uberAgent

Event Types

uberAgent ESA’s Threat Detection rules can be triggered by many different types of events.

Event types are specified in the EventType component of [ActivityMonitoringRule] stanzas; see the rule syntax documentation for the full stanza format.

Process & Image Events

Event Types

The following process event types are available:

  • Process.Start: triggered when a new process is created/started
  • Process.Stop: triggered when a process is terminated/stopped
  • Process.CreateRemoteThread: triggered when a process creates a thread in another process
  • Process.TamperingEvent: triggered when a process tampering event is detected
  • Image.Load: triggered when an executable image (e.g., a DLL) is loaded into a process

Event Properties

Common event properties are available with all types of events. Remote thread creation events and image load events have additional properties.

Network Events

Event Types

The following network event types are available:

  • Net.Send: triggered when a network packet is sent
  • Net.Receive: triggered when a network packet is received
  • Net.Connect: triggered when a network connection is established
  • Net.Reconnect: triggered when a network connection is re-established
  • Net.Retransmit: triggered when a network packet is retransmitted (sent again)

Event Properties

Please see the documentation for the properties of network events.

Registry Events

Event Types

The following registry event types are available:

  • Reg.Key.Create: triggered when a registry key is created
  • Reg.Value.Write: triggered when a registry value is written. This includes registry value creation as well as changes to the value’s name and data.
  • Reg.Delete: triggered when a registry key or value is deleted
  • Reg.Key.Delete: triggered when a registry key is deleted
  • Reg.Value.Delete: triggered when a registry value is deleted
  • Reg.Key.SecurityChange: triggered when a registry key’s security descriptor is changed
  • Reg.Key.Rename: triggered when a registry key is renamed
  • Reg.Key.SetInformation: triggered when a registry key’s metadata is changed (e.g., last-write time, tags, virtualization)
  • Reg.Key.Load: triggered when a registry hive is loaded
  • Reg.Key.Unload: triggered when a registry hive is unloaded
  • Reg.Key.Save: triggered when a registry key is saved
  • Reg.Key.Restore: triggered when a registry key is restored
  • Reg.Key.Replace: triggered when a registry key is replaced
  • Reg.Any: triggered for any of the above registry event types

Event Properties

Please see the documentation for the properties of registry events.

DNS Query Events

Event Types

The following DNS query event types are available:

  • DNS.Query: triggered when an outgoing DNS query has completed and a response has been received

Event Properties

Please see the documentation for the properties of DNS query events.
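As an added illustration of how the event types above are used, the stanzas below define one Threat Detection rule for each event family on this page. This is example configuration written for this page, not a rule set shipped with uberAgent. The stanza fields RuleName, EventType, Tag, RiskScore and Query follow the documented rule syntax; the property names used in the Query lines (Process.Name, Process.CommandLine, Image.Path, Net.Target.Port, Reg.Key.Path, Reg.Value.Name, Dns.QueryRequest), the r"..." raw-string form and the match patterns are assumptions for illustration and must be checked against the event property documentation referenced in each section before use.

```ini
; Added example rules, one per event family described on this page.
; Not part of the uberAgent documentation or its shipped rule set.
; Property names in Query lines are assumed; verify them against the
; event property reference for each event type before deploying.

[ActivityMonitoringRule]
RuleName = PowerShell started with an encoded command line
EventType = Process.Start
Tag = proc-start-powershell-encoded
RiskScore = 75
Query = Process.Name == "powershell.exe" and Process.CommandLine like "% -enc%"

[ActivityMonitoringRule]
RuleName = DLL loaded from a user temp directory
EventType = Image.Load
Tag = image-load-user-temp
RiskScore = 50
Query = Image.Path like r"%\AppData\Local\Temp\%.dll"

[ActivityMonitoringRule]
RuleName = Outbound connection to a commonly abused listener port
EventType = Net.Connect
Tag = net-connect-port-4444
RiskScore = 75
Query = Net.Target.Port == 4444

; Reg.Value.Write is used rather than Reg.Any so the rule evaluates only
; value writes (creation, rename, data change), not every registry event.
[ActivityMonitoringRule]
RuleName = Run key value written
EventType = Reg.Value.Write
Tag = reg-write-run-key
RiskScore = 50
Query = Reg.Key.Path like r"%\Software\Microsoft\Windows\CurrentVersion\Run" and Reg.Value.Name != ""

[ActivityMonitoringRule]
RuleName = DNS lookup for a .onion name
EventType = DNS.Query
Tag = dns-query-onion
RiskScore = 75
Query = Dns.QueryRequest like "%.onion"
```

Each stanza names exactly one EventType, so a rule that should react to both a key creation and a value write needs either two stanzas or the broader Reg.Any type. Because Reg.Any fires for every registry event type listed above, prefer the narrowest type that covers the behaviour you want to detect; it keeps the rule cheaper to evaluate and avoids matches on unrelated operations such as hive loads or security descriptor changes.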
