Documentation

This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

Process Stop Metrics

uberAgent collects detailed process stop information like the process name, the process lifetime as well as the parent process.

Field	Description	Data type	Unit	Example
ProcName	Process name.	String		svchost.exe
ProcUser	Process user.	String		domain\JohnDoe
ProcLifetimeMs	Process lifetime.	Number	Ms	500
AppId	Application ID.	String		Svc:WdiSystemHost
ProcId	Process ID.	Number		12345
ProcParentId	Parent process ID.	Number		67890
SessionId	Session ID.	Number		2
ProcGUID	Process GUID.	String		4b3e3686-7854-4d98-0023-1e0e617bf2e4
SessionGUID	Session GUID.	String		00000000-b242-d759-7a63-d686b0ffd501
ProcParentName	Parent process name.	String		services.exe
ProcPath	Process path.	String		C:\WINDOWS\System32\svchost.exe
ProcCmdline	Process commandline.	String		C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
IsElevated	Indicates if the process was started elevated (admin rights).	String		1
AppVersion	Application version.	String		1.0
ProcParentGUID	Parent process GUID.	String		d72ceb7e-7851-02ec-005d-139741c4afd6
IsProtected	Indicates if the process was started protected.	String		1
ProcHash	Process hash value.	String		436B472365D3A32352B8594D2D1F5412752FB67C
HashType	Hash type. Can be `1`, `2`, `3` or `4`. See also `HashTypeDisplayName`.	Number		4

Field	Description	Data type	Unit	Example	Where available
ProcUser	`coalesce (ProcUserExpanded, ProcUser)`.	String		Domain\JohnDoe	Splunk data model
User	`ProcUser`.	String		Domain\JohnDoe	Splunk data model
TimestampMs	`_time` * 1000.	Number	Ms	1585913547467	Splunk data model
HashTypeDisplayName	Name for hash type based on the lookup `lookup_hash_types`. Can be `MD5`, `SHA-1`, `SHA-256` or `ImpHash`.	String		ImpHash	Splunk data model,Splunk SPL

Your email address will not be published. Required fields are marked *