
Rules Engine

This module will check every Pulsar event against the configured set of rules. When a match is found, a threat event is generated.

Example rule

Create a /var/lib/pulsar/rules/example_rules1.yaml with the following content:

- name: Read sensitive file from untrusted process
  type: FileOpened
  condition: header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"

- name: Executed telnet or nc
  type: Exec
  condition: payload.filename in ["/usr/bin/telnet", "/usr/bin/nc"]

The first rule raises a warning whenever a process other than sshd opens /etc/shadow. The second rule warns whenever telnet or nc is executed.
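As an added illustration (not Pulsar's own rules engine), the following Python evaluator implements just the condition language the two rules above use: dotted header/payload field paths, the ==, != and in operators, and && to join clauses. The rule dicts mirror the YAML above; the event layout (type/header/payload keys), the sample events and any grammar beyond those constructs are assumptions made for this example.

```python
import re
# The two YAML rules above as Python dicts, so no YAML library is needed here.
RULES = [
    {"name": "Read sensitive file from untrusted process", "type": "FileOpened",
     "condition": 'header.image != "/usr/bin/sshd" && payload.filename == "/etc/shadow"'},
    {"name": "Executed telnet or nc", "type": "Exec",
     "condition": 'payload.filename in ["/usr/bin/telnet", "/usr/bin/nc"]'},
]

# One clause: dotted field path, operator, then a quoted string or a ["a", "b"] list.
CLAUSE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*(==|!=|in)\s*("[^"]*"|\[[^\]]*\])\s*$')

def lookup(event, path):
    """Resolve "header.image" to event["header"]["image"]; a missing field is None."""
    cur = event
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def evaluate(condition, event):
    """True when every &&-joined clause holds (assumed grammar: no ||, no parentheses)."""
    for clause in condition.split("&&"):          # string literals must not contain &&
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"cannot parse clause {clause.strip()!r}")
        path, op, rhs = m.groups()
        literals = re.findall(r'"([^"]*)"', rhs)  # the single string, or the list items
        actual = lookup(event, path)
        # "in" is list membership; == and != compare against the single string literal
        ok = actual in literals if op == "in" else (actual == literals[0]) == (op == "==")
        if not ok:
            return False
    return True

def match_rules(event, rules=RULES):
    """Names of the rules whose event type and condition both match the event."""
    return [r["name"] for r in rules
            if r["type"] == event["type"] and evaluate(r["condition"], event)]

# Constructed sample events; the type/header/payload layout is an assumption.
EVENTS = [
    {"type": "FileOpened", "header": {"image": "/usr/bin/cat"}, "payload": {"filename": "/etc/shadow"}},
    {"type": "FileOpened", "header": {"image": "/usr/bin/sshd"}, "payload": {"filename": "/etc/shadow"}},
    {"type": "Exec", "header": {"image": "/bin/bash"}, "payload": {"filename": "/usr/bin/nc"}},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["type"], ev["payload"]["filename"], "->", match_rules(ev) or "no match")
```

Note that a field missing from the event resolves to None, so a != comparison on it evaluates to true; a real rule should account for that when the field is optional.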

Configuration

Config      Type   Description
rules_path  path   Folder containing the YAML rules

Default configuration:

[rules-engine]
enabled=true
rules_path=/var/lib/pulsar/rules

You can disable this module with:

pulsar config --set rules-engine.enabled=false