This documentation applies to a beta version of uberAgent (docs for the latest official release)

Overview

uberAgent ESA process tagging assigns tags to events that match configured rules. ESA tags can be used to identify risky processes or to expose unusual behavior.

uberAgent’s process tagging engine uses an extensible ruleset that ships with the product. Customizing and extending the default ruleset is explicitly encouraged.

Rule Storage

uberAgent ESA process tagging rules are part of uberAgent’s configuration.

Metadata

Tag And Risk Score

Every ESA process tagging rule comes with a tag and a risk score that are assigned to matching events.
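The rule evaluation described above (a rule matches an event, and the matching rule's tag and risk score are assigned to that event), shown as an added example. This is not uberAgent's code, and the rule format, the event field names and the summing of risk scores across matching rules are all assumptions made for the illustration; the sample rules and process events are constructed.

```python
"""Minimal rule-based process tagging: each rule carries a tag and a risk
score, and both are assigned to every event the rule matches.

Added example with a hypothetical rule format. It is not uberAgent's
configuration syntax or tagging engine.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Rule:
    name: str
    tag: str
    risk_score: int
    # Hypothetical match format: event field name -> regular expression.
    # A rule matches only when every listed field matches its pattern.
    conditions: dict


@dataclass
class TaggedEvent:
    event: dict
    tags: list = field(default_factory=list)
    risk_score: int = 0  # assumption: sum of the scores of all matching rules


def rule_matches(rule: Rule, event: dict) -> bool:
    """True when all of the rule's field patterns match the event."""
    for field_name, pattern in rule.conditions.items():
        value = event.get(field_name, "")
        if re.search(pattern, value, re.IGNORECASE) is None:
            return False
    return True


def tag_events(events: list, rules: list) -> list:
    """Evaluate every rule against every event; attach tags and scores."""
    tagged = []
    for event in events:
        result = TaggedEvent(event=event)
        for rule in rules:
            if rule_matches(rule, event):
                result.tags.append(rule.tag)
                result.risk_score += rule.risk_score
        tagged.append(result)
    return tagged


def risky_events(tagged: list, threshold: int) -> list:
    """Filter tagged events whose accumulated risk score reaches a threshold."""
    return [t for t in tagged if t.risk_score >= threshold]


# Constructed sample rules (field names and patterns are illustrative only).
SAMPLE_RULES = [
    Rule(
        name="Office application spawns a shell",
        tag="office-child-shell",
        risk_score=60,
        conditions={"parent": r"^(winword|excel)\.exe$",
                    "name": r"^(cmd|powershell)\.exe$"},
    ),
    Rule(
        name="PowerShell started with an encoded command",
        tag="ps-encoded-command",
        risk_score=40,
        conditions={"name": r"^powershell\.exe$",
                    "cmdline": r"-enc(odedcommand)?\b"},
    ),
]

# Constructed sample process-start events.
SAMPLE_EVENTS = [
    {"name": "winword.exe", "parent": "explorer.exe",
     "cmdline": "winword.exe /n"},
    {"name": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -EncodedCommand QQBBAEEA"},
    {"name": "cmd.exe", "parent": "explorer.exe",
     "cmdline": "cmd.exe /c dir"},
]


if __name__ == "__main__":
    for t in tag_events(SAMPLE_EVENTS, SAMPLE_RULES):
        print(t.event["name"], t.tags, t.risk_score)
```

Only the second sample event matches any rule; it matches both, so it carries two tags and a combined score of 100, which is what a risk-based filter such as `risky_events` would surface.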

Sourcetype

ESA process tagging events are assigned the sourcetype uberAgentESA:Process:ProcessTaggingEvent (see the metrics documentation for a description of the fields).

Visualization

ESA process tagging events are visualized in the Process Tagging Events dashboard, which is part of the uberAgent_ESA Splunk search head app.
