Sometimes, when an activity monitoring rule matches an event, one would like to have more information than what the fields of the source type uberAgentESA:ActivityMonitoring:ProcessTagging provide. In such a case one can define up to 10 generic properties per rule that can access the event information the query has access to. Any event property listed under Common Event Properties, Network Event Properties, Image Load Event Properties, or Registry Event Properties can be used as a generic property. Note that certain properties are only defined for specific event types. For instance, Net.Target.Port and Reg.Key.Path are only available for network and registry event types respectively. Please refer to Event Types for a list of available event types, as well as the individual event properties documentation pages mentioned above.

Generic properties can be defined using one of the two syntaxes, long form

GenericProperty1Name = ProcHash
GenericProperty1Data = Process.Hash

or short form:

GenericProperty1 = Process.Hash

in which case, the fields GenericProperty1Name and GenericProperty1Data, containing Process.Hash and the process’s hash respectively, will be sent to uberAgentESA:ActivityMonitoring:ProcessTagging.