Rule Syntax
uberAgent ESA’s Activity Monitoring rules are part of the configuration. Take a look at the configuration files included by uberAgent-ESA.conf
. This page documents the rule syntax.
Example
The following example shows a simple rule that is triggered whenever a process is started (EventType = Process.Start
). The rule’s query checks if the started process’ name is wmiprvse.exe
. If that is the case, the rule matches and an event with the tag proc-start-wmiservice-child
is sent to the backend.
[ActivityMonitoringRule]
RuleName = Detect child processes of the WMI service
EventType = Process.Start
Tag = proc-start-wmiservice-child
Query = Parent.Name == "wmiprvse.exe"
Rule Stanzas
There can be any number of [ActivityMonitoringRule]
stanzas, each defining one rule. Rules are processed in the order in which they are defined in the configuration. uberAgent ESA always processes all rules for every activity. This means that multiple events may be generated per activity.
Rule Components
An [ActivityMonitoringRule]
stanza may contain the following components.
RuleName
- Setting name:
RuleName
- Description: any name to more easily identify a rule. Not used by uberAgent.
- Valid values: any string
- Default: empty
- Required: yes
EventType
- Setting name:
EventType
- Description: the type of event this rule applies to.
- Valid values: see the event types page
- Default: empty
- Required: yes
Query
- Setting name:
Query
- Description: a uAQL query string that is matched against the properties of the event. A rule is considered matching if the query returns
true
. - Valid values: any uAQL query string
- Default: empty
- Required: yes
Tag
- Setting name:
Tag
- Description: a tag assigned to events matching this rule.
- Valid values: any string
- Default: empty
- Required: yes
RiskScore
- Setting name:
RiskScore
- Description: a risk score assigned to events matching this rule.
- Valid values: any number
- Default: 50
- Required: no
VerboseLogging
- Setting name:
VerboseLogging
- Description: if enabled, more detail is added to the log file, e.g., the full evaluated security descriptor if an SDDL rule is configured.
- Valid values:
true
orfalse
- Default:
false
- Required: no
Rule Evaluation
Rules are evaluated by evaluating a rule’s query with the properties of an event that occurred.