Rules
Rules are a central concept in Pulsar: they are what ultimately decides whether an event is benign or a threat.
Overview
Rules are written as simple YAML statements and must contain:
a name: a short, unique description of the rule. It also serves as the rule identifier.
a type: the type of event that is checked against the rule. Events of any other type are discarded before the condition is evaluated.
a condition: the actual content of the rule. Any event of the given type that matches the condition is marked as a threat.
Below is an example of a simple rule that triggers a threat event whenever a process other than sshd opens /etc/shadow. Here header.image is the path of the executable that performed the open and payload.filename is the file it opened.
```yaml
- name: Read sensitive file from untrusted process
  type: FileOpened
  condition: header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"
```
The Rules Engine
The component responsible for evaluating rules is known as the rules engine.
In Pulsar the rules engine is a user-space module that taps directly into the event bus and checks every event against the set of rules defined in the rules file.
Whenever an event matches the condition of a rule, the rules engine tags that event by setting a special "threat" label in its header.
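To make the rule structure (name, type, condition) and the engine's three steps (discard events of the wrong type, evaluate the condition, tag matching events in their header) concrete, here is an added, self-contained Python example. It is not Pulsar's own code: Pulsar is written in Rust and its real condition language is richer than the `==`/`!=`/`&&`/`||`/parentheses subset parsed below. The event layout, the `threat` key used for the tag, the second rule and the sample events are constructed for illustration.

```python
"""Toy rules engine: type filter, condition evaluation, threat tagging."""
import re

# Rules in the same shape as the YAML on the page. The first rule is the page's
# example; the second (nginx spawning a shell) is constructed for this example.
RULES = [
    {
        "name": "Read sensitive file from untrusted process",
        "type": "FileOpened",
        "condition": 'header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"',
    },
    {
        "name": "Shell spawned by web server",
        "type": "Exec",
        "condition": 'header.image == "/usr/sbin/nginx" && '
                     '(payload.filename == "/bin/sh" || payload.filename == "/bin/bash")',
    },
]

# Constructed sample events; field names mirror the page's header.image / payload.filename.
EVENTS = [
    {"type": "FileOpened", "header": {"pid": 1201, "image": "/usr/bin/sshd"}, "payload": {"filename": "/etc/shadow"}},
    {"type": "FileOpened", "header": {"pid": 4410, "image": "/usr/bin/cat"}, "payload": {"filename": "/etc/shadow"}},
    {"type": "FileOpened", "header": {"pid": 4411, "image": "/usr/bin/cat"}, "payload": {"filename": "/etc/passwd"}},
    {"type": "Exec", "header": {"pid": 998, "image": "/usr/bin/cat"}, "payload": {"filename": "/etc/shadow"}},
    {"type": "Exec", "header": {"pid": 7001, "image": "/usr/sbin/nginx"}, "payload": {"filename": "/bin/bash"}},
]

# Tokens: parentheses, && / ||, == / !=, double-quoted strings, dotted field paths.
TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||==|!=|"(?:[^"\\]|\\.)*"|[A-Za-z_][\w.]*)')
PATH_RE = re.compile(r"[A-Za-z_][\w.]*")


def tokenize(text):
    """Split a condition into tokens; any unrecognised input rejects the whole rule."""
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def lookup(event, path):
    """Resolve a dotted path such as header.image; a missing field yields None."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None  # None never equals a string literal, so == fails and != holds
        cur = cur[key]
    return cur


class Parser:
    """Recursive descent: or_expr := and_expr ('||' and_expr)*; and_expr := cmp ('&&' cmp)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        fn = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return fn

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "||":
            self.take()
            left = (lambda l, r: lambda ev: l(ev) or r(ev))(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.comparison()
        while self.peek() == "&&":
            self.take()
            left = (lambda l, r: lambda ev: l(ev) and r(ev))(left, self.comparison())
        return left

    def comparison(self):
        tok = self.take()
        if tok == "(":
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok is None or not PATH_RE.fullmatch(tok):
            raise ValueError(f"expected field path, got {tok!r}")
        path, op, lit = tok.split("."), self.take(), self.take()
        if op not in ("==", "!="):
            raise ValueError(f"expected == or != after {tok}, got {op!r}")
        if lit is None or not lit.startswith('"'):
            raise ValueError(f"expected quoted string after {op}, got {lit!r}")
        value = lit[1:-1]  # strip the quotes; escapes are not needed for plain paths
        if op == "==":
            return lambda ev: lookup(ev, path) == value
        return lambda ev: lookup(ev, path) != value


def compile_rules(rules):
    """Parse every condition once, up front, so a malformed rule fails at load time."""
    return [(r["name"], r["type"], Parser(tokenize(r["condition"])).parse()) for r in rules]


def check_event(compiled, event):
    """Return names of matching rules and tag the event header when there is at least one."""
    hits = [name for name, etype, cond in compiled
            if etype == event["type"] and cond(event)]  # type filter runs before the condition
    if hits:
        event["header"]["threat"] = hits  # the tag key is an assumption, not Pulsar's real field
    return hits


def scan(rules, events):
    """Run all events through the engine; map pid -> matched rule names."""
    compiled = compile_rules(rules)
    return {ev["header"]["pid"]: check_event(compiled, ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in scan(RULES, EVENTS).items():
        print(pid, "THREAT" if hits else "ok", hits)
```

Parsing every condition at load time means a typo in the rules file is reported before any event is examined, rather than silently matching nothing; the `lookup` helper also shows the policy question a real engine has to settle, namely whether a field that is absent from an event should satisfy a `!=` test.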