uberAgent ESA’s Activity Monitoring rules are part of the configuration. Take a look at the configuration files included by uberAgent-ESA.conf. This page documents the rule syntax.
Example
The following example shows a simple rule that is triggered whenever a process is started (EventType = Process.Start). The rule's query checks whether the parent of the started process is wmiprvse.exe, i.e. whether the new process is a child of the WMI service. If that is the case, the rule matches and an event with the tag proc-start-wmiservice-child is sent to the backend.
[ActivityMonitoringRule]
RuleName = Detect child processes of the WMI service
EventType = Process.Start
Tag = proc-start-wmiservice-child
Query = Parent.Name == "wmiprvse.exe"
Rule Stanzas
There can be any number of [ActivityMonitoringRule] stanzas, each defining one rule. Rules are processed in the order in which they are defined in the configuration. uberAgent ESA always processes all rules for every activity. This means that multiple events may be generated per activity.
Rule Components
An [ActivityMonitoringRule] stanza may contain the following components.
RuleName
Setting name: RuleName
Description: any name to more easily identify a rule. Not used by uberAgent.
Valid values: any string
Default: empty
Required: yes
EventType
Setting name: EventType
Description: the type of event this rule applies to.
Query
Setting name: Query
Tag
Setting name: Tag
RiskScore
Setting name: RiskScore
VerboseLogging
Setting name: VerboseLogging
Valid values: true or false
Default: false
Rule Evaluation
A rule is evaluated by applying its query to the properties of the event that occurred; if the query is true for that event, the rule matches.
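To make the stanza format, the in-order processing of all rules, and the query-against-event-properties evaluation concrete, here is a small added model in Python. It is not uberAgent code and does not implement uberAgent's actual query language: it parses [ActivityMonitoringRule] stanzas, supports only the two query forms that appear on this page (the literal true and Property == "literal"), and treats a missing Query as true and Tag as required, both of which are assumptions of this toy. The configuration and the event are constructed samples; the second and third rules are invented for illustration.

```python
import re
from typing import Dict, List

# Constructed sample configuration in the stanza format documented above.
# Three rules on purpose: one Process.Start activity can match the first two,
# and the third has a different EventType so it is never evaluated for it.
SAMPLE_CONFIG = """
[ActivityMonitoringRule]
RuleName = Detect child processes of the WMI service
EventType = Process.Start
Tag = proc-start-wmiservice-child
Query = Parent.Name == "wmiprvse.exe"

[ActivityMonitoringRule]
RuleName = Detect PowerShell process starts (hypothetical second rule)
EventType = Process.Start
Tag = proc-start-powershell
Query = Process.Name == "powershell.exe"

[ActivityMonitoringRule]
RuleName = Hypothetical rule for another event type
EventType = Network.Connect
Tag = net-connect-any
Query = true
"""

STANZA_HEADER = "[ActivityMonitoringRule]"
# Only the comparison form shown on this page: <Property> == "<literal>"
QUERY_RE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*==\s*"([^"]*)"\s*$')


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split the configuration into rule stanzas, preserving definition order."""
    rules: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        if line == STANZA_HEADER:
            current = {}
            rules.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"setting outside of a stanza or malformed: {raw!r}")
        # Split on the first '=' only, so a Query containing '==' survives intact.
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    for rule in rules:
        if "RuleName" not in rule:
            raise ValueError("RuleName is required for every rule")
    return rules


def evaluate_query(query: str, event: Dict[str, str]) -> bool:
    """Evaluate the toy query subset: the literal true or Property == "literal"."""
    if query.strip().lower() == "true":
        return True
    match = QUERY_RE.match(query)
    if match is None:
        raise ValueError(f"unsupported query in this toy evaluator: {query!r}")
    prop, literal = match.group(1), match.group(2)
    # Compare case-insensitively: Windows image names are not case-sensitive.
    return event.get(prop, "").lower() == literal.lower()


def match_rules(rules: List[Dict[str, str]], event: Dict[str, str]) -> List[str]:
    """Return the Tag of every matching rule, in configuration order.

    Every rule is evaluated for every activity, so several tags (events) can
    be produced for a single activity, as the text above states.
    """
    tags: List[str] = []
    for rule in rules:
        if rule.get("EventType") != event["EventType"]:
            continue
        # Assumption of this toy: a rule without Query behaves as Query = true.
        if evaluate_query(rule.get("Query", "true"), event):
            tags.append(rule["Tag"])
    return tags


def demo() -> List[str]:
    rules = parse_rules(SAMPLE_CONFIG)
    # Constructed event: PowerShell started by the WMI provider host.
    event = {
        "EventType": "Process.Start",
        "Process.Name": "PowerShell.exe",
        "Parent.Name": "wmiprvse.exe",
    }
    return match_rules(rules, event)


if __name__ == "__main__":
    print(demo())  # ['proc-start-wmiservice-child', 'proc-start-powershell']
```

Running the block prints both tags for the single process start, which is the behaviour to keep in mind when writing rules: a noisy, broad rule does not suppress a more specific one defined before or after it, so every matching rule adds its own event to the backend volume.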