Sometimes, when a Threat Detection rule matches an event, one would like to have more information than what the fields of the source type uberAgentESA:ActivityMonitoring:ProcessTagging provide. In such a case, one can define up to 10 generic properties per rule that can access the event information the query has access to. Any event property listed under Common Event Properties, Network Event Properties, Image Load Event Properties, or Registry Event Properties can be used as a generic property. Note that certain properties are only defined for specific event types. For instance, Net.Target.Port and Reg.Key.Path are only available for network and registry event types, respectively. Please refer to Event Types for a list of available event types, as well as the individual event properties documentation pages mentioned above.

Generic properties can be defined using one of the two syntaxes, long form:

GenericProperty1Name = ProcHash
GenericProperty1Data = Process.Hash.MD5

or short form:

GenericProperty1 = Process.Hash.MD5

in which case, the fields GenericProperty1Name and GenericProperty1Data, containing Process.Hash.MD5 and the process’s MD5 hash respectively, will be sent to uberAgentESA:ActivityMonitoring:ProcessTagging.