Skip to main content

This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.


uberAgent ESA Activity Monitoring assigns tags to events that match configured rules. ESA tags can be used to identify risky processes or to expose unusual behavior.

uberAgent’s Activity Monitoring engine comes with the powerful rule definition language uAQL, hundreds of predefined rules for many common attack vectors, and a converter for Sigma signatures. Customizing and extending ESA’s ruleset is explicitly encouraged.

Rule Sources

uberAgent ESA ships with rules from two different sources: vast limits rules and third-party rules. The former are curated by vast limits, while the latter are converted from sources such as the Sigma project.

Rule Storage

uberAgent ESA Activity Monitoring rules are part of uberAgent’s configuration.


Tag And Risk Score

Every ESA Activity Monitoring rule comes with a tag and a risk score that are assigned to matching events.


ESA Activity Monitoring events are assigned the sourcetype uberAgentESA:ActivityMonitoring:ProcessTagging (see the metrics documentation for a description of the fields).


ESA Activity Monitoring events are visualized in the Process Tagging Events dashboard which is part of the uberAgent_ESA Splunk searchhead app.


Your email address will not be published. Required fields are marked *