled: these are mostly Info-level operational/heartbeat events.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent FIPS status changed (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent FIPS status changed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010969; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent health check (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent health check|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010970; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent health check request (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent health check request|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010971; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent notification (other) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent notification (other)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010972; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent notification (session change) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent notification (session change)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010973; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): an endpoint clock change skews the timestamps of every later event
# from that host; low signal on its own, but useful context during an investigation.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent notification (time change) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent notification (time change)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010974; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): disabled. Moving a computer to a different policy changes which
# rules and enforcement apply to it; worth enabling alongside "Agent Enforcement
# Level changed" (sid 5010967) as a tamper / privilege-change signal.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent Policy changed (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent Policy changed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010975; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent Policy updated (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent Policy updated|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010976; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Notice-level: an agent that needs upgrading may be missing fixes; inventory rather than alert.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent requires upgrade (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent requires upgrade|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010977; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent restart (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent restart|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010978; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): disabled. The agent stopping is a tamper indicator that complements
# "Agent uninstalled" (sid 5010983, enabled); consider enabling, with thresholding
# or a maintenance-window exclusion if reboots make it noisy.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent shutdown (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent shutdown|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010979; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent synchronization finished (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent synchronization finished|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010980; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent synchronization requested (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent synchronization requested|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010981; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent synchronization started (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent synchronization started|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010982; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# --- Agent lifecycle, cache checks and local CLI events (sids 5010983-5010992) ---
# Enabled by default. Removing the agent ends application control on that host.
# NOTE(review): the metadata still carries mitre_tactic_id/mitre_technique_id NONE;
# TA0005 / T1562.001 (Impair Defenses: Disable or Modify Tools) would fit — bump
# rev and updated_at if the mapping is added.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent uninstalled (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent uninstalled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010983; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent upgraded (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Agent upgraded|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010984; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Automatic resynchronization (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Automatic resynchronization|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010985; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Cache consistency checks (5010986-5010989): operational; only the Warning-level
# "Cache check error" is a plausible candidate to enable.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cache check complete (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Cache check complete|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010986; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cache check error (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Cache check error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010987; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cache check start (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Cache check start|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010988; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cache consistency check request (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Cache consistency check request|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010989; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cb Response sensor status (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Cb Response sensor status|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010990; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled by default. Use of the agent's local command-line interface is the local
# administrative surface on the endpoint. Worth correlating with "CLI password reset"
# (sid 5010992, below) on the same host: a reset followed by CLI execution is more
# suspicious than either event alone.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] CLI executed (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|CLI executed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010991; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): disabled. A CLI password reset is presumably the step an operator (or
# an attacker with console access) needs before using the local CLI without the
# existing password; it should be rare, so consider enabling it at Notice level.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] CLI password reset (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|CLI password reset|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010992; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# --- Clone / computer registration, configuration, diagnostics and file deletion (sids 5010993-5011008) ---
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Clone orphaned (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Clone orphaned|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010993; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Clone registered (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Clone registered|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010994; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Computer inventory events (5010995-5010999): Info-level; "Computer deleted" may be
# useful for reconciling against the asset inventory but is disabled by default.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Computer added (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Computer added|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010995; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Computer deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Computer deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010996; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Computer modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Computer modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010997; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Computer reboot request (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Computer reboot request|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010998; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Computer registered (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Computer registered|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5010999; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): "Configuration changed" is distinct from "Agent config modified"
# (sid 5010964); which side (server vs. agent) each refers to is not stated here —
# check the Events Guide before relying on either for tamper detection.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Configuration changed (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Configuration changed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011000; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Diagnostic settings (5011001-5011003): low security value unless changed unexpectedly.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Configure agent dumps (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Configure agent dumps|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011001; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Debug level set (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Debug level set|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011002; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Diagnostic file deletion request (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Diagnostic file deletion request|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011003; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): disabled. Two agents registering under the same identity can mean a
# cloned image that was never re-registered, or a host impersonating another; it is
# Warning-level in the product and a reasonable candidate to enable.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Duplicate computer registration (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Duplicate computer registration|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011004; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# File deletion lifecycle (5011005-5011008): requested -> deleted / failed / not found.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011005; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled by default. A requested deletion did not complete, so the targeted file is
# presumably still present on the endpoint — follow up rather than assume it is gone.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File deletion failed (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File deletion failed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011006; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File deletion processed (file not found) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File deletion processed (file not found)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011007; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File deletion requested (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File deletion requested|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011008; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File process error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File process error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011009; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File receive error (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File receive error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011010; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File upload canceled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File upload canceled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011011; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File upload completed (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File upload completed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011012; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File upload deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File upload deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011013; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File upload error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File upload error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011014; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File upload requested (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|File upload requested|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011015; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Installer rescan requested (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Installer rescan requested|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011016; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Local agent cache copy request (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Local agent cache copy request|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011017; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Lockdown all computers (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Lockdown all computers|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011018; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Prioritize updates request (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Prioritize updates request|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011019; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Resend all Policy rules request (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Resend all Policy rules request|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011020; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Security Alert (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Security Alert|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011021; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Tamper Protection changed (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Tamper Protection changed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011022; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Template created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Template created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011023; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Template deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Template deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011024; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Template modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Template modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011025; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Temporary Enforcement Level override (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Temporary Enforcement Level override|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011026; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Temporary Enforcement Level restore (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Temporary Enforcement Level restore|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011027; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Temporary Policy override generated (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Temporary Policy override generated|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011028; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Unauthorized computer registration (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Computer Management|22|"; content:"subtype=|22|Unauthorized computer registration|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011029; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# --- Discovery events --------------------------------------------------------
# Same two-content pattern as above, keyed on type="Discovery". These are the
# file / certificate / device / service observations reported by the agents.
# Most are high-volume inventory events and ship disabled; the enabled ones
# are the vendor's threat-classified findings plus the new-device notice.
# Disabled by default, but note this is a Warning-severity policy violation:
# a write of a file matching a banned hash. It is a stronger signal than some
# of the Info/Notice events enabled below and is worth enabling if the
# environment uses ban rules.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Banned file written to computer (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Banned file written to computer|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011030; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Certificate added (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Certificate added|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011031; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Certificate checked (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Certificate checked|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011032; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Disabled by default. A revoked certificate that previously approved files
# means those approvals may need re-evaluation; consider enabling where
# publisher/certificate approvals are in use.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Certificate revocation (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Certificate revocation|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011033; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Device attached (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Device attached|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011034; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Device detached (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Device detached|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011035; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] External notification (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|External notification|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011036; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File discovered (browser download) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|File discovered (browser download)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011037; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File discovered (email attachment) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|File discovered (email attachment)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011038; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File group created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|File group created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011039; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] First execution on network (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|First execution on network|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011040; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled: the vendor's Critical finding for this section; treat as an
# incident trigger, not an inventory notice.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Malicious file detected (Critical)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Malicious file detected|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011041; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] New certificate on network (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|New certificate on network|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011042; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled: first sighting of a removable/peripheral device. Can be noisy on
# user endpoints; tune or restrict by host if it floods the console.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] New device found (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|New device found|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011043; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] New file on network (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|New file on network|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011044; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] New publisher found (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|New publisher found|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011045; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] New unapproved file to computer (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|New unapproved file to computer|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011046; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled: vendor Warning-severity risk classification.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Potential risk file detected (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Potential risk file detected|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011047; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Service created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Service created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011048; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Service deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Service deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011049; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled despite the vendor's Info severity, so that the lower-confidence
# "suspicious" classification still reaches the analyst queue alongside the
# Critical/Warning findings above.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Suspicious file found (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Discovery|22|"; content:"subtype=|22|Suspicious file found|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011050; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# --- General Management events -----------------------------------------------
# Keyed on type="General Management": console-side housekeeping of alerts,
# diagnostics and reports. Only "Alert triggered" is enabled here; the
# create/delete/modify/reset events describe alert *definitions* being edited
# in the console, which is an administrative action rather than a detection.
# NOTE(review): "Alert deleted" and "Alert modified" (sids 5011053/5011054)
# are the events that would show a console alert being silenced; sites that
# want an audit trail of who changed alerting may wish to enable them.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent diagnostics available (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Agent diagnostics available|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011051; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Alert created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Alert created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011052; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Alert deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Alert deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011053; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Alert modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Alert modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011054; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Alert reset (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Alert reset|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011055; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled: a configured console alert fired. The Sagan message does not carry
# which console alert it was; the original event text has to be consulted for
# the alert name.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Alert triggered (Critical)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Alert triggered|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011056; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Baseline Drift Report created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Baseline Drift Report created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011057; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Baseline Drift Report deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Baseline Drift Report deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011058; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Baseline Drift Report generated (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Baseline Drift Report generated|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011059; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Baseline Drift Report generation is slow (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Baseline Drift Report generation is slow|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011060; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Baseline Drift Report modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Baseline Drift Report modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011061; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Event Rule created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Event Rule created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011062; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Event Rule deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Event Rule deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011063; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Event Rule modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Event Rule modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011064; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Meter created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Meter created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011065; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Meter deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Meter deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011066; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Meter modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Meter modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011067; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Saved view cached (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Saved view cached|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011068; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Saved view cache removed (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Saved view cache removed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011069; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Saved view cache generation started (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Saved view cache generation started|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011070; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Saved view cache generation complete (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Saved view cache generation complete|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011071; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Snapshot created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Snapshot created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011072; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Snapshot deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Snapshot deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011073; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Snapshot modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|General Management|22|"; content:"subtype=|22|Snapshot modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011074; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# ---------------------------------------------------------------------------
# Carbon Black App Control: "Policy Enforcement" events (sids 5011075-5011107)
#
# Same rule shape as the rest of the file: a literal type="Policy Enforcement"
# content, a literal subtype="..." content (the only one `nocase` applies to),
# parse_src_ip:1 for the source address, classtype system-event.  The subtype
# string is the product's event name and the "(Info/Notice/Warning)" suffix in
# msg: is its documented severity, carried over verbatim.
#
# Enabled by default (no leading '#'):
#   5011077 Banned process discovered
#   5011084 Execution block (banned file)
#   5011085 Execution block (Custom Rule)
#   5011088 Execution block (removable media)
#   5011093 Execution prompt allowed (unapproved file)
#   5011094 Execution prompt block (unapproved file)
# These are the events where the agent actually stopped (or the user
# overrode) something, which is what an analyst wants to see.  Everything
# else - "Execution allowed (...)" warnings, "File approved (...)" and the
# memory-rule events - ships disabled.  NOTE(review): "Execution block
# (unapproved file)" (5011090) and "Access block (Memory Rule)" (5011075)
# are also enforcement blocks but are disabled; presumably for volume in
# lockdown deployments - review before enabling site-wide.
#
# All rules carry mitre_tactic_id/mitre_technique_id NONE; the execution-
# block and removable-media events map naturally to ATT&CK and would be
# worth tagging in a later revision.
# ---------------------------------------------------------------------------
# Memory-rule enforcement (process memory access).  Disabled by default.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Access block (Memory Rule) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Access block (Memory Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011075; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Access prompt (Memory Rule) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Access prompt (Memory Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011076; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled: a process on the ban list was found running.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Banned process discovered (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Banned process discovered|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011077; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cb Response Watchlist (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Cb Response Watchlist|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011078; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# "Execution allowed (...)" warnings: executions the agent let through without
# a full policy decision (loaded before the kernel driver/service, agent
# inactive, Trusted User, unanalyzed file).  Disabled; NOTE(review): the
# "loaded before kernel/service" and "inactive" variants describe an
# enforcement gap and are worth enabling where the volume is tolerable.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution allowed (file loaded before kernel) (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution allowed (file loaded before kernel)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011079; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution allowed (file loaded before service) (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution allowed (file loaded before service)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011080; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution allowed (inactive) (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution allowed (inactive)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011081; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution allowed (Trusted User) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution allowed (Trusted User)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011082; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution allowed (Unanalyzed file loaded before service) (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution allowed (Unanalyzed file loaded before service)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011083; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled: execution of a banned file or a Custom Rule block.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution block (banned file) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution block (banned file)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011084; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution block (Custom Rule) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution block (Custom Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011085; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution block (network file) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution block (network file)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011086; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution block (prompt timeout) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution block (prompt timeout)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011087; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled: execution from removable media was blocked.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution block (removable media) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution block (removable media)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011088; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution block (still analyzing) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution block (still analyzing)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011089; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Disabled although it is a hard block: in High Enforcement this is the most
# frequent block event, so it is left for per-site tuning.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution block (unapproved file) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution block (unapproved file)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011090; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution prompt (Custom Rule) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution prompt (Custom Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011091; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution prompt (unapproved file) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution prompt (unapproved file)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011092; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled: the user's answer to an unapproved-file prompt.  "allowed" is the
# more interesting of the two - it records a user-approved execution of an
# unapproved file.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution prompt allowed (unapproved file) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution prompt allowed (unapproved file)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011093; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Execution prompt block (unapproved file) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Execution prompt block (unapproved file)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011094; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File access error (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File access error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011095; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# "File approved (...)" events: the mechanism by which a file gained approval
# (cache, Custom Rule, local, publisher, Reputation, system update, Trusted
# User, Unidesk, updater, version resource, Yara).  High volume; disabled.
# NOTE(review): "local approval" and "Trusted User" are the human-driven
# approval paths and are the ones to enable for change auditing.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (cache consistency) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (cache consistency)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011096; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (Custom Rule) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (Custom Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011097; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (local approval) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (local approval)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011098; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (publisher) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (publisher)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011099; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (Reputation) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (Reputation)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011100; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (system update) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (system update)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011101; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (Trusted User) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (Trusted User)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011102; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (Unidesk) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (Unidesk)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011103; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (updater) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (updater)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011104; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (version resource) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (version resource)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011105; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (Yara) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|File approved (Yara)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011106; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Metered execution: a run of a file under a software meter; usage accounting,
# not enforcement.  Disabled.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Metered execution (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Metered execution|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011107; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] New file discovered on startup (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|New file discovered on startup|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011108; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Prompt canceled (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Prompt canceled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011109; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Read block (removable media) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Read block (removable media)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011110; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Report access (Memory Rule) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Report access (Memory Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011111; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Report execution (Custom Rule) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Report execution (Custom Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011112; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Report execution (removable media) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Report execution (removable media)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011113; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Report execution block (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Report execution block|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011114; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Report read (removable media) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Report read (removable media)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011115; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Report write (Custom Rule) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Report write (Custom Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011116; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Report write (Registry Rule) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Report write (Registry Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011117; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Report write (removable media) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Report write (removable media)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011118; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Tamper Protection (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Tamper Protection|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011119; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Unapproved process discovered (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Unapproved process discovered|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011120; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] User Login denied (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|User Login denied|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011121; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Write block (Custom Rule) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Write block (Custom Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011122; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Write block (Registry Rule) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Write block (Registry Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011123; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Write block (removable media) (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Write block (removable media)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011124; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Write prompt (Custom Rule) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Write prompt (Custom Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011125; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Write prompt (Registry Rule) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Enforcement|22|"; content:"subtype=|22|Write prompt (Registry Rule)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011126; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# ---------------------------------------------------------------------------
# Event type "Policy Management" (sids 5011127-5011156)
#
# Each rule matches on the syslog program name
# (cb_protect|cb_app_control|1|bit9|carbonblack) plus two literal fields of
# the event body: type="Policy Management" and one subtype string; the
# trailing `nocase` modifies the subtype content only. `parse_src_ip:1`
# takes the first IP address found in the message as the source address.
# These events describe changes to the allow/deny policy itself (approvals,
# bans, custom/device rules, approval requests) rather than enforcement
# decisions, so they are the audit trail for who widened or narrowed trust.
#
# Rules prefixed with `#` ship disabled. Enabled by default in this section:
#   sid 5011140 / 5011141  Custom Rule created / deleted
#   sid 5011143 / 5011144  Device Rule created / deleted
#   sid 5011146            File approval created
#   sid 5011151            File ban deleted
# The "modified" counterparts (5011142, 5011145, 5011148, 5011152) ship
# disabled; a modification can loosen a rule just as a deletion can, so
# consider whether that gap is intended. Every rule here carries
# mitre_tactic_id NONE / mitre_technique_id NONE.
# ---------------------------------------------------------------------------
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] AD rules loaded (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|AD rules loaded|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011127; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Approval Request lifecycle (sids 5011128-5011133); all ship disabled.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Approval Request closed (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Approval Request closed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011128; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Approval Request created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Approval Request created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011129; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Approval Request duplicate created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Approval Request duplicate created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011130; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Approval Request escalated (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Approval Request escalated|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011131; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Approval Request modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Approval Request modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011132; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Approval Request opened (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Approval Request opened|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011133; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): the certificate approval/ban rules (sids 5011134-5011139)
# all ship disabled while File approval created (sid 5011146) is enabled. A
# certificate approval extends trust to everything signed by that
# certificate -- a broader allow-list change than a single file approval --
# so consider enabling at least sid 5011134 for parity.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Certificate approval created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Certificate approval created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011134; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Certificate approval deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Certificate approval deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011135; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Certificate approval modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Certificate approval modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011136; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Certificate ban created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Certificate ban created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011137; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Certificate ban deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Certificate ban deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011138; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Certificate ban modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Certificate ban modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011139; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled by default: custom rule added or removed (modified, sid 5011142, is not).
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Custom Rule created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Custom Rule created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011140; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Custom Rule deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Custom Rule deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011141; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Custom Rule modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Custom Rule modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011142; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled by default: device rule added or removed (modified, sid 5011145, is not).
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Device Rule created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Device Rule created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011143; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Device Rule deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Device Rule deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011144; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Device Rule modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Device Rule modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011145; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled by default: a new file approval widens the allow-list. Its
# deleted/modified counterparts (sids 5011147, 5011148) ship disabled.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approval created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File approval created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011146; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approval deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File approval deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011147; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approval modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File approval modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011148; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File approved (certificate) (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File approved (certificate)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011149; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# File ban created ships disabled while File ban deleted (sid 5011151) is
# enabled: removing a ban loosens policy, adding one tightens it, so the
# asymmetry is deliberate-looking -- keep it in mind when tuning.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File ban created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File ban created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011150; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File ban deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File ban deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011151; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File ban modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File ban modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011152; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Local approvals (sids 5011153, 5011155) presumably widen the allow-list on
# a single endpoint rather than server-wide; both ship disabled.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File local approval (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File local approval|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011153; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File properties modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File properties modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011154; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File remove local approval (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|File remove local approval|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011155; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Install package creation scheduled (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Install package creation scheduled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011156; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Justification created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Justification created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011157; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Justification duplicate created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Justification duplicate created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011158; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Memory Rule created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Memory Rule created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011159; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Memory Rule deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Memory Rule deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011160; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Memory Rule modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Memory Rule modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011161; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Notifier created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Notifier created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011162; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Notifier deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Notifier deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011163; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Notifier modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Notifier modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011164; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
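# --- Policy Management: policies, process demotion, publishers, registry rules,
# --- reputation, rule export, script rules.
# Rules that are switched on below all describe an action that weakens enforcement
# or broadens the allowlist (ATT&CK TA0005 / T1562.001, Impair Defenses: Disable or
# Modify Tools) -- the console moves an intruder would make to get a payload approved.
# Rules whose metadata changed are bumped to rev:2 -- set updated_at on commit.
# NOTE(review): AD policy-mapping rules decide which policy a computer lands in, so a
# change could move hosts to a laxer policy; left disabled -- confirm volume first.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Policy AD rules changed (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Policy AD rules changed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011165; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Policy created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Policy created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011166; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Policy deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Policy deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011167; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Disabling file tracking stops the agents in that policy reporting file activity to
# the server -- a loss of visibility, so it is treated as tamper rather than as a
# routine policy edit.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Policy file tracking disabled (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Policy file tracking disabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011168; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0005, mitre_technique_id T1562.001;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Policy file tracking enabled (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Policy file tracking enabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011169; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Policy modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Policy modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011170; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Process demoted (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Process demoted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011171; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Approving a publisher approves every file it signs -- allowlist expansion, and a
# classic way to get a code-signed payload past application control. Enabled to match
# the "ban deleted" events.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Publisher approval created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Publisher approval created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011172; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0005, mitre_technique_id T1562.001;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Publisher approval removed (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Publisher approval removed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011173; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Publisher ban created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Publisher ban created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011174; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Removing a publisher ban re-enables everything that publisher signs.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Publisher ban deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Publisher ban deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011175; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0005, mitre_technique_id T1562.001;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Publisher modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Publisher modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011176; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Registry Rule created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Registry Rule created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011177; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Registry rules protect keys from modification; deleting one removes that protection.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Registry Rule deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Registry Rule deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011178; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0005, mitre_technique_id T1562.001;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Registry Rule modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Registry Rule modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011179; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): reputation settings decide which files are auto-approved by
# reputation, so a change here can broaden the allowlist; left disabled -- confirm
# volume before enabling.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Reputation settings modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Reputation settings modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011180; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): a rule export discloses the full allow/ban configuration to whoever
# pulled it; informational here, worth enabling where console access is restricted.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Rules exported (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Rules exported|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011181; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Script Rule created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Script Rule created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011182; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Script rules define which file types App Control treats as scripts; deleting one
# takes those files out of execution control.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Script Rule deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Script Rule deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011183; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0005, mitre_technique_id T1562.001;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Script Rule modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Script Rule modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011184; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)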
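# --- Policy Management: trusted directories, trusted users, unified management,
# --- updaters, YARA rules.
# Rules switched on below describe actions that broaden the allowlist (ATT&CK TA0005 /
# T1562.001, Impair Defenses: Disable or Modify Tools); creation of a trusted
# directory or user is exactly how an operator with console access would get an
# unsigned payload approved without touching a single file hash.
# Rules whose metadata changed are bumped to rev:2 -- set updated_at on commit.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Trusted Directory check (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Trusted Directory check|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011185; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Files placed in a trusted directory become approved -- allowlist expansion.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Trusted Directory created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Trusted Directory created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011186; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0005, mitre_technique_id T1562.001;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Trusted Directory deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Trusted Directory deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011187; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Trusted Directory import (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Trusted Directory import|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011188; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Trusted Directory modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Trusted Directory modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011189; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Trusted Directory scan (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Trusted Directory scan|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011190; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# A trusted user's file writes are approved automatically -- allowlist expansion tied
# to an identity rather than a file, so it survives re-hashing of the payload.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Trusted User added (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Trusted User added|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011191; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0005, mitre_technique_id T1562.001;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Trusted User deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Trusted User deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011192; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): a unified-management override replaces a centrally pushed rule on
# this server; left disabled -- confirm its exact meaning against the events guide
# before relying on it.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Unified rule overridden (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Unified rule overridden|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011193; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): in App Control an "updater" is a trusted update mechanism whose
# writes are auto-approved, so *enabling* one broadens the allowlist while disabling
# one narrows it (and may stall patching). Both events are kept on; only the enable
# event is mapped to T1562.001 -- confirm against the referenced events guide.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Updater disabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Updater disabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011194; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Updater enabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Updater enabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011195; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0005, mitre_technique_id T1562.001;)
# YARA rule changes are left disabled: their effect depends on how the rule is used
# (classification vs. an enforcement trigger) -- evaluate per site.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Yara rule created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Yara rule created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011196; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Yara rule deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Yara rule deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011197; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Yara rule modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Policy Management|22|"; content:"subtype=|22|Yara rule modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011198; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)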
# --- Server Management: AD lookups, agent install-package generation, agent TLS,
# --- Collective Defense Cloud connectivity.
# All disabled by default: these are server-health events rather than policy changes,
# and most are better handled by the console's own alerting than by a SIEM rule.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] AD lookups are slow (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|AD lookups are slow|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011199; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent install package generation disabled (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Agent install package generation disabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011200; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent install package generation failed (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Agent install package generation failed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011201; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent install package generation succeeded (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Agent install package generation succeeded|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011202; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): agent SSL errors can point at interception or a certificate problem
# on the agent-to-server channel, but they are also routine after cert rotation;
# if enabled, pair the rule with a threshold rather than alerting per event.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Agent SSL error (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Agent SSL error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011203; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): losing the Collective Defense Cloud connection presumably halts
# reputation lookups -- a candidate for enabling where reputation-based approvals
# are relied on.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cb Collective Defense Cloud connection lost (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Cb Collective Defense Cloud connection lost|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011204; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cb Collective Defense Cloud connection restored (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Cb Collective Defense Cloud connection restored|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011205; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cb Collective Defense Cloud proxy cleared (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Cb Collective Defense Cloud proxy cleared|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011206; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Cb Collective Defense Cloud proxy set (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Cb Collective Defense Cloud proxy set|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011207; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Communication error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Communication error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011208; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Connector restart (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Connector restart|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011209; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Connector shutdown (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Connector shutdown|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011210; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Database error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Database error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011211; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Database server reached specified limit (Critical)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Database server reached specified limit|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011212; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Database verification error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Database verification error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011213; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Default rules not found (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Default rules not found|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011214; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Enabled Indicator Set deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Enabled Indicator Set deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011215; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Enabled updater deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Enabled updater deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011216; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File analysis canceled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|File analysis canceled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011217; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File analysis completed (Info Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|File analysis completed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011218; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File analysis error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|File analysis error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011219; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File analysis modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|File analysis modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011220; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File analysis requested (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|File analysis requested|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011221; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File downloaded (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|File downloaded|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011222; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File inventory deleted (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|File inventory deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011223; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File tracking disabled (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|File tracking disabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011224; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] File upload modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|File upload modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011225; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Health Indicator changed (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Health Indicator changed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011226; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Health Indicator created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Health Indicator created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011227; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Health Indicator deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Health Indicator deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011228; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Health Indicator severity change (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Health Indicator severity change|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011229; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
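# Host package not found (Linux), sid 5011230. The type content previously read
# "Server Managment" (typo), which cannot match the type="Server Management" string
# every other rule in this section keys on, so the rule was dead even if enabled.
# Spelling fixed and rev bumped; the rule stays disabled by default like its siblings.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Host package not found (Linux) (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Host package not found (Linux)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011230; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)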
# --- Server Management events, sids 5011231-5011255 ---
# Same shape as the preceding group: type="Server Management" content followed by the
# event subtype content with "nocase" after it. Rules with a leading "#" are disabled
# by default; only Install failed and Notifier install failed ship enabled.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Host package not found (Mac) (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Host package not found (Mac)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011231; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Host package not found (Windows) (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Host package not found (Windows)|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011232; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Indicator Set created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Indicator Set created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011233; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Indicator Set deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Indicator Set deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011234; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Indicator Set disabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Indicator Set disabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011235; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Indicator Set enabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Indicator Set enabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011236; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Indicator Set exception created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Indicator Set exception created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011237; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Indicator Set exception deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Indicator Set exception deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011238; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Indicator Set exception modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Indicator Set exception modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011239; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Indicator Set modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Indicator Set modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011240; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Indicator Set updated (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Indicator Set updated|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011241; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Install failed (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Install failed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011242; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Install succeeded (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Install succeeded|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011243; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] License added (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|License added|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011244; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] License error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|License error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011245; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] License warning (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|License warning|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011246; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Network Connector (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Network Connector|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011247; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Network Connector added (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Network Connector added|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011248; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Network Connector removed (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Network Connector removed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011249; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Notifier install failed (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Notifier install failed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011250; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Old events were deleted (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Old events were deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011251; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Rapid Config created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Rapid Config created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011252; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Rapid Config deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Rapid Config deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011253; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Rapid Config disabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Rapid Config disabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011254; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Rapid Config enabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Rapid Config enabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011255; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Rapid Config modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Rapid Config modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011256; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Rapid Config updated (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Rapid Config updated|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011257; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# --- Server Management: reporter, backups, configuration, server lifecycle ---
# Reporter and server restart/shutdown are gaps in enforcement-server
# visibility (and, for shutdown, in agent policy updates). They are off by
# default because they are expected during maintenance; if enabled, correlate
# with change windows rather than paging on every hit.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Reporter restart (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Reporter restart|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011258; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Reporter shutdown (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Reporter shutdown|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011259; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Backup failed/missed affects recoverability of the server database rather
# than detection; off by default and better routed to whoever owns backups.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server backup failed (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server backup failed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011260; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server backup missed (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server backup missed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011261; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server backup started (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server backup started|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011262; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server backup stopped (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server backup stopped|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011263; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server Config List error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server Config List error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011264; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# "Server config modified" is an audit-relevant change to the enforcement
# server itself (Notice). Off by default for noise; a strong candidate for
# enabling where console changes are change-controlled, since an attacker with
# console access would use exactly this path to loosen enforcement.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server config modified (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server config modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011265; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011266; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server performance (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server performance|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011267; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server restart (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server restart|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011268; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server shutdown (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server shutdown|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011269; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Enabled: a failed server upgrade can leave the server in a half-upgraded
# state (agents disconnected or policy not pushed). Upgrade info/success are
# Info-level and stay off.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server upgrade failed (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server upgrade failed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011270; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server upgrade info (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server upgrade info|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011271; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Server upgrade succeeded (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Server upgrade succeeded|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011272; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
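# --- Server Management: SSL/TLS state of the agent<->server channel ---
# The four certificate-problem events are Critical in the vendor guide and are
# enabled: a CN mismatch, certificate error or expired/expiring certificate on
# the server means agents may stop trusting it (or are being pointed at a host
# that is not the real server). "expiring" is the one you want well before the
# other three fire.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] SSL certificate CN mismatch (Critical)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|SSL certificate CN mismatch|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011273; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] SSL certificate error (Critical)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|SSL certificate error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011274; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] SSL certificate expired (Critical)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|SSL certificate expired|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011275; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] SSL certificate expiring (Critical)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|SSL certificate expiring|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011276; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Certificate generation and import are key-material changes on the
# enforcement server. They are left off here (Notice/Warning) to avoid noise
# during planned renewals, but an unexpected "generated"/"imported" is how a
# certificate swap by someone with server access would show up -- enable them
# where server certificates are handled under change control.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] SSL certificate generated (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|SSL certificate generated|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011277; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] SSL certificate generation failed (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|SSL certificate generation failed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011278; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] SSL certificate import failed (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|SSL certificate import failed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011279; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] SSL certificate imported (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|SSL certificate imported|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011280; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# ENABLED (rev 2): "Strong SSL communications disabled" is a deliberate
# downgrade of the transport security between agents and the server. The
# vendor rates it only Warning, but unlike the other Warning-level events in
# this file it is not an operational fault -- it is a setting someone changed,
# and it makes the agent channel easier to intercept or spoof. Triage by
# matching it to a sanctioned change; absent one, treat it as tampering with
# the enforcement server. The matching "enabled" event stays off (expected
# after remediation).
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Strong SSL communications disabled (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Strong SSL communications disabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011281; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Strong SSL communications enabled (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Strong SSL communications enabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011282; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)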
# --- Server Management: system errors, unified servers, updaters, YARA ---
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] System error (Error)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|System error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011283; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Unified server add/modify/remove changes which servers share management
# and trust with this one; only the Critical "error" event is enabled. An
# unexpected "added" is worth reviewing even though it is Info-level.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Unified server added (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Unified server added|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011284; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Unified server error (Critical)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Unified server error|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011285; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Unified server modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Unified server modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011286; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Unified server removed (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Unified server removed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011287; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# NOTE(review): "Updaters" are presumably the product's trusted-updater
# definitions; if so, creating or modifying one changes what the server trusts
# to write approved files, making these effectively approval-rule changes
# despite the Info rating -- confirm against the vendor guide before relying
# on that reading. Off by default; candidates for enabling.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Updater created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Updater created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011288; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Updater deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Updater deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011289; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Updater modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Updater modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011290; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Updaters Indicator Set disabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Updaters Indicator Set disabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011291; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Updaters Indicator Set enabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Updaters Indicator Set enabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011292; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Updaters update disabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Updaters update disabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011293; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Updaters update enabled (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Updaters update enabled|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011294; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# YARA rule changes alter how the server classifies files; Info-level and off
# by default. Enable if YARA rules are not managed through change control.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Yara Rules Added (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Yara Rules Added|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011295; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Yara Rules Modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Server Management|22|"; content:"subtype=|22|Yara Rules Modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011296; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
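# --- Session Management: console accounts, logins and roles ---
# These events describe who can administer the enforcement server. Account
# and role changes are the path an attacker with console access takes to
# persist, so the lifecycle events are treated as audit alerts here rather
# than as Info-level noise.
# ENABLED (rev 2): a new console user is a new administrator of the product
# that decides what runs on every endpoint. Mapped to Persistence / Create
# Account; triage by matching to an onboarding or change ticket.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Console user created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|Console user created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011297; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0003, mitre_technique_id T1136;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Console user deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|Console user deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011298; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# Login/logout stay off as alerts (every admin session would fire) but are
# the events to keep in the SIEM for baselining and for correlating with
# "Multiple failed logins" below.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Console user login (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|Console user login|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011299; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Console user logout (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|Console user logout|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011300; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# "Console user modified" covers password/role edits on an existing account;
# off by default but worth enabling alongside "created" in smaller deployments.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Console user modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|Console user modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011301; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# rev 2: tagged as Credential Access / Brute Force. The server emits this
# itself once its own failed-login threshold trips, so no Sagan after/threshold
# is needed here. NOTE(review): parse_src_ip:1 takes the first IP found in the
# message; whether that is the client attempting the logins or the server's
# own address depends on the event text -- verify against a live event before
# using the source IP for blocking.
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Multiple failed logins (Warning)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|Multiple failed logins|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011302; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id TA0006, mitre_technique_id T1110;)
# ENABLED (rev 2): changing the AD rules attached to a user role changes which
# directory groups are granted console access -- an authorization change to
# the enforcement server that should be rare and change-controlled. Higher
# signal than "User Role created" (a role grants nothing until assigned).
alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] User Role AD rules changed (Notice)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|User Role AD rules changed|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011303; rev:2; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] User Role created (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|User Role created|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011304; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)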
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] User Role deleted (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|User Role deleted|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011305; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] User Role modified (Info)"; program:cb_protect|cb_app_control|1|bit9|carbonblack; content:"type=|22|Session Management|22|"; content:"subtype=|22|User Role modified|22|"; nocase; parse_src_ip:1; reference:url,community.carbonblack.com/t5/Documentation-Downloads/CB-Protection-Events-Guide-v8-1-10/ta-p/91842; classtype:system-event; sid:5011306; rev:1; metadata:deployment Server,affected_product NONE,affected_version NONE,mitigation NONE,deprecation_reason NONE,tag NONE, created_at 2023_02_15, updated_at 2023_02_15, mitre_tactic_id NONE, mitre_technique_id NONE;)
# rules by "Corey Fisher" <[email protected]>
# 07/26/2016
# --- Legacy (2016) free-text agent/server event rules ---
# These predate the structured type=/subtype= rules above: they match fragments
# of the human-readable event text, so the content list is the only selector.
# The bare token "event" (sids 5002930, 5002931, 5002934, 5002936, 5002938 and
# 5002923-5002927) is very generic and adds little selectivity; the preceding
# content strings do the real work. The flow is written $EXTERNAL_NET ->
# $HOME_NET whereas the 2023 rules use $HOME_NET -> $HOME_NET; the source
# address still comes from the log line via parse_src_ip, so confirm the
# HOME_NET/EXTERNAL_NET vars in sagan.yaml do not suppress matches whose parsed
# agent IP is inside HOME_NET. None of these rules carry a metadata: block
# (created_at / mitre ids) like the rules above.
#
# Tamper-protection blocks (sids 5002928, 5002929, 5002931, 5002936) mean the
# agent stopped an attempt to create/delete protected files, modify protected
# registry data or take exclusive access to a protected file - i.e. interference
# with the endpoint control itself. Defense Evasion / T1562.001 (Impair
# Defenses: Disable or Modify Tools) is the usual mapping if metadata is added.
# sid 5002930 matches any "Permission change on ... was blocked" and does not
# require the "tamper protection" string. All five are enabled by default.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Agent blocked an attempt to create file"; content: "Agent blocked an attempt to create"; content: "because of tamper protection"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002928; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Agent blocked an attempt to delete file"; content: "Agent blocked an attempt to delete"; content: "because of tamper protection"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002929; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Permission change was blocked"; content: "Permission change on"; content: "was blocked"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002930; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Modification of registry was blocked"; content: "of registry"; content: "was blocked because of tamper protection"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002931; rev:3;)
# Agent health / self-repair events (sids 5002932, 5002935, 5002937, 5002939,
# 5002938) are disabled; they are operational noise for most deployments but
# a burst of them on one host can accompany tampering, so they are worth
# enabling in a low-priority feed when the tamper-protection rules fire.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Agent failed a health check"; content: "Agent failed a health check"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002932; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] File was identified by Software Reputation Service as a potential risk"; content: "Software Reputation Service as a potential risk"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002933; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Server detected revocation of certificate"; content: "Server detected revocation of certificate"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002934; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Agent detected a problem"; content: "Agent detected a problem"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002935; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Exclusive access to a file was blocked because of tamper protection"; content: "Exclusive access to"; content: "was blocked because of tamper protection"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002936; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Agent had to rebuild its primary database cache and now has to re-initialize"; content: "Agent had to rebuild its primary database cache and now has to re-initialize"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002937; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Computer failed to receive Notifier Logo"; content: "Computer failed to receive Notifier Logo"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002938; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Agent had to restore its primary database cache"; content: "Agent had to restore its primary database cache"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002939; rev:3;)
# NOTE(review): sids 5002921/5002922 match "Carbon Black process watchlist" /
# "binary watchlist" hit text (|27| is a hex-escaped single quote around the
# watchlist name). These read like CB Response/EDR watchlist notifications
# rather than App Control events - confirm they still fire against the current
# log source before relying on them.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Non-System Filemods to system32"; content: "Carbon Black process watchlist |27|Non-System Filemods to system32|27|"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002921; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Newly Loaded Modules"; content: "Carbon Black binary watchlist |27|Newly Loaded Modules|27|"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002922; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] A new device was mounted"; content: "A new device"; content: "was mounted as drive"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002923; rev:3;)
# sid 5002924 fires on every first execution of a file; on a busy estate this
# is a high-volume feed, so consider a threshold or downstream aggregation
# rather than disabling it outright.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] File was executed for the first time"; content: "File"; content: "was executed for the first time"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002924; rev:3;)
# Certificate / signature events (sids 5002925, 5002926, 5002934): invalid
# signatures and newly discovered or revoked certificates feed code-signing
# trust decisions, which is why they are left enabled.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Computer reported that signature on file is invalid"; content: "reported that signature on file"; content: "is invalid"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002925; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Server discovered new certificate"; content: "Server discovered new certificate"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002926; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CARBONBLACK-APP-CONTROL] Disk configuration change detected"; content: "Disk configuration change detected"; content: "event"; parse_src_ip: 1; program: 1|bit9|carbonblack; classtype: system-event; sid: 5002927; rev:3;)
# --- Catch-all and sensor/console audit events ---
# sid 5008383 has no content: match at all, so if uncommented it fires on every
# log line whose program is carbonblack (parse_src_ip:1 / parse_dst_ip:2 take
# the first and second IP addresses found in the line). Kept disabled; enable
# only as an audit-everything feed, not as an alert source.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK-APP-CONTROL] Carbon Black Alert Triggered"; program:carbonblack; parse_src_ip: 1; parse_dst_ip: 2; classtype:system-event; sid:5008383; rev:1;)
# Sensor bypass audit (sids 5014939/5014940): the content is a JSON fragment -
# |22 3a 20 22| is the hex-escaped '": "' - so these match a serialized audit
# record with "description": "Set BYPASS to on|off". The [CARBONBLACK] prefix
# (not [CARBONBLACK-APP-CONTROL]) and the JSON shape suggest a different log
# source from the App Control console rules above - confirm. Bypass "on" is the
# high-priority event (a sensor switched into bypass); "off" is kept enabled so
# the bypass window can be bounded. Both use "any any -> any any" rather than
# the $HOME_NET flow used elsewhere in this file, and neither carries a
# metadata: block (Defense Evasion / T1562.001 would apply to the "on" event).
alert any any any -> any any (msg:"[CARBONBLACK] Audit - Bypass Action Detected (on)"; content:"|22|description|22 3a 20 22|Set BYPASS to on"; parse_src_ip: 1; program:carbonblack; classtype:suspicious-traffic; sid:5014939; rev: 2;)
alert any any any -> any any (msg:"[CARBONBLACK] Audit - Bypass Action Detected (off)"; content:"|22|description|22 3a 20 22|Set BYPASS to off"; parse_src_ip: 1; program:carbonblack; classtype:suspicious-traffic; sid:5014940; rev: 1;)
# sid 5015119 ("Sensor Bypass Enabled") is disabled; presumably it overlaps
# with sid 5014939's bypass-on alert - confirm before enabling both, or the same
# action will alert twice.
#alert any any any -> any any (msg:"[CARBONBLACK] Audit - Sensor Bypass Enabled"; content:"|22|description|22 3a 20 22|Sensor Bypass Enabled"; parse_src_ip: 1; program:carbonblack; classtype:suspicious-traffic; sid:5015119; rev: 1;)
# sid 5015200 (console user password change, sessions invalidated) is disabled
# and uses normalize; which relies on Sagan's liblognorm normalization being
# configured - confirm that is in place before enabling. It is mapped to
# Persistence / Account Manipulation (TA0003 / T1098). Its metadata: block uses
# only created_at/updated_at/mitre ids, not the deployment/affected_product keys
# used by the 2023 rules earlier in this file.
#alert any $HOME_NET any -> $HOME_NET any (msg:"[CARBONBLACK] User Password Changed"; program:carbonblack; content:"Changed Password. Invalidated sessions"; parse_src_ip:1; normalize; classtype:user-activity; sid:5015200; rev:1; metadata:created_at 2024_12_13, updated_at 2024_12_13, mitre_tactic_id TA0003, mitre_technique_id T1098;)