Rule Syntax

uberAgent ESA’s Activity Monitoring rules are part of the configuration. Take a look at the configuration files included by uberAgent-ESA.conf. This page documents the rule syntax.

Example

The following example shows a simple rule that is triggered whenever a process is started (EventType = Process.Start). The rule’s query checks whether the parent of the started process is wmiprvse.exe, the WMI Provider Host. If that is the case, the rule matches and an event with the tag proc-start-wmiservice-child is sent to the backend.

[ActivityMonitoringRule]
RuleName = Detect child processes of the WMI service
EventType = Process.Start
Tag = proc-start-wmiservice-child
Query = Parent.Name == "wmiprvse.exe"

Rule Stanzas

There can be any number of [ActivityMonitoringRule] stanzas, each defining one rule. Rules are processed in the order in which they are defined in the configuration. uberAgent ESA evaluates every rule against every activity; processing does not stop at the first match. A single activity can therefore generate multiple events, one per matching rule.

Rule Components

An [ActivityMonitoringRule] stanza may contain the following components.

RuleName

  • Setting name: RuleName
  • Description: a free-form name that makes the rule easier to identify. Not interpreted by uberAgent.
  • Valid values: any string
  • Default: empty
  • Required: yes

EventType

  • Setting name: EventType
  • Description: the type of event this rule applies to.
  • Valid values: see the event types page
  • Default: empty
  • Required: yes

Query

  • Setting name: Query
  • Description: a uAQL query string that is matched against the properties of the event. A rule is considered matching if the query returns true.
  • Valid values: any uAQL query string
  • Default: empty
  • Required: yes

Tag

  • Setting name: Tag
  • Description: a tag assigned to events matching this rule.
  • Valid values: any string
  • Default: empty
  • Required: yes

RiskScore

  • Setting name: RiskScore
  • Description: a risk score assigned to events matching this rule.
  • Valid values: any number
  • Default: 50
  • Required: no

VerboseLogging

  • Setting name: VerboseLogging
  • Description: if enabled, more detail is added to the log file, e.g., the full evaluated security descriptor if an SDDL rule is configured.
  • Valid values: true or false
  • Default: false
  • Required: no

Rule Evaluation

A rule is evaluated by running its uAQL query against the properties of the event that occurred. When the query returns true, the rule matches and an event carrying the rule’s Tag and RiskScore is generated.
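To make the stanza and evaluation semantics concrete, here is a small Python model of the rule loop. It is an added example written for this page, not uberAgent’s own code. It parses [ActivityMonitoringRule] stanzas, enforces the required settings and the RiskScore default of 50, and runs every rule against a constructed Process.Start event in definition order, so the same activity yields one output event per matching rule. The query evaluator is a deliberately small stand-in for uAQL that understands only `Field == "literal"`, `Field != "literal"`, `and` and `or`; the property name Process.Name, the second rule and the sample event are assumptions made for the example (only Parent.Name appears on this page).

```python
"""Toy model of uberAgent ESA rule evaluation (added example, not uberAgent code).

Models what the page states: stanzas are processed in definition order, every
rule is evaluated for every event, RiskScore defaults to 50 and VerboseLogging
to false. The query language is a deliberately small stand-in for uAQL:
Field == "literal" / Field != "literal" joined by and/or, no parentheses.
Real uAQL operators, functions and case-handling rules are not modelled.
"""
import re

RULE_STANZA = "[ActivityMonitoringRule]"
REQUIRED = ("RuleName", "EventType", "Query", "Tag")  # per the Rule Components section
DEFAULT_RISK_SCORE = 50

# Constructed sample configuration. The second rule and the property name
# Process.Name are assumptions for this example; only Parent.Name is on the page.
SAMPLE_CONFIG = """
[ActivityMonitoringRule]
RuleName = Detect child processes of the WMI service
EventType = Process.Start
Tag = proc-start-wmiservice-child
Query = Parent.Name == "wmiprvse.exe"

[ActivityMonitoringRule]
RuleName = PowerShell started by the WMI service
EventType = Process.Start
Tag = proc-start-wmiservice-powershell
RiskScore = 80
Query = Parent.Name == "wmiprvse.exe" and Process.Name == "powershell.exe"
"""

# Constructed sample event: one Process.Start activity as a flat property map.
SAMPLE_EVENT = {
    "EventType": "Process.Start",
    "Process.Name": "powershell.exe",
    "Parent.Name": "wmiprvse.exe",
}


def parse_rules(text):
    """Parse [ActivityMonitoringRule] stanzas in definition order; other stanzas are skipped."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            if current is not None:
                rules.append(_finish(current))
            current = {} if line == RULE_STANZA else None
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    if current is not None:
        rules.append(_finish(current))
    return rules


def _finish(raw):
    """Enforce the required settings and apply defaults to one parsed stanza."""
    missing = [k for k in REQUIRED if not raw.get(k)]
    if missing:
        raise ValueError(f"rule {raw.get('RuleName', '?')!r} is missing {missing}")
    rule = dict(raw)
    rule["RiskScore"] = float(raw["RiskScore"]) if "RiskScore" in raw else DEFAULT_RISK_SCORE
    rule["VerboseLogging"] = raw.get("VerboseLogging", "false").lower() == "true"
    return rule


COMPARISON = re.compile(r'^([A-Za-z_][\w.]*)\s*(==|!=)\s*"([^"]*)"$')


def eval_query(query, event):
    """Toy uAQL: a disjunction of conjunctions of Field ==/!= "literal".
    Splitting on bare and/or means those words must not occur inside literals."""
    return any(
        all(_eval_comparison(term.strip(), event) for term in re.split(r"\s+and\s+", clause))
        for clause in re.split(r"\s+or\s+", query.strip())
    )


def _eval_comparison(term, event):
    m = COMPARISON.match(term)
    if not m:
        raise ValueError(f"unsupported query fragment: {term!r}")
    field, op, literal = m.groups()
    if field not in event:  # property absent on this event: no match either way
        return False
    equal = event[field] == literal
    return equal if op == "==" else not equal


def evaluate(rules, event):
    """Run every rule whose EventType matches; one output event per matching rule."""
    hits = []
    for rule in rules:  # definition order is preserved, no early exit on match
        if rule["EventType"] == event["EventType"] and eval_query(rule["Query"], event):
            hits.append({"Tag": rule["Tag"], "RiskScore": rule["RiskScore"],
                         "RuleName": rule["RuleName"]})
    return hits


if __name__ == "__main__":
    for hit in evaluate(parse_rules(SAMPLE_CONFIG), SAMPLE_EVENT):
        print(hit)
```

Run as a script, the sample event produces two output events, because both rules match it and evaluation never stops at the first hit; a stanza without one of RuleName, EventType, Query or Tag is rejected at parse time, and a rule without RiskScore receives 50.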
