Events

Pulsar is designed as an event-driven runtime security framework, so events naturally play a big role in the way security is monitored and enforced by the agent.

Overview

In Pulsar, events are the most granular representation of all the operations performed by the operating system, and they are the building blocks on top of which threats are detected by the rules engine.

While events usually represent an enriched version of kernel activity traces extracted by one of the Pulsar modules through eBPF, they are not restricted to that in any way. In fact, any piece of information published on the event bus - provided it satisfies a few formal constraints - can be considered an event, regardless of its original source. This also incidentally means that Pulsar modules that live completely in the user space can produce and consume events from the event bus without any restriction, allowing for great extensibility of Pulsar features.

A few examples of events include:

  • Program execution
  • File creation
  • Connection start

Structure

All Pulsar events share a common structure: they are made up of an event header and an event payload.

The event header contains general information about the event's origin, such as the process that generated it, its timestamp and its source module.

The event payload, on the other hand, contains the actual specifics of the event, and is dictated by the event type.