This documentation applies to a beta version of uberAgent (docs for the latest official release)

Rule Syntax

uberAgent ESA’s process tagging rules are part of the configuration. Examples can be found in the configuration file uberAgent-ESA-process-tagging.conf. This page documents the rule syntax.

Rule Stanzas

There can be any number of [ProcessTaggingRule] stanzas, each defining one rule. Rules are processed in the order in which they are defined in the configuration. The first matching rule wins; the rules after it are not evaluated for that event, so place specific rules before broad catch-all rules.

Rule Element Types

A rule consists of the following element types:

  • Naming element (1 per rule)
  • Config elements (up to 1 per setting per rule)
  • Detection elements (1 or more per rule)
  • Tagging element (1 per setting per rule)

Rule Elements

A [ProcessTaggingRule] stanza may contain the following elements.

RuleName (Naming Element)

  • Setting type: naming element
  • Setting name: RuleName
  • Description: a free-form name that makes the rule easier to identify in the configuration and in log output. Not evaluated by uberAgent.
  • Valid values: any string
  • Default: empty
  • Required: yes

EventType (Config Element)

  • Setting type: config element
  • Setting name: EventType
  • Description: the type of event this rule applies to.
  • Valid values: Process.Start, Process.Stop, Image.Load, Net.Send, Net.Receive, Net.Connect, Net.Reconnect or Net.Retransmit
  • Default: empty
  • Required: yes

VerboseLogging (Config Element)

  • Setting type: config element
  • Setting name: VerboseLogging
  • Description: if enabled, more detail is added to the log file, e.g., the full evaluated security descriptor if an SDDL rule is configured.
  • Valid values: true or false
  • Default: false
  • Required: no

Detection Elements

  • Setting type: detection element
  • Setting name: (see below for a list of properties that can be used in rules)
  • Description: depending on the property, a PATH_REGEX or a regex that is matched against the value of that property in the event
  • Valid values: any PATH_REGEX or regex (see the definition of PATH_REGEX)
  • Default: empty
  • Required: no

Tag (Tagging Element)

  • Setting type: tagging element
  • Setting name: Tag
  • Description: a tag assigned to processes matching this rule.
  • Valid values: any string
  • Default: empty
  • Required: yes

RiskScore (Tagging Element)

  • Setting type: tagging element
  • Setting name: RiskScore
  • Description: a risk score assigned to processes matching this rule.
  • Valid values: any number
  • Default: 50
  • Required: no

Rule Evaluation

Rules are evaluated by comparing a rule’s detection element(s) with the properties of an event that occurred.

The detection elements in a rule are combined with logical AND. If a detection element in a rule is defined more than once, the instances are combined with logical OR.

Example: if Parent.AppVersion is specified twice (once for app version 1.1 and once for 2.0), the rule is TRUE if the version is 1.1 OR 2.0.

Rule Line Syntax

When a setting is required to be equal to a given value:

Setting = value

When a setting is required not to be equal to a given value:

Setting != value

Whitespace around the setting name and around the value is ignored.
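The following added example is not part of uberAgent and not taken from uberAgent-ESA-process-tagging.conf; it is a small illustrative reimplementation of the rule semantics described under Rule Evaluation and Rule Line Syntax, written to make the AND/OR/first-match behaviour concrete. It parses a constructed configuration in the stanza syntax above, then evaluates constructed events against it. EventType, Parent.AppVersion, Tag and RiskScore are documented on this page; Parent.Name, Process.Name and Process.Path are assumed property names used only for illustration, every detection element is treated as a plain case-insensitive regex matched against the whole value (uberAgent's PATH_REGEX handling is not reproduced), and an event lacking a property a rule tests is assumed never to match.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration in the [ProcessTaggingRule] syntax described above
# (not taken from uberAgent-ESA-process-tagging.conf). EventType, Parent.AppVersion, Tag
# and RiskScore are documented here; Parent.Name, Process.Name and Process.Path are
# assumed property names used only for illustration.
SAMPLE_CONF = r"""
[ProcessTaggingRule]
RuleName = Office app spawns shell
EventType = Process.Start
Parent.Name = (winword|excel|outlook)\.exe
Process.Name = (cmd|powershell)\.exe
Tag = office-shell
RiskScore = 90

[ProcessTaggingRule]
RuleName = Updater 1.1 or 2.0 outside Windows dir
EventType = Process.Start
Parent.AppVersion = 1\.1
Parent.AppVersion = 2\.0
Process.Path != C:\\Windows\\.*
Tag = updater-outside-windows

[ProcessTaggingRule]
RuleName = Any cmd.exe
EventType = Process.Start
Process.Name = cmd\.exe
Tag = cmd
"""

LINE_RE = re.compile(r"^([A-Za-z][\w.]*)\s*(!=|=)\s*(.*?)\s*$")
Detection = Tuple[bool, re.Pattern]                   # (negated, compiled regex)


class Rule:
    def __init__(self) -> None:
        self.name = self.event_type = self.tag = ""
        self.risk_score = 50                          # documented default
        self.detections: Dict[str, List[Detection]] = {}


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()                            # whitespace around setting/value is ignored
        if not line:
            continue
        if line == "[ProcessTaggingRule]":
            rules.append(Rule())
            continue
        m = LINE_RE.match(line)
        if not rules or not m:
            raise ValueError(f"unexpected line: {raw!r}")
        key, op, value = m.groups()
        rule = rules[-1]
        if key == "RuleName":
            rule.name = value
        elif key == "EventType":
            rule.event_type = value
        elif key == "Tag":
            rule.tag = value
        elif key == "RiskScore":
            rule.risk_score = int(value)
        elif key == "VerboseLogging":
            pass                                      # affects logging only, not matching
        else:
            # Any other setting is a detection element. Assumption: treated as a plain
            # regex matched against the whole value, case-insensitively (Windows names).
            rule.detections.setdefault(key, []).append(
                (op == "!=", re.compile(value, re.IGNORECASE)))
    for rule in rules:                                # required elements per the tables above
        if not (rule.name and rule.event_type and rule.tag):
            raise ValueError(f"rule {rule.name!r} lacks RuleName, EventType or Tag")
    return rules


def rule_matches(rule: Rule, event: Dict[str, str]) -> bool:
    if event.get("EventType") != rule.event_type:
        return False
    for prop, alternatives in rule.detections.items():          # AND across properties
        value = event.get(prop)
        if value is None:
            return False                                          # assumption: absent never matches
        # repeated instances of the same property are ORed; "!=" inverts a single instance
        if not any((pat.fullmatch(value) is not None) != neg for neg, pat in alternatives):
            return False
    return True


def tag_event(rules: List[Rule], event: Dict[str, str]) -> Optional[Tuple[str, int, str]]:
    """First matching rule wins. Returns (Tag, RiskScore, RuleName) or None."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule.tag, rule.risk_score, rule.name
    return None


RULES = parse_rules(SAMPLE_CONF)

# Constructed events, not real telemetry.
WIN_CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"EventType": "Process.Start", "Parent.Name": "WINWORD.EXE", "Parent.AppVersion": "1.1",
     "Process.Name": "cmd.exe", "Process.Path": WIN_CMD},            # rule 1 (rule 3 also matches, but 1 is first)
    {"EventType": "Process.Start", "Parent.Name": "updater.exe", "Parent.AppVersion": "2.0",
     "Process.Name": "helper.exe", "Process.Path": r"C:\Users\alice\helper.exe"},  # rule 2
    {"EventType": "Process.Start", "Parent.Name": "explorer.exe", "Parent.AppVersion": "3.0",
     "Process.Name": "cmd.exe", "Process.Path": WIN_CMD},            # rule 3
    {"EventType": "Process.Stop", "Parent.Name": "explorer.exe", "Parent.AppVersion": "3.0",
     "Process.Name": "cmd.exe", "Process.Path": WIN_CMD},            # no rule: wrong EventType
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["EventType"], ev["Process.Name"], "->", tag_event(RULES, ev))
```

Two points the events are chosen to show: the first event satisfies both the office-shell rule and the catch-all cmd rule, and only the office-shell rule's tag and risk score are assigned because it is defined first, so a catch-all placed above a specific rule would silently shadow it; and the second rule's two Parent.AppVersion lines act as "1.1 or 2.0" while the Process.Path line with `!=` excludes everything under the Windows directory, all ANDed together. When verifying such rules against uberAgent itself, enable VerboseLogging on the rule under test rather than relying on a model like this one.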
