Event Types
uberAgent ESA's Activity Monitoring rules can be triggered by many different types of events. Event types are specified in the EventType component of [ActivityMonitoringRule] stanzas (rule syntax).
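The following is an added example of two [ActivityMonitoringRule] stanzas, not taken from the uberAgent documentation, showing how EventType selects which event stream a rule listens to and how the rule's query then filters on that stream's properties. The keys RuleName, Tag, RiskScore and Query, the property names Process.Path and Reg.Key.Target, and the query syntax are assumptions here; confirm them against the rule syntax and event property documentation.

```ini
# Added example (not part of the uberAgent documentation). Keys other than
# EventType, the property names used in Query, and the query syntax are
# assumptions; check them against the rule syntax and property documentation.

# Rule 1: listens to Process.Start only. Only properties of process events are
# meaningful in Query here; Net.* or Reg.* properties would not apply.
[ActivityMonitoringRule]
RuleName = Process started from a user temp directory
EventType = Process.Start
Tag = proc-start-from-user-temp
RiskScore = 50
Query = Process.Path like r"%\AppData\Local\Temp\%"

# Rule 2: listens to Reg.Value.Write, which covers value creation as well as
# name and data changes, but not key creation or deletion. A rule that must
# see every registry operation would use EventType = Reg.Any instead.
[ActivityMonitoringRule]
RuleName = Run key value written
EventType = Reg.Value.Write
Tag = reg-run-key-value-write
RiskScore = 60
Query = Reg.Key.Target like r"%\Software\Microsoft\Windows\CurrentVersion\Run"
```

Picking the narrowest event type that still covers the activity of interest (Reg.Value.Write rather than Reg.Any, for example) keeps the rule from being evaluated against events it can never match.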
Process And Image Event Types
The following process event types are available:
Process.Start: triggered when a new process is created/started
Process.Stop: triggered when a process is terminated/stopped
Image.Load: triggered when an executable image (e.g., a DLL) is loaded
The event properties are documented separately for process events and image load events.
Network Event Types
The following network event types are available:
Net.Send: triggered when a network packet is sent
Net.Receive: triggered when a network packet is received
Net.Connect: triggered when a network connection is established
Net.Reconnect: triggered when a network connection is re-established
Net.Retransmit: triggered when a network packet is retransmitted (sent again)
Please see the documentation for the properties of network events.
Registry Event Types
The following registry event types are available:
Reg.Key.Create: triggered when a registry key is created
Reg.Value.Write: triggered when a registry value is written. This includes registry value creation as well as changes to the value's name and data.
Reg.Delete: triggered when a registry key or value is deleted
Reg.Key.Delete: triggered when a registry key is deleted
Reg.Value.Delete: triggered when a registry value is deleted
Reg.Key.SecurityChange: triggered when a registry key's security descriptor is changed
Reg.Key.Rename: triggered when a registry key is renamed
Reg.Key.SetInformation: triggered when a registry key's metadata is changed (e.g., last-write time, tags, virtualization, etc.)
Reg.Key.Load: triggered when a registry hive is loaded
Reg.Key.Unload: triggered when a registry hive is unloaded
Reg.Key.Save: triggered when a registry key is saved
Reg.Key.Restore: triggered when a registry key is restored
Reg.Key.Replace: triggered when a registry key is replaced
Reg.Any: triggered for any of the above
Please see the documentation for the properties of registry events.
DNS Query Event Types
The following DNS query event types are available:
DNS.Event: triggered when an outgoing DNS query request has completed and a response has been received
Please see the documentation for the properties of DNS query events.