Rules are a central concept in Pulsar: they are what ultimately determines whether any event is safe or a threat.
Rules are specified as simple YAML statements and must contain the following fields:

- `name`: a short, unique description of the rule. It also serves as the rule identifier.
- `type`: the type of events that are checked against the rule. All other event types are automatically discarded.
- `condition`: the actual content of the rule. If the condition is matched by an event, that event is marked as a threat.
Below is an example of a simple rule that triggers a threat event whenever a process other than `/usr/bin/sshd` reads `/etc/shadow`:

```yaml
- name: Read sensitive file from untrusted process
  # type is a required field (see above); FileOpened is the Pulsar event type for file-open events
  type: FileOpened
  condition: header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"
```
The Rules Engine
The component responsible for applying rules is known as the rules engine. In Pulsar it is built as a user-space module that taps directly into the event bus and checks every event against the set of rules defined in the rules file. Whenever an event matches a condition specified by a rule, the rules engine module tags the event with a special threat label on its header.
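To make the three steps above concrete (filter by `type`, evaluate `condition`, tag the header), here is a small illustrative rule evaluator. It is an added example written for this page, not Pulsar's own rules engine (which is implemented in Rust); it assumes a simplified event shape made of `type`, `header` and `payload` dictionaries, that `FileOpened` is the event type name for file-open events, and that the threat label is stored as `header["threat"]`. The rule list is written inline in the structure a YAML loader would produce from the rules file, so the example runs without a YAML library. The condition grammar supports `==`, `!=`, `&&`, `||` and parentheses, which goes slightly beyond the single condition shown on the page.

```python
import re

# Constructed rule set: the same structure PyYAML would return for the rules file above.
RULES = [
    {
        "name": "Read sensitive file from untrusted process",
        "type": "FileOpened",  # assumed name of the file-open event type
        "condition": 'header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"',
    },
]

# Tokens: quoted string literal | operator or parenthesis | dotted field name
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(==|!=|&&|\|\||[()])|([A-Za-z_][\w.]*))')


def tokenize(src):
    """Split a condition string into (kind, value) tokens."""
    src, pos, tokens = src.strip(), 0, []
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {src[pos:]!r}")
        pos = m.end()
        string, op, ident = m.groups()
        if string is not None:
            tokens.append(("str", string[1:-1]))
        elif op is not None:
            tokens.append(("op", op))
        else:
            tokens.append(("id", ident))
    return tokens


class Parser:
    """Recursive-descent parser: '||' binds loosest, then '&&', then comparisons."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v

    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise ValueError("trailing input in condition")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("op", "||"):
            self.take("op")
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() == ("op", "&&"):
            self.take("op")
            left = ("and", left, self.parse_atom())
        return left

    def parse_atom(self):
        if self.peek() == ("op", "("):
            self.take("op")
            node = self.parse_or()
            self.take("op", ")")
            return node
        field = self.take("id")
        op = self.take("op")
        if op not in ("==", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", op, field, self.take("str"))


def lookup(event, path):
    """Resolve a dotted field such as 'payload.filename'; None if it is absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(node, event):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    _, op, field, literal = node
    actual = lookup(event, field)
    if actual is None:  # a missing field never satisfies a comparison
        return False
    return actual == literal if op == "==" else actual != literal


def compile_rules(rules):
    return [(r["name"], r["type"], Parser(tokenize(r["condition"])).parse()) for r in rules]


def apply_rules(compiled, event):
    """Return the event, tagged on its header if a rule of matching type fires."""
    for name, rtype, cond in compiled:
        if event["type"] != rtype:
            continue  # events of other types are discarded for this rule
        if evaluate(cond, event):
            event["header"]["threat"] = {"rule": name}  # assumed label shape
            break
    return event


# Constructed sample events: flagged / trusted process / wrong event type.
SAMPLE_EVENTS = [
    {"type": "FileOpened", "header": {"image": "/usr/bin/cat", "pid": 4242},
     "payload": {"filename": "/etc/shadow"}},
    {"type": "FileOpened", "header": {"image": "/usr/bin/sshd", "pid": 800},
     "payload": {"filename": "/etc/shadow"}},
    {"type": "Exec", "header": {"image": "/usr/bin/cat", "pid": 4243},
     "payload": {"filename": "/etc/shadow"}},
]


def run(rules=RULES, events=SAMPLE_EVENTS):
    """Run every event through the rule set; returns tagged copies of the events."""
    compiled = compile_rules(rules)
    return [apply_rules(compiled, dict(e, header=dict(e["header"]))) for e in events]


if __name__ == "__main__":
    for ev in run():
        print(ev["type"], ev["header"]["image"], ev["header"].get("threat"))
```

The type check happens before the condition is parsed against the event, which mirrors the page's note that events of other types are discarded outright; treating a missing field as "no match" rather than an error keeps one malformed event from stalling the pipeline.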