Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at Citrix.com.

uberAgent

uAQL: uberAgent’s Security Threat Detection Query Language

  • by Helge Klein
  • December 15, 2020

uberAgent ESA, our endpoint security analytics product, comes with a powerful Threat Detection Engine (TDE). TDE makes use of rules to describe unwanted/risky/dangerous behavior that should be flagged. A TDE rule consists of multiple components, the most important of which is a query that defines which activities the rule should match. This post introduces uAQL, uberAgent’s query language.

What’s In a TDE Rule?

uberAgent’s Threat Detection is best understood with an example. Take a look at the following rule:

[ActivityMonitoringRule]
RuleName = Detect Microsoft Office download operations (LOLBAS)
EventType = Process.Start
Tag = proc-start-lolbas-download
Query = ParentIsMsOffice and regex_match(Process.CommandLine, r"(http|https)")

[ActivityMonitoringRule]

TDE rules are configured through [ActivityMonitoringRule] stanzas (rule syntax documentation).

RuleName

The RuleName element is purely for the rule author’s sake. It should be descriptive and include a reference to the rule’s origin (in this case, the LOLBAS project).

EventType

A rule’s EventType defines which types of activity should trigger the evaluation of the rule’s query. In the example above, we’re interested in process start events. Whenever a new process is started, we want uberAgent to check if the rule’s query matches the properties of the newly created process.

TDE supports a broad range of event types in addition to process starts. See the event types documentation for details.

Tag and RiskScore

uberAgent ESA generates a Threat Detection event whenever a TDE rule matches activity on a monitored endpoint. The event is sent to the agent’s configured backend(s), typically a SIEM. The event captures many properties of the process that initiated the activity (see Threat Detection Metrics). Additionally, a tag and a risk score can be defined in the rule. The tag (a text string) makes it possible to easily differentiate between different types of events in the SIEM. The risk score allows for filtering by severity or criticality.

Query

A rule’s Query acts as a kind of filter. We don’t want the rule in the example above match all process starts. We only want it to match newly started processes where the parent process is a Microsoft Office application and where the command line contains either http or https.

The uAQL Query Language

Why a New Language?

When we designed uberAgent ESA, we realized that we needed a query language that is powerful in its capabilities while being easy to read and write. We also wanted to be able to evolve the language as we would add new features to uberAgent ESA. The result is uAQL.

As developers, we have worked with many different programming languages. For each language feature we wanted to add to uAQL, we first examined how the existing languages in our repertoire implemented it. We then took the best approaches and combined them into a practical, hands-on query language designed to be easy to work with for non-developers.

Reusable Expressions

Circling back to the example above, I have to admit that I cheated a little. uberAgent does not magically know how to identify parent processes that are part of the MS Office suite. Instead, ParentIsMsOffice refers to a uAQL expression that looks like this:

[AddActivityMonitoringExpression name=ParentIsMsOffice]
Query = istartswith(Parent.Company, "Microsoft") and Parent.Name in ["excel.exe", "msaccess.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "winword.exe"]

By itself, a uAQL expression does not do anything. But it provides a convenient way to define reusable rule parts that can later be pasted into multiple different rules.

Functions

The example above also illustrates the use of functions. regex_match is a built-in function that matches a given string against a regular expression.

Event Properties

The regex_match code also shows that properties of the monitored event can be used (almost) anywhere. In the example above, Process.CommandLine is substituted with the actual command line when the rule is evaluated.

Another Example

Now that you know what a TDE rule looks like let’s examine a different example:

[ActivityMonitoringRule]
RuleName = Detect child processes of Adobe Acrobat Reader
# Source: https://www.microsoft.com/security/blog/2019/02/22/recommendations-for-deploying-the-latest-attack-surface-reduction-rules-for-maximum-impact/
EventType = Process.Start
Tag = proc-start-adobereader-child
Query = Parent.Name == "acrord32.exe" and Process.Name not in ["RdrCEF.exe", "acrord32.exe", "AdobeARM.exe"]

As you can see, this second example is somewhat similar to the first MS Office rule, but there are notable differences.

First of all, this second rule targets Adobe Acrobat Reader. The query does not reference an expression but specifies the name of the parent executable directly since there is only one (Parent.Name == "acrord32.exe").

In the second half of the query, we’re making sure that the newly started process is not one of the legitimate Acrobat Reader processes (Process.Name not in ["RdrCEF.exe", "acrord32.exe", "AdobeARM.exe"]).

If the rule matches an activity on one of your monitored endpoints, uberAgent ESA generates a SIEM event with the tag proc-start-adobereader-child and the default risk score of 50.

Built-in Rules

This concludes our foray into uAQL land. As you have seen, the rule syntax is simple, intuitive, yet powerful. While we highly encourage anyone to become familiar with uAQL, there is no need to start from scratch. uberAgent ESA ships with hundreds of preconfigured rules for use cases such as monitoring applications, network activity, permissions, certificates, and many more. Take a look at the documentation!

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Comments

Your email address will not be published. Required fields are marked *