Table of contents

ProcessSet

The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents.

To enable and configure Integrity Monitoring, see Set up integrity monitoring.

Represents a set of processes.

Tag attributes

The following table provides a list and descriptions of the XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.

Attribute Description Required Default Value Allowed Values
onChange Will be monitored in real time No false true, false

Entity set attributes

The following are the attributes of the Entity that can be monitored by Integrity Monitoring Rules:

  • CommandLine: The full command-line as shown by ps -f (Unix), ps w (Linux), or Process Explorer. Only available on Windows.
  • Group: The group under which the process is running.

    • Under Unix this is the effective group ID of the process, which determines shared resource access and, in some cases, file access. Group ID can change if the process drops privileges or otherwise switches its effective group credentials. For example, a program could change group IDs temporarily and obtain write privileges to copy installation files into a directory where the user has read-only privileges.
    • On Windows this is the current Primary Group of the process as established by a user-specific access token created at login, which sets access and resource privileges for the user and any processes they execute.

      In addition to a Primary Group, Windows processes typically have one or more additional group credentials associated with them. These additional group credentials are not monitored by the agent – they can be viewed in the Security tab of the process properties in Process Explorer.

  • Parent: The PID of the process that created this process.

  • Path: The full path to the binary of the process. On Windows, this comes from the GetModuleFileNameEx() API. On Linux and Solaris 10, it comes from reading the symlink /proc/{pid}/exe or /proc/{pid}/path/a.out respectively. Not available on Solaris 9 and AIX.
  • Process: The short name of the process binary (no path). For example, for c:\windows\notepad.exe it would be notepad.exe and for /usr/local/bin/httpd it would be httpd.
  • Threads: The number of threads currently executing in the process.
  • User: The user under which the process is running. Under Unix this is the effective user ID of the process, which can change over time if the process drops privileges or otherwise switches its effective user credentials.

Shorthand Attributes

  • STANDARD: CommandLine, Group, Parent, Path (where available), Process User

Meaning of key

The key is a combination of the Process attribute (the short name of the executable) and the PID. The PID is appended to the name with a path separator in between. For example, notepad.exe\1234 on Windows and httpd/1234 on Unix. The use of the path separator is to allow include or exclude matching of key="abc//" to work as expected.

Subelements

  • Include
  • Exclude

See Integrity monitoring rules language for a general description of include for their allowed attributes and sub elements. Only information specific to includes and excludes relating to this EntitySet class are included here.

Special attributes of Include and Exclude for ProcessSets

The following example would monitor the set of running processes for notepad.exe regardless of the PID:

<ProcessSet>
<include key="notepad.exe\/" />
</ProcessSet>

Various other attributes of a process can be used in include and exclude tests. The tests support Unix glob-style wildcarding with * and ?, and there is no normalization of path separators or other characters, as it is a simple glob-style match against the value of the attribute.

CommandLine: Checks for a wildcard match against the commandLine attribute of the process. The following example would monitor any process whose command-line matches "/httpd /":

<ProcessSet>
<include commandLine="/httpd /" />
</ProcessSet>

Group: Checks for a wildcard match against the group attribute of the process. The text version of the group name is used rather than the numeric form: use daemon rather than 2 to test for the daemon group on Linux. The following example would monitor any process running as one of the groups root, daemon, or lp:

<ProcessSet>
<include group="root" />
<include group="daemon" />
<include group="lp" />
</ProcessSet>

Path: Checks for a wildcard match against the path attribute of the process. The path attribute is not available on some platforms. The following example would monitor any process whose binary resides under System32:

<ProcessSet>
<include path="/\System32\/" />
</ProcessSet>

User: Checks for a wildcard match against the user attribute of the process. The text version of the user name is used rather than the numeric form: use root rather than 0 (zero) to test for the superuser on Unix. The following example would monitor any process running as one of the built in system users (for example, NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE):

<ProcessSet>
<include user="NT AUTHORITY\/" />
</ProcessSet>