
This documentation does not apply to the most recent version of uberAgent.

Event Types

uberAgent ESA’s Activity Monitoring rules can be triggered by many different types of events.

Event types are specified in the EventType component of [ActivityMonitoringRule] stanzas.

Process And Image Event Types

The following process event types are available:

  • Process.Start: triggered when a new process is created/started
  • Process.Stop: triggered when a process is terminated/stopped
  • Image.Load: triggered when an executable image (e.g., a DLL) is loaded

Network Event Types

The following network event types are available:

  • Net.Send: triggered when a network packet is sent
  • Net.Receive: triggered when a network packet is received
  • Net.Connect: triggered when a network connection is established
  • Net.Reconnect: triggered when a network connection is re-established
  • Net.Retransmit: triggered when a network packet is retransmitted (sent again)

Registry Event Types

The following registry event types are available:

  • Reg.Key.Create: triggered when a registry key is created
  • Reg.Value.Write: triggered when a registry value is written. This includes registry value creation as well as changes to the value’s name and data.
  • Reg.Delete: triggered when a registry key or value is deleted
  • Reg.Key.Delete: triggered when a registry key is deleted
  • Reg.Value.Delete: triggered when a registry value is deleted
  • Reg.Key.SecurityChange: triggered when a registry key’s security descriptor is changed
  • Reg.Key.Rename: triggered when a registry key is renamed
  • Reg.Key.SetInformation: triggered when a registry key’s metadata is changed (e.g., last-write time, tags, virtualization)
  • Reg.Key.Load: triggered when a registry hive is loaded
  • Reg.Key.Unload: triggered when a registry hive is unloaded
  • Reg.Key.Save: triggered when a registry key is saved
  • Reg.Key.Restore: triggered when a registry key is restored
  • Reg.Key.Replace: triggered when a registry key is replaced
  • Reg.Any: triggered for any of the above
