Event Types

uberAgent ESA's Activity Monitoring rules can be triggered by many different types of events. Event types are specified in the EventType component of [ActivityMonitoringRule] stanzas (more information).

Process And Image Event Types

The following process event types are available:

Process.Start: triggered when a new process is created/started
Process.Stop: triggered when a process is terminated/stopped
Image.Load: triggered when an executable image (e.g., a DLL) is loaded

Network Event Types

The following network event types are available:

Net.Send: triggered when a network packet is sent
Net.Receive: triggered when a network packet is received
Net.Connect: triggered when a network connection is established
Net.Reconnect: triggered when a network connection is re-established
Net.Retransmit: triggered when a network packet is retransmitted (sent again)

Registry Event Types

The following registry event types are available:

Reg.Key.Create: triggered when a registry key is created
Reg.Value.Write: triggered when a registry value is written. This includes registry value creation as well as changes to the value's name and data.
Reg.Delete: triggered when a registry key or value is deleted (i.e., it covers both Reg.Key.Delete and Reg.Value.Delete)
Reg.Key.Delete: triggered when a registry key is deleted
Reg.Value.Delete: triggered when a registry value is deleted
Reg.Key.SecurityChange: triggered when a registry key's security descriptor is changed
Reg.Key.Rename: triggered when a registry key is renamed
Reg.Key.SetInformation: triggered when a registry key's metadata is changed (e.g., last-write time, flags, virtualization, etc.)
Reg.Key.Load: triggered when a registry hive is loaded
Reg.Key.Unload: triggered when a registry hive is unloaded
Reg.Key.Save: triggered when a registry key is saved
Reg.Key.Restore: triggered when a registry key is restored
Reg.Key.Replace: triggered when a registry key is replaced
Reg.Any: triggered for any of the registry event types above
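A mistyped EventType silently produces a rule that never fires, so it is worth checking rule files against the list above before deploying them. The following linter is an added example and is not part of uberAgent or its documentation. It parses [ActivityMonitoringRule] stanzas from a config file, verifies each EventType against the documented values, suggests the closest valid name for typos, and expands the umbrella types (Reg.Delete, Reg.Any) to the concrete events they cover. Only the stanza name and the EventType key come from this page; the RuleName and Tag keys in the constructed sample config are illustrative assumptions, as is the `key = value` line format.

```python
"""Lint the EventType field of uberAgent ESA [ActivityMonitoringRule] stanzas.

Added example, not uberAgent code. Only the stanza name and the EventType key
are taken from the documentation; RuleName and Tag below are illustrative.
"""
import difflib
import re

# Event types as documented on this page.
PROCESS_EVENTS = {"Process.Start", "Process.Stop", "Image.Load"}
NETWORK_EVENTS = {"Net.Send", "Net.Receive", "Net.Connect",
                  "Net.Reconnect", "Net.Retransmit"}
REGISTRY_CONCRETE = {
    "Reg.Key.Create", "Reg.Value.Write", "Reg.Key.Delete", "Reg.Value.Delete",
    "Reg.Key.SecurityChange", "Reg.Key.Rename", "Reg.Key.SetInformation",
    "Reg.Key.Load", "Reg.Key.Unload", "Reg.Key.Save", "Reg.Key.Restore",
    "Reg.Key.Replace",
}
# Umbrella types and the concrete registry events they stand for.
UMBRELLAS = {
    "Reg.Delete": {"Reg.Key.Delete", "Reg.Value.Delete"},
    "Reg.Any": set(REGISTRY_CONCRETE),
}
ALL_EVENT_TYPES = PROCESS_EVENTS | NETWORK_EVENTS | REGISTRY_CONCRETE | set(UMBRELLAS)


def expand_event_type(event_type: str) -> frozenset:
    """Return the concrete event types one EventType value subscribes to."""
    if event_type in UMBRELLAS:
        return frozenset(UMBRELLAS[event_type])
    if event_type in ALL_EVENT_TYPES:
        return frozenset({event_type})
    raise ValueError(f"unknown EventType {event_type!r}")


_STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KV_RE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(.*?)\s*$")


def parse_rule_stanzas(text: str) -> list:
    """Collect every [ActivityMonitoringRule] stanza as a dict of its keys.

    Keys in other stanzas are ignored; '#' and ';' lines are treated as comments
    (assumed comment syntax).
    """
    rules, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        header = _STANZA_RE.match(line)
        if header:
            current = {} if header.group(1) == "ActivityMonitoringRule" else None
            if current is not None:
                rules.append(current)
            continue
        kv = _KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return rules


def lint_rules(text: str) -> list:
    """Return one human-readable problem string per defective rule."""
    problems = []
    for index, rule in enumerate(parse_rule_stanzas(text), start=1):
        label = rule.get("RuleName", f"rule #{index}")
        event_type = rule.get("EventType")
        if event_type is None:
            problems.append(f"{label}: no EventType, rule can never fire")
            continue
        try:
            expand_event_type(event_type)
        except ValueError:
            # Exact-match lookup failed; offer the closest documented name.
            hint = difflib.get_close_matches(event_type, sorted(ALL_EVENT_TYPES), n=1)
            suggestion = f" (did you mean {hint[0]}?)" if hint else ""
            problems.append(f"{label}: unknown EventType {event_type!r}{suggestion}")
    return problems


# Constructed sample config for demonstration; not from a real deployment.
SAMPLE_CONFIG = """
# Fires on process creation
[ActivityMonitoringRule]
RuleName = Process start
EventType = Process.Start
Tag = proc-start

[ActivityMonitoringRule]
RuleName = Any registry deletion
EventType = Reg.Delete

[ActivityMonitoringRule]
RuleName = Typo in event type
EventType = Reg.Key.Created

[ActivityMonitoringRule]
RuleName = Missing event type
Tag = nothing
"""

if __name__ == "__main__":
    for problem in lint_rules(SAMPLE_CONFIG):
        print(problem)
    print("Reg.Any covers:", sorted(expand_event_type("Reg.Any")))
```

Running the script against the constructed config reports the misspelled `Reg.Key.Created` (suggesting `Reg.Key.Create`) and the stanza with no EventType; the first two rules pass. Because the check is an exact string match, adjust it if your deployment turns out to accept a different case.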