For example, a rule could check CPU utilization every 60 seconds. If the CPU is more than 80% utilized when the test is evaluated, a Post Condition action named SystemTooBusy is performed and its integer value becomes non-zero. Another rule retrieving the process table every 60 seconds with a compound test to identify the processes consuming more than 50% of CPU when total usage exceeds 80% can be written as:
For example, a software virus spawns multiple copies of a common process such as a web browser. The virus uses the SYSTEM account to accomplish this, which is not the normal account for a web browser. To check for the presence of this virus on your network you could create several tests and use a posted condition. The first rule could retrieve the process table, and use a compound test to check for more than one copy of the browser process running as SYSTEM.
When the test evaluates to true, a posted condition named SystemBrowser is created. The second rule tests the value of the posted condition. It does not require data from a microagent, but uses a token data source: the microagent method Self:getUptime():10. This method returns the number of seconds the agent has been running every 10 seconds. The actual data retrieved from the data source is discarded, but every 10 seconds this method triggers a test for SystemBrowser>1. When the test evaluates to true, a high-level alert is generated.
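The rule and posted-condition pattern described above (the CPU rule and the two SYSTEM-browser rules), modelled in Python as an added example. This is not TIBCO Hawk's own code; the process-table sample, the RuleEngine class and its method names are constructed for illustration.

```python
"""Model of the rule / posted-condition pattern described above.

Constructed example, not TIBCO Hawk's own code: posted conditions are kept in an
integer-valued dict; each rule reads a data source, applies a test and runs an action.
"""
from dataclasses import dataclass, field

# Constructed process-table sample: (process name, account, CPU percent)
PROCESS_TABLE = [
    ("browser.exe", "SYSTEM", 3.0),
    ("browser.exe", "SYSTEM", 2.5),
    ("browser.exe", "alice", 1.0),
    ("svchost.exe", "SYSTEM", 55.0),
    ("dbserver.exe", "svc_db", 30.0),
]

@dataclass
class RuleEngine:
    posted: dict = field(default_factory=dict)   # posted condition name -> int
    alerts: list = field(default_factory=list)

    def rule_cpu(self, procs):
        """Every 60 s: post SystemTooBusy (non-zero) when total CPU > 80%, and
        with a compound test report the processes above 50% only in that case."""
        total = sum(cpu for _, _, cpu in procs)
        self.posted["SystemTooBusy"] = 1 if total > 80 else 0
        return [name for name, _, cpu in procs if cpu > 50] if total > 80 else []

    def rule_system_browser(self, procs, browser="browser.exe"):
        """Rule 1: count copies of the browser running as SYSTEM; when more than
        one is found, post SystemBrowser with the count, otherwise clear it."""
        count = sum(1 for name, acct, _ in procs if name == browser and acct == "SYSTEM")
        self.posted["SystemBrowser"] = count if count > 1 else 0
        return count

    def rule_alert_on_browser(self, _uptime_seconds):
        """Rule 2: fired every 10 s by the token source Self:getUptime():10. The
        uptime value is discarded; only the posted condition SystemBrowser>1 is tested."""
        if self.posted.get("SystemBrowser", 0) > 1:
            self.alerts.append(("HIGH", "multiple browser processes running as SYSTEM"))
            return True
        return False

if __name__ == "__main__":
    engine = RuleEngine()
    print("CPU hogs while busy:", engine.rule_cpu(PROCESS_TABLE))
    engine.rule_system_browser(PROCESS_TABLE)      # rule 1 posts the condition
    engine.rule_alert_on_browser(1234)             # rule 2 tests it on the timer tick
    print("posted:", engine.posted, "alerts:", engine.alerts)
```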