This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

Event Types

uberAgent ESA’s Activity Monitoring rules can be triggered by many different types of events.

Event types are specified in the EventType component of [ActivityMonitoringRule] stanzas (rule syntax).

Process And Image Event Types

The following process event types are available:

  • Process.Start: triggered when a new process is created/started
  • Process.Stop: triggered when a process is terminated/stopped
  • Image.Load: triggered when an executable image (e.g., a DLL) is loaded

The event properties are documented separately for process events and image load events.

Network Event Types

The following network event types are available:

  • Net.Send: triggered when a network packet is sent
  • Net.Receive: triggered when a network packet is received
  • Net.Connect: triggered when a network connection is established
  • Net.Reconnect: triggered when a network connection is re-established
  • Net.Retransmit: triggered when a network packet is retransmitted (sent again)

Please see the documentation for the properties of network events.

Registry Event Types

The following registry event types are available:

  • Reg.Key.Create: triggered when a registry key is created
  • Reg.Value.Write: triggered when a registry value is written. This includes registry value creation as well as changes to the value’s name and data.
  • Reg.Delete: triggered when a registry key or value is deleted
  • Reg.Key.Delete: triggered when a registry key is deleted
  • Reg.Value.Delete: triggered when a registry value is deleted
  • Reg.Key.SecurityChange: triggered when a registry key’s security descriptor is changed
  • Reg.Key.Rename: triggered when a registry key is renamed
  • Reg.Key.SetInformation: triggered when a registry key’s metadata is changed (e.g., last-write time, tags, virtualization)
  • Reg.Key.Load: triggered when a registry hive is loaded
  • Reg.Key.Unload: triggered when a registry hive is unloaded
  • Reg.Key.Save: triggered when a registry key is saved
  • Reg.Key.Restore: triggered when a registry key is restored
  • Reg.Key.Replace: triggered when a registry key is replaced
  • Reg.Any: triggered for any of the above

Please see the documentation for the properties of registry events.

DNS Query Event Types

The following DNS query event types are available:

  • DNS.Event: triggered when an outgoing DNS query request has completed and a response has been received

Please see the documentation for the properties of DNS query events.
