This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.
Threat Detection Metrics
Process Tagging
uberAgent processes a rule set and applies tags accordingly.
Details
- Source type:
uberAgentESA:ActivityMonitoring:ProcessTagging - Used in dashboards: Activity Monitoring Events
- Enabled through configuration setting:
ActivityMonitoring - Related configuration settings:
[ActivityMonitoringRule]
List of Fields in the Raw Agent Data
| Field | Description | Data type | Unit | Example |
|---|---|---|---|---|
| EventType | Event type. Can be 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21 or 22. See also EventTypeName. |
Number | 4 | |
| ProcName | Process name | String | svchost.exe | |
| ProcParentName | Parent process name | String | services.exe | |
| ProcUser | Process user | String | domain\JohnDoe | |
| ProcLifetimeMs | Process lifetime | Number | ms | 500 |
| ProcId | Process ID | Number | 12345 | |
| ProcParentId | Parent process ID | Number | 67890 | |
| ProcGUID | Process GUID | String | 4b3e3686-7854-4d98-0023-1e0e617bf2e4 | |
| ProcParentGUID | Parent process GUID | String | d72ceb7e-7851-02ec-005d-139741c4afd6 | |
| ProcPath | Process path | String | C:\WINDOWS\System32\svchost.exe | |
| ProcCmdline | Process commandline | String | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted | |
| ProcTag1 | Process tag | String | net-connect-suspicious-sources | |
| ProcRiskScore1 | Process risk score | Number | 75 | |
| ProcHash | Process hash value | String | 436B472365D3A32352B8594D2D1F5412752FB67C | |
| ProcParentHash | Parent process hash value | String | 436B472365D3A32352B8594D2D1F5412752FB67C | |
| IsElevated | Indicates if the process was started elevated (admin rights) | String | 1 | |
| SessionId | Session ID | Number | 2 | |
| SessionGUID | Session GUID | String | 00000000-b242-d759-7a63-d686b0ffd501 | |
| AppId | Application ID | String | Svc:WdiSystemHost | |
| AppVersion | Application version | String | 1.0 | |
| HashType | Hash type. Can be 1, 2, 3 or 4. See also HashTypeDisplayName |
Number | 4 | |
| ImageName | Image (DLL) name (only available with Image.Load events) |
String | fastprox.dll | |
| ImagePath | Image (DLL) path (only available with Image.Load events) |
String | C:\Windows\System32\wbem\fastprox.dll | |
| ImageHash | Image (DLL) hash value (only available with Image.Load events) |
String | 436B472365D3A32352B8594D2D1F5412752FB67C | |
| NetTargetIp | Target IP address (only available with Net.* events) |
String | 10.1.1.50 | |
| NetTargetName | Target name (only available with Net.* events) |
String | www.google.com | |
| NetTargetPort | Target port (only available with Net.* events) |
Number | 443 | |
| NetProtocol | Network protocol (only available with Net.* events) |
String | TCP | |
| IsProtected | Indicates if the process was started protected | String | 1 | |
| EventCount | The number of identical events that occured during the interval period | Number | 42 |
List of Calculated Fields
| Field | Description | Data type | Unit | Example | Where available |
|---|---|---|---|---|---|
| EventTypeName | Names for event types based on the lookup lookup_process_tagging_eventtype. Can be Process.Start, Process.Stop, Image.Load, Net.Connect, Net.Receive, Net.Reconnect, Net.Retransmit, Net.Send, Reg.Key.Create, Reg.Value.Write, Reg.Delete, Reg.Key.Delete, Reg.Value.Delete, Reg.Key.SecurityChange, Reg.Key.Rename,Reg.Key.SetInformation, Reg.Key.Load, Reg.Key.Unload, Reg.Key.Restore, Reg.Key.Save, Reg.Key.Replace or Reg.Any. |
String | Process.Start | Splunk data model, Splunk SPL | |
| HashTypeDisplayName | Name for hash type based on the lookup lookup_hash_types. Can be MD5, SHA-1, SHA-256 or ImpHash. |
String | ImpHash | Splunk data model, Splunk SPL | |
| ProcUser | coalesce (ProcUserExpanded, ProcUser) |
String | Domain\JohnDoe | Splunk data model | |
| User | ProcUser |
String | Domain\JohnDoe | Splunk data model | |
| TimestampMs | _time * 1000 |
Number | ms | 1585913547467 | Splunk data model |