NOTE: Actions attached to process-monitor policies can make use of session variables, which are illustrated in the examples below and described in more detail in Policy variables.

The default actions defined for the process-monitor policies are:

<$NAME>:<$MSG_NODE_NAME>:<$MSG_OBJECT>:START
<$NAME>:<$MSG_NODE_NAME>:<$MSG_OBJECT>:<*>
<$SESSION(PROCESSNBRAVAILABLE)> processes "<$SESSION(PROCESSNAME)>" with parameter "<$SESSION(PROCESSPARAMETERS)>" are running. Expected: <$SESSION(PROCESSMODE)> <$SESSION(PROCESSNBREXPECTED)> process.
Example: 0 processes "notepad.exe" with parameter "<*>abc<*>" are running. Expected: 1 process.
No "continue" action is defined: do NOT start any "continue" action

<$NAME>:<$MSG_NODE_NAME>:<$MSG_OBJECT>:END
<$NAME>:<$MSG_NODE_NAME>:<$MSG_OBJECT>:<*>
<$SESSION(PROCESSNBRAVAILABLE)> process "<$SESSION(PROCESSNAME)>" with parameter "<$SESSION(PROCESSPARAMETERS)>" is running.
Example: 1 process "notepad.exe" with parameter "<*>abc<*>" is running.