Rules
Rules are a central concept in Pulsar because they ultimately determine whether an event is safe or a threat.
Overview
Rules are specified as simple YAML statements and must contain the following fields:
- name: a short, unique description of the rule. It also serves as the rule identifier.
- type: the type of events that are checked against the rule. All other events are automatically discarded.
- condition: the actual content of the rule. If an event matches the condition, that event is marked as a threat.
Below is an example of a simple rule that triggers a threat event whenever a process other than sshd opens /etc/shadow.
- name: Read sensitive file from untrusted process
  type: FileOpened
  condition: header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"
The Rules Engine
The component responsible for applying rules is known as the rules engine.
In Pulsar, the rules engine is a user-space module that taps directly into the event bus and checks every event against the set of rules defined in the rules file.
Whenever an event matches a condition specified by a rule, the rules engine tags the event with a special threat label on its header.
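The behaviour described above, as an added example that is not Pulsar's own code: a minimal rule validator and matcher that checks the three required fields, discards events whose type differs from the rule's, evaluates the condition of the sample rule, and tags a matching event's header with a threat label. The event layout (header.type, header.image, payload.filename) is assumed for illustration, and the condition evaluator only understands the string comparisons and the && operator used on this page, not Pulsar's full condition language.

```python
import re

# Constructed input: the parsed form of the YAML rule shown above (example code, not Pulsar's own).
RULES = [{
    "name": "Read sensitive file from untrusted process",
    "type": "FileOpened",
    "condition": 'header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"',
}]
TERM = re.compile(r'^\s*([\w.]+)\s*(==|!=)\s*"([^"]*)"\s*$')

def validate_rules(rules):
    """Report missing required fields and duplicate names (name is the rule identifier)."""
    problems, seen = [], set()
    for i, rule in enumerate(rules):
        problems += [f"rule {i}: missing field {f!r}" for f in ("name", "type", "condition") if f not in rule]
        if rule.get("name") in seen:
            problems.append(f"rule {i}: duplicate name {rule.get('name')!r}")
        seen.add(rule.get("name"))
    return problems

def lookup(event, path):
    """Resolve a dotted path such as header.image against a nested event dict (None if absent)."""
    for part in path.split("."):
        if not isinstance(event, dict) or part not in event:
            return None
        event = event[part]
    return event

def matches(condition, event):
    """Evaluate '==' / '!=' string comparisons joined by '&&' (only the operators used on
    this page; a simplified stand-in for Pulsar's real condition language)."""
    for term in condition.split("&&"):
        m = TERM.match(term)
        if not m:
            raise ValueError(f"unsupported term: {term.strip()!r}")
        path, op, literal = m.groups()
        if (lookup(event, path) == literal) != (op == "=="):
            return False
    return True

def apply_rules(rules, event):
    """Mimic the engine: skip rules whose type differs from the event's, and on the first
    match tag the event header with a threat label naming the rule (assumed layout)."""
    for rule in rules:
        if rule["type"] == event["header"]["type"] and matches(rule["condition"], event):
            event["header"]["threat"] = rule["name"]
            break
    return event
```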