uberAgent ESA?s Activity Monitoring rules can be triggered by many different types of events.

Event types are specified in the EventType component of [ActivityMonitoringRule] stanzas (more information).

Process And Image Event Types

The following process event types are available:

• Process.Start: triggered, when a new process is created/started
• Process.Stop: triggered, when a new process is terminated/stopped
• Image.Load: triggered, when an executable image (e.g., a DLL) is loaded

Network Event Types

The following network event types are available:

• Net.Send: triggered, when a network packet is sent
• Net.Receive: triggered, when a network packet is received
• Net.Connect: triggered, when a network connection is established
• Net.Reconnect: triggered, when a network connection is re-established
• Net.Retransmit: triggered, when a network packet is retransmitted (sent again)

Registry Event Types

The following registry event types are available:

• Reg.Key.Create: triggered, when a registry key is created
• Reg.Value.Write: triggered, when a registry value is written. This includes registry value creation as well as changes to the value’s name and data.
• Reg.Delete: triggered, when a registry key or value is deleted
• Reg.Key.Delete: triggered, when a registry key is deleted
• Reg.Value.Delete: triggered, when a registry value is deleted
• Reg.Key.SecurityChange: triggered, when a registry key’s security descriptor is changed
• Reg.Key.Rename: triggered, when a registry key is renamed
• Reg.Key.SetInformation: triggered, when a registry key metadata is changed (e.g. last-write time, tags, virtualization, etc.)
• Reg.Key.Load: triggered, when a registry hive is loaded
• Reg.Key.Unload: triggered, when a registry hive is unloaded
• Reg.Key.Save: triggered, when a registry key is saved
• Reg.Key.Restore: triggered, when a registry key is restored
• Reg.Key.Replace: triggered, when a registry key is replaced
• Reg.Any: triggered for any of the above