uberAgent

Event Types

uberAgent ESA’s Threat Detection rules can be triggered by many different types of events.

Event types are specified in the EventType field of [ActivityMonitoringRule] stanzas; see the rule syntax documentation for the other fields of a rule.

Process & Image Events

Event Types

The following process event types are available:

  • Process.Start: a new process is created/started.
  • Process.Stop: a process is terminated/stopped.
  • Process.CreateRemoteThread: a process creates a thread in the context of another process (the pattern behind most thread injection techniques).
  • Process.TamperingEvent: a process tampering event is detected.
  • Image.Load: an executable image (e.g., a DLL) is loaded.
  • Driver.Load: a kernel image (e.g., a driver) is loaded.

Event Properties

Common event properties are available for all event types. Remote thread creation events and image load events carry additional properties.

Network Events

Event Types

The following network event types are available:

  • Net.Send: a network packet is sent.
  • Net.Receive: a network packet is received.
  • Net.Connect: a network connection is established.
  • Net.Reconnect: a network connection is re-established.
  • Net.Retransmit: a network packet is retransmitted (sent again).

Event Properties

Please see the documentation for the properties of network events.

Registry Events

Event Types

The following registry event types are available:

  • Reg.Key.Create: a registry key is created.
  • Reg.Value.Write: a registry value is written. This includes registry value creation as well as changes to the value’s name and data.
  • Reg.Delete: a registry key or value is deleted (matches both Reg.Key.Delete and Reg.Value.Delete events).
  • Reg.Key.Delete: a registry key is deleted.
  • Reg.Value.Delete: a registry value is deleted.
  • Reg.Key.SecurityChange: a registry key’s security descriptor is changed.
  • Reg.Key.Rename: a registry key is renamed.
  • Reg.Key.SetInformation: a registry key’s metadata is changed (e.g. last-write time, tags, virtualization, etc.).
  • Reg.Key.Load: a registry hive is loaded.
  • Reg.Key.Unload: a registry hive is unloaded.
  • Reg.Key.Save: a registry key is saved.
  • Reg.Key.Restore: a registry key is restored.
  • Reg.Key.Replace: a registry key is replaced.
  • Reg.Any: any of the above.
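The stanza layout described in the introduction and the overlap between Reg.Delete, Reg.Key.Delete, Reg.Value.Delete and Reg.Any can be seen end to end in the following added example, which is not uberAgent’s own engine or code: a small Python script parses constructed [ActivityMonitoringRule] stanzas and runs constructed events through them. Only the EventType selection step and a tiny conjunction subset of query syntax (`Field == "x"`, `Field like "%x%"`) are modelled. The field names RuleName, RiskScore and Query, the property names Process.Path, Process.CommandLine, Reg.Key.Path and Reg.Value.Name, the treatment of `\\` inside a like pattern as a single backslash, and the sample events are all assumptions made here for illustration.

```python
"""Toy evaluator for [ActivityMonitoringRule] stanzas (added example, not uberAgent code)."""
import re
from dataclasses import dataclass

# Registry event types listed on this page. "Reg.Any" selects all of them and
# "Reg.Delete" selects the two deletion types; every other EventType is exact.
REG_TYPES = frozenset({
    "Reg.Key.Create", "Reg.Value.Write", "Reg.Key.Delete", "Reg.Value.Delete",
    "Reg.Key.SecurityChange", "Reg.Key.Rename", "Reg.Key.SetInformation",
    "Reg.Key.Load", "Reg.Key.Unload", "Reg.Key.Save", "Reg.Key.Restore",
    "Reg.Key.Replace",
})
GROUP_TYPES = {
    "Reg.Any": REG_TYPES,
    "Reg.Delete": frozenset({"Reg.Key.Delete", "Reg.Value.Delete"}),
}


def event_type_matches(rule_type: str, event_type: str) -> bool:
    """True if an event of event_type is selected by a rule's EventType."""
    return event_type == rule_type or event_type in GROUP_TYPES.get(rule_type, ())


@dataclass
class Rule:
    name: str
    event_type: str
    risk_score: int
    query: str


def parse_rules(text: str) -> list:
    """Parse stanzas of 'key = value' lines; '#' starts a comment line."""
    rules, fields = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[ActivityMonitoringRule"):
            if fields:
                rules.append(_to_rule(fields))
            fields = {}
        elif fields is not None and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if fields:
        rules.append(_to_rule(fields))
    return rules


def _to_rule(f: dict) -> Rule:
    return Rule(f["RuleName"], f["EventType"], int(f.get("RiskScore", 0)), f.get("Query", ""))


# One clause: <property> (==|like) [r]"<literal>"  (assumed subset of the query language)
_CLAUSE = re.compile(r'^\s*([\w.]+)\s+(==|like)\s+r?"([^"]*)"\s*$')


def clause_matches(clause: str, event: dict) -> bool:
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    prop, op, literal = m.groups()
    value = str(event.get(prop, ""))
    if op == "==":
        return value == literal
    # 'like': '%' matches any run of characters, case-insensitive; a doubled
    # backslash in the pattern stands for one literal backslash (assumption).
    literal = literal.replace("\\\\", "\\")
    pattern = ".*".join(re.escape(part) for part in literal.split("%"))
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None


def query_matches(query: str, event: dict) -> bool:
    """Conjunction of clauses joined by ' and '; an empty query matches everything."""
    if not query.strip():
        return True
    return all(clause_matches(c, event) for c in re.split(r"\s+and\s+", query))


def evaluate(rules: list, events: list) -> dict:
    """Return {event id: [(rule name, risk score), ...]} for events that fire a rule."""
    hits = {}
    for event in events:
        for rule in rules:
            if event_type_matches(rule.event_type, event["EventType"]) and query_matches(rule.query, event):
                hits.setdefault(event["id"], []).append((rule.name, rule.risk_score))
    return hits


# Constructed rules in the stanza layout of uberAgent's rule syntax.
RULES_TEXT = r"""
[ActivityMonitoringRule]
RuleName = Encoded PowerShell command line
EventType = Process.Start
RiskScore = 75
Query = Process.Path like r"%\\powershell.exe" and Process.CommandLine like "%-enc%"

[ActivityMonitoringRule]
RuleName = Run key entry removed
EventType = Reg.Delete
RiskScore = 40
Query = Reg.Key.Path like r"%\\CurrentVersion\\Run%"

[ActivityMonitoringRule]
RuleName = Audit all HKLM registry activity
EventType = Reg.Any
RiskScore = 10
Query = Reg.Key.Path like "HKLM%"
"""

# Constructed sample events; property names are assumptions.
EVENTS = [
    {"id": 1, "EventType": "Process.Start",
     "Process.Path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process.CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 2, "EventType": "Process.Start",
     "Process.Path": r"C:\Windows\System32\notepad.exe",
     "Process.CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
    {"id": 3, "EventType": "Reg.Value.Delete",
     "Reg.Key.Path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Reg.Value.Name": "Updater"},
    {"id": 4, "EventType": "Reg.Key.Create",
     "Reg.Key.Path": r"HKLM\SOFTWARE\Contoso\Agent"},
    {"id": 5, "EventType": "File.Delete",
     "File.Path": r"C:\Users\bob\AppData\Local\Temp\a.tmp"},
]

if __name__ == "__main__":
    for event_id, fired in evaluate(parse_rules(RULES_TEXT), EVENTS).items():
        print(event_id, fired)
```

Event 3 (a Reg.Value.Delete) fires both the Reg.Delete rule and the Reg.Any rule, event 4 (Reg.Key.Create) fires only the Reg.Any rule, and the File.Delete event fires nothing, which is the behaviour to expect when choosing between the specific and the grouped registry types in a rule.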

Event Properties

Please see the documentation for the properties of registry events.

DNS Query Events

Event Types

The following DNS query event types are available:

  • DNS.Query: an outgoing DNS query request has completed, and a response has been received.

Event Properties

Please see the documentation for the properties of DNS query events.

File System Events

Event Types

The following file system activity event types are available:

  • File.ChangeCreationTime: a file’s creation timestamp is changed, as done by timestomping tools to hide when a file was dropped (available on Windows only).
  • File.Create: a file is created.
  • File.CreateStream: an alternate data stream (ADS) is created (available on Windows only).
  • File.Delete: a file is deleted (available on all platforms).
  • File.PipeCreate: a named pipe is created.
  • File.PipeConnected: a client connects to a named pipe.
  • File.RawAccessRead: a process reads a device (e.g. a volume) directly, bypassing file system ACLs (available on Windows only).
  • File.Rename: a file is renamed.
  • File.Write: a file is being written to.
  • File.Read: a file is being read from.

Event Properties

Please see the documentation for the properties of file system activity events.
