File System Activity Monitoring
File system activity monitoring is uberAgent ESA's capability to detect changes to objects in the file system. The monitored object types include files, of course, but also named pipes. uberAgent ESA can identify and react to many different types of file system events, e.g., read, write, and delete. Please see the event types documentation for details.
Configuration
File system activity monitoring is configured via the stanza [FilesystemMonitoring]. By default, file system activity monitoring is enabled. To disable it, set Enabled = false.
Monitored Volumes
New Volumes Added to the System
In the default configuration, uberAgent only monitors volumes that were present when the agent was started; newly added volumes are ignored. This can be changed by setting Hotplug = true.
Disabling Monitoring by Volume Type
To monitor only certain volume types, use the setting Monitor. The following table shows the available values.
Volume type | Description | Platform
---|---|---
Disks | Monitors all hard drives. This includes removable media such as USB thumb drives. | all
Mailslots | Monitors all mailslots, a mechanism for one-way interprocess communication (IPC) using pseudofiles that reside in memory. | Windows
NamedPipes | Monitors all named pipes, a mechanism for interprocess communication (IPC) that is accessed much like a file. | Windows
NetworkShares | Monitors all remote file systems (access to network shares). Supported protocols depend on the OS. Windows: all protocols handled by the multiple UNC provider (MUP), typically SMB, RDPNP (remote desktop services client drives), and WebDAV. macOS: SMB, AFP, NFS. | all
Example Configurations
With the following example configuration, uberAgent monitors disks only, i.e., hard drives and removable media. As Hotplug is set to true, uberAgent monitors volumes that were present when the agent was started as well as volumes mounted at runtime. Monitoring of network shares, mailslots, and named pipes is disabled.
[ProductComponents]
EnableESA = true
[FilesystemMonitoring]
Enabled = true
Hotplug = true
Monitor = Disks
With the following example configuration, uberAgent monitors disks and network shares. As Hotplug is not enabled, uberAgent only monitors volumes that were present when the agent was started. Monitoring of mailslots and named pipes is disabled.
[ProductComponents]
EnableESA = true
[FilesystemMonitoring]
Enabled = true
Monitor = Disks
Monitor = NetworkShares
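The two example configurations above rely on details that are easy to get wrong when a config is edited by hand or reused across platforms: the Monitor key is repeated once per value (a dictionary-based INI parser would keep only the last line), Hotplug defaults to false, and Mailslots and NamedPipes are Windows-only. The following Python script is an added example, not uberAgent's own code; it parses the stanzas shown above and reports what would effectively be monitored on a given platform. It assumes (the page does not state this) that keys are case-insensitive, that an absent Monitor key means every volume type supported on the platform is monitored, and that file system monitoring is only effective when EnableESA is true in [ProductComponents]; the defaults and the volume-type/platform table are taken from the documentation.

```python
"""Parse and validate an uberAgent-style [FilesystemMonitoring] stanza.

Added example, not uberAgent's own code. Assumptions not stated by the
documentation: keys are case-insensitive, an absent Monitor key means all
volume types supported on the platform, and monitoring is only effective
when EnableESA is true. Defaults (Enabled = true, Hotplug = false) and the
volume-type/platform table come from the documentation.
"""
from __future__ import annotations

# Volume types from the documentation's table and the platforms they apply to.
VOLUME_TYPES: dict[str, frozenset[str]] = {
    "Disks": frozenset({"Windows", "macOS"}),
    "Mailslots": frozenset({"Windows"}),
    "NamedPipes": frozenset({"Windows"}),
    "NetworkShares": frozenset({"Windows", "macOS"}),
}


def parse_stanzas(text: str) -> dict[str, list[tuple[str, str]]]:
    """Split INI-style text into stanza -> ordered (key, value) pairs.

    Repeated keys are kept in order rather than overwritten, which a
    dict-based parser such as configparser would silently lose."""
    stanzas: dict[str, list[tuple[str, str]]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def parse_bool(value: str) -> bool:
    v = value.lower()
    if v in ("true", "1", "yes"):
        return True
    if v in ("false", "0", "no"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def effective_monitoring(text: str, platform: str) -> dict:
    """Return what the agent would actually monitor on the given platform.

    'ignored' lists Monitor values that are valid but unsupported on the
    platform, so a Windows-only config reused on macOS is flagged instead
    of silently monitoring less than the operator expects."""
    if platform not in ("Windows", "macOS"):
        raise ValueError(f"unknown platform: {platform!r}")
    stanzas = parse_stanzas(text)
    esa_enabled = any(k.lower() == "enableesa" and parse_bool(v)
                      for k, v in stanzas.get("ProductComponents", []))
    enabled, hotplug, requested = True, False, []
    for key, value in stanzas.get("FilesystemMonitoring", []):
        k = key.lower()
        if k == "enabled":
            enabled = parse_bool(value)
        elif k == "hotplug":
            hotplug = parse_bool(value)
        elif k == "monitor":
            if value not in VOLUME_TYPES:
                raise ValueError(f"unknown volume type: {value!r}")
            requested.append(value)
        else:
            raise ValueError(f"unknown [FilesystemMonitoring] key: {key!r}")
    if not requested:  # assumption: no Monitor line means "everything supported here"
        requested = [t for t, plats in VOLUME_TYPES.items() if platform in plats]
    return {
        "active": esa_enabled and enabled,
        "hotplug": hotplug,
        "monitored": [t for t in requested if platform in VOLUME_TYPES[t]],
        "ignored": [t for t in requested if platform not in VOLUME_TYPES[t]],
    }


# Constructed sample: the documentation's second example plus a NamedPipes line.
SAMPLE_CONFIG = """
[ProductComponents]
EnableESA = true
[FilesystemMonitoring]
Enabled = true
Monitor = Disks
Monitor = NetworkShares
Monitor = NamedPipes
"""

if __name__ == "__main__":
    for plat in ("Windows", "macOS"):
        print(plat, effective_monitoring(SAMPLE_CONFIG, plat))
```

Running the script shows the same configuration yielding three monitored volume types on Windows but only two on macOS, with NamedPipes reported as ignored; that difference is what a reviewer should look for when one configuration is pushed to a mixed fleet.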
File System Events in Threat Detection Engine (TDE)
File system events are available in TDE rules, whose queries are powered by uAQL. uAQL queries for file system events can make use of common event properties as well as file system event properties.
Example Rule for Windows
The following example detects writes to files in the directory C:\Windows (Windows):
[ActivityMonitoringRule]
# Detect writes to files in the directory C:\Windows.
RuleId = 2b635c8b-3c2b-4c51-b073-40a796d4ab9e-write
RuleName = Any file write
EventType = File.Write
Tag = file-write
RiskScore = 100
Query = File.Path like "%C:\\Windows\\%"
GenericProperty1 = File.Name
GenericProperty2 = File.CreationDate
GenericProperty3 = File.IsExecutable
GenericProperty4 = File.Path
Example Rule for macOS
The following example detects writes to files in the directory /Library/LaunchAgents (macOS):
[ActivityMonitoringRule]
# Detect writes to files in the directory /Library/LaunchAgents.
RuleId = 2b635c8b-3c2b-4c51-b073-40a796d4ab9e-write
RuleName = Any file write
EventType = File.Write
Tag = file-write
RiskScore = 100
Query = File.Path like "%/Library/LaunchAgents/%"
GenericProperty1 = File.Name
GenericProperty2 = File.CreationDate
GenericProperty3 = File.IsExecutable
GenericProperty4 = File.Path
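To see what the two rules above actually match before deploying them, it helps to run their Query lines against sample events. The following Python script is an added example and not uberAgent's own code or an implementation of uAQL; it assumes (the page does not state this) that uAQL's `like` follows SQL LIKE semantics (% matches any run of characters, _ matches one character), that a doubled backslash inside the quoted string stands for one literal backslash, and that matching is case-insensitive. The events are constructed for illustration. Two observations fall out of it: the trailing separator in "%C:\\Windows\\%" keeps C:\Windows.old out of the match, and the leading % in "%/Library/LaunchAgents/%" makes the macOS rule fire for per-user LaunchAgents directories as well as the system-wide one, which is worth knowing when tuning the risk score.

```python
"""Evaluate an [ActivityMonitoringRule] query of the form
`File.Path like "<pattern>"` against constructed file system events.

Added example, not uberAgent code. Assumptions: uAQL `like` behaves like
SQL LIKE (% = any run of characters, _ = one character), "\\" in the rule
text is one literal backslash, and matching is case-insensitive.
"""
from __future__ import annotations
import re

# Only the simple `<field> like "<pattern>"` shape used by the documented rules.
QUERY_RE = re.compile(
    r'^(?P<field>[A-Za-z][A-Za-z.]*)\s+(?i:like)\s+"(?P<pattern>(?:[^"\\]|\\.)*)"\s*$'
)


def parse_rule(text: str) -> dict[str, str]:
    """Read the rule stanza's key = value lines; comments and the stanza
    header are skipped, and keys are assumed to be unique within a rule."""
    rule: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        rule[key.strip()] = value.strip()
    return rule


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a LIKE pattern into an anchored, case-insensitive regex."""
    literal = pattern.replace("\\\\", "\\")  # "\\" in the rule -> one backslash
    parts = []
    for ch in literal:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def compile_rule(text: str):
    """Return (rule dict, predicate) for a rule stanza."""
    rule = parse_rule(text)
    m = QUERY_RE.match(rule["Query"])
    if m is None:
        raise ValueError('only `<field> like "<pattern>"` queries are handled here')
    field, regex = m.group("field"), like_to_regex(m.group("pattern"))
    event_type = rule["EventType"]

    def matches(event: dict) -> bool:
        # EventType restricts the rule to one event kind; the query is only
        # evaluated for events of that kind.
        return (event.get("EventType") == event_type
                and regex.match(str(event.get(field, ""))) is not None)

    return rule, matches


def matching_paths(rule_text: str, events: list[dict]) -> list[str]:
    _, matches = compile_rule(rule_text)
    return [e["File.Path"] for e in events if matches(e)]


# The two rules from the documentation (raw strings keep the backslashes).
WINDOWS_RULE = r'''[ActivityMonitoringRule]
EventType = File.Write
Query = File.Path like "%C:\\Windows\\%"
'''
MACOS_RULE = r'''[ActivityMonitoringRule]
EventType = File.Write
Query = File.Path like "%/Library/LaunchAgents/%"
'''

# Constructed sample events; only EventType and File.Path matter here.
WINDOWS_EVENTS = [
    {"EventType": "File.Write", "File.Path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventType": "File.Write", "File.Path": r"C:\Windows\Temp\update.tmp"},
    {"EventType": "File.Write", "File.Path": r"C:\Windows.old\Setup\state.ini"},  # no "\" after Windows
    {"EventType": "File.Write", "File.Path": r"C:\Users\alice\Documents\report.docx"},
    {"EventType": "File.Read", "File.Path": r"C:\Windows\System32\kernel32.dll"},  # wrong event type
]
MACOS_EVENTS = [
    {"EventType": "File.Write", "File.Path": "/Library/LaunchAgents/com.example.helper.plist"},
    {"EventType": "File.Write", "File.Path": "/Users/bob/Library/LaunchAgents/com.example.sync.plist"},
    {"EventType": "File.Write", "File.Path": "/Library/LaunchDaemons/com.example.daemon.plist"},
    {"EventType": "File.Delete", "File.Path": "/Library/LaunchAgents/com.example.helper.plist"},
]

if __name__ == "__main__":
    print("Windows:", matching_paths(WINDOWS_RULE, WINDOWS_EVENTS))
    print("macOS:  ", matching_paths(MACOS_RULE, MACOS_EVENTS))
```

The per-user LaunchAgents hit in the macOS output is the kind of result to check against the intent of a rule: if only the system-wide directory is meant, the pattern needs to be anchored without the leading wildcard.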
Platform-Specific Notes
Windows
On Windows, uberAgent uses a minifilter driver to monitor the file system. Only successful file system activity is reported. Attempts that are not permitted due to missing permissions and attempts that are blocked by security products are not reported.
macOS
On macOS, uberAgent leverages the Endpoint Security Framework to monitor the file system. The Endpoint Security Framework provides the necessary APIs to capture a comprehensive range of events, including both successful and unsuccessful ones. Unlike the Windows implementation, on macOS uberAgent may therefore capture unsuccessful events, too; such events might result from permission issues, for example. Specific results depend on the altitude at which the framework hooks the list of syscalls needed for file system activity.