Generic Properties
Sometimes, when an activity monitoring rule matches an event, one would like to have more information than what the fields of the source type uberAgentESA:ActivityMonitoring:ProcessTagging provide. In such a case one can define up to 10 generic properties per rule that can access the event information the query has access to. Any event property listed under Common Event Properties, Network Event Properties, Image Load Event Properties, or Registry Event Properties can be used as a generic property. Note that certain properties are only defined for specific event types. For instance, Net.Target.Port and Reg.Key.Path are only available for network and registry event types respectively. Please refer to Event Types for a list of available event types, as well as the individual event properties documentation pages mentioned above.
Generic properties can be defined using one of two syntaxes. The long form names the field and the event property separately:
GenericProperty1Name = ProcHash
GenericProperty1Data = Process.Hash
The short form gives only the event property:
GenericProperty1 = Process.Hash
In the short form, the fields GenericProperty1Name and GenericProperty1Data, containing Process.Hash and the process's hash respectively, will be sent to uberAgentESA:ActivityMonitoring:ProcessTagging.
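The following is an added example, not part of uberAgent's documentation or code: it parses the GenericPropertyN, GenericPropertyNName and GenericPropertyNData keys of a rule, expands the short form into the long form, enforces the limit of 10 properties, and shows which fields a matched event would carry. The rule text and event contents are constructed; how uberAgent itself treats a property that is undefined for the event type is an assumption made here (the pair is simply omitted).

```python
import re

# Constructed rule fragment: property 1 uses the long form, 2 and 3 the short form.
SAMPLE_RULE = """
GenericProperty1Name = ProcHash
GenericProperty1Data = Process.Hash
GenericProperty2 = Net.Target.Port
GenericProperty3 = Process.Path
"""

# Constructed network event, keyed by the event properties a query can access.
SAMPLE_EVENT = {
    "Process.Hash": "0123abcd",
    "Process.Path": r"C:\Windows\System32\svchost.exe",
    "Net.Target.Port": 443,
}

MAX_GENERIC_PROPERTIES = 10
_KEY_RE = re.compile(r"^GenericProperty(\d+)(Name|Data)?$")

def parse_generic_properties(rule_text):
    """Return {index: (field name, event property)} with the short form expanded."""
    names, datas = {}, {}
    for raw in rule_text.splitlines():
        if "=" not in raw:
            continue
        key, value = (part.strip() for part in raw.split("=", 1))
        match = _KEY_RE.match(key)
        if not match:
            continue  # other rule settings are not handled by this example
        index, suffix = int(match.group(1)), match.group(2)
        if not 1 <= index <= MAX_GENERIC_PROPERTIES:
            raise ValueError(f"{key}: only 1..{MAX_GENERIC_PROPERTIES} generic properties per rule")
        if suffix == "Name":
            names[index] = value
        elif suffix == "Data":
            datas[index] = value
        else:  # short form: the event property doubles as the field name
            names[index] = datas[index] = value
    if names.keys() != datas.keys():
        raise ValueError("each generic property needs both a Name and a Data entry")
    return {i: (names[i], datas[i]) for i in sorted(names)}

def event_fields(props, event):
    """Fields sent to uberAgentESA:ActivityMonitoring:ProcessTagging for one matched event."""
    fields = {}
    for index, (name, prop) in props.items():
        if prop not in event:  # property undefined for this event type (assumption: pair omitted)
            continue
        fields[f"GenericProperty{index}Name"] = name
        fields[f"GenericProperty{index}Data"] = event[prop]
    return fields
```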