uberAgent ESA process tagging assigns tags to events that match configured rules. ESA tags can be used to identify risky processes or to expose unusual behavior.
uberAgent’s process tagging engine makes use of an extensible ruleset that ships with the product. Customizing and extending the default ruleset is explicitly encouraged.
uberAgent ESA process tagging rules are part of uberAgent’s configuration.
Every ESA process tagging rule comes with a tag and a risk score that are assigned to matching events.
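To make the rule-to-event relationship concrete, here is a small added model of rule-based process tagging. It is example code written for this page, not uberAgent's engine or its configuration syntax: the rule structure, the condition matching (case-insensitive substring per field), the process event fields and the sample rules and events are all constructed assumptions. What it preserves from the description above is that each rule carries a tag and a risk score, that a matching process event receives both, and that the resulting tagging event carries the sourcetype named on this page.

```python
"""Toy model of process tagging (added example, not uberAgent's own code).
Rule and event field names below are assumed for illustration."""
from dataclasses import dataclass

# Sourcetype that uberAgent assigns to ESA process tagging events
SOURCETYPE = "uberAgentESA:Process:ProcessTaggingEvent"


@dataclass
class Rule:
    name: str
    tag: str
    risk_score: int
    conditions: dict  # assumed format: event field -> text that must occur in it


@dataclass
class TaggingEvent:
    sourcetype: str
    tag: str
    risk_score: int
    rule: str
    process: dict


def matches(rule: Rule, event: dict) -> bool:
    """A rule matches when every condition's text occurs in the named event field
    (case-insensitive). A missing field never matches."""
    return all(
        expected.lower() in str(event.get(key, "")).lower()
        for key, expected in rule.conditions.items()
    )


def tag_events(rules: list, events: list) -> list:
    """Evaluate every rule against every process event; each match yields one
    tagging event carrying the rule's tag and risk score."""
    tagged = []
    for event in events:
        for rule in rules:
            if matches(rule, event):
                tagged.append(
                    TaggingEvent(SOURCETYPE, rule.tag, rule.risk_score, rule.name, event)
                )
    return tagged


def risk_by_process(tagging_events: list) -> dict:
    """Sum risk scores per process id so a process hit by several rules stands out."""
    totals = {}
    for te in tagging_events:
        pid = te.process["pid"]
        totals[pid] = totals.get(pid, 0) + te.risk_score
    return totals


# Constructed sample rules (tag and risk score are the two properties every rule carries)
RULES = [
    Rule("office-spawns-shell", "Office application launching a shell", 80,
         {"parent_name": "winword.exe", "process_name": "cmd.exe"}),
    Rule("interpreter-from-temp", "Script interpreter running from a temp folder", 60,
         {"process_name": "powershell.exe", "process_path": "\\temp\\"}),
]

# Constructed sample process events
EVENTS = [
    {"pid": 1001, "process_name": "cmd.exe", "parent_name": "winword.exe",
     "process_path": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 1002, "process_name": "powershell.exe", "parent_name": "explorer.exe",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\powershell.exe"},
    {"pid": 1003, "process_name": "notepad.exe", "parent_name": "explorer.exe",
     "process_path": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for te in tag_events(RULES, EVENTS):
        print(te.sourcetype, te.process["pid"], te.tag, te.risk_score)
    print(risk_by_process(tag_events(RULES, EVENTS)))
```

Running the block tags the first two events (one rule each) and leaves the third untagged; the per-process totals are what a dashboard would rank to surface the riskiest processes first.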
ESA process tagging events are assigned the sourcetype uberAgentESA:Process:ProcessTaggingEvent (see the metrics documentation for a description of the fields).
ESA process tagging events are visualized in the Process Tagging Events dashboard, which is part of the uberAgent_ESA Splunk search head app.