This documentation does not apply to the most recent version of uberAgent.
Threat Detection Metrics
Process Tagging
uberAgent processes a rule set and applies tags accordingly.
Details
- Source type: uberAgentESA:ActivityMonitoring:ProcessTagging
- Used in dashboards: Activity Monitoring Events
- Enabled through configuration setting: ActivityMonitoring
- Related configuration settings: [ActivityMonitoringRule]
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Example |
---|---|---|---|---|
EventType | Event type. Can be any value from 1 to 22. See also EventTypeName. | Number | | 4 |
ProcName | Process name | String | | svchost.exe |
ProcParentName | Parent process name | String | | services.exe |
ProcUser | Process user | String | | domain\JohnDoe |
ProcLifetimeMs | Process lifetime | Number | ms | 500 |
ProcId | Process ID | Number | | 12345 |
ProcParentId | Parent process ID | Number | | 67890 |
ProcGUID | Process GUID | String | | 4b3e3686-7854-4d98-0023-1e0e617bf2e4 |
ProcParentGUID | Parent process GUID | String | | d72ceb7e-7851-02ec-005d-139741c4afd6 |
ProcPath | Process path | String | | C:\WINDOWS\System32\svchost.exe |
ProcCmdline | Process command line | String | | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted |
ProcTag1 | Process tag | String | | net-connect-suspicious-sources |
ProcRiskScore1 | Process risk score | Number | | 75 |
ProcHash | Process hash value | String | | 436B472365D3A32352B8594D2D1F5412752FB67C |
ProcParentHash | Parent process hash value | String | | 436B472365D3A32352B8594D2D1F5412752FB67C |
IsElevated | Indicates if the process was started elevated (admin rights) | String | | 1 |
SessionId | Session ID | Number | | 2 |
SessionGUID | Session GUID | String | | 00000000-b242-d759-7a63-d686b0ffd501 |
AppId | Application ID | String | | Svc:WdiSystemHost |
AppVersion | Application version | String | | 1.0 |
HashType | Hash type. Can be 1, 2, 3 or 4. See also HashTypeDisplayName. | Number | | 4 |
ImageName | Image (DLL) name (only available with Image.Load events) | String | | fastprox.dll |
ImagePath | Image (DLL) path (only available with Image.Load events) | String | | C:\Windows\System32\wbem\fastprox.dll |
ImageHash | Image (DLL) hash value (only available with Image.Load events) | String | | 436B472365D3A32352B8594D2D1F5412752FB67C |
NetTargetIp | Target IP address (only available with Net.* events) | String | | 10.1.1.50 |
NetTargetName | Target name (only available with Net.* events) | String | | www.google.com |
NetTargetPort | Target port (only available with Net.* events) | Number | | 443 |
NetProtocol | Network protocol (only available with Net.* events) | String | | TCP |
IsProtected | Indicates if the process was started protected | String | | 1 |
EventCount | The number of identical events that occurred during the interval period | Number | | 42 |
List of Calculated Fields
Field | Description | Data type | Unit | Example | Where available |
---|---|---|---|---|---|
EventTypeName | Name for the event type based on the lookup lookup_process_tagging_eventtype. Can be Process.Start, Process.Stop, Image.Load, Net.Connect, Net.Receive, Net.Reconnect, Net.Retransmit, Net.Send, Reg.Key.Create, Reg.Value.Write, Reg.Delete, Reg.Key.Delete, Reg.Value.Delete, Reg.Key.SecurityChange, Reg.Key.Rename, Reg.Key.SetInformation, Reg.Key.Load, Reg.Key.Unload, Reg.Key.Restore, Reg.Key.Save, Reg.Key.Replace or Reg.Any. | String | | Process.Start | Splunk data model, Splunk SPL |
HashTypeDisplayName | Name for the hash type based on the lookup lookup_hash_types. Can be MD5, SHA-1, SHA-256 or ImpHash. | String | | ImpHash | Splunk data model, Splunk SPL |
ProcUser | coalesce(ProcUserExpanded, ProcUser) | String | | Domain\JohnDoe | Splunk data model |
User | ProcUser | String | | Domain\JohnDoe | Splunk data model |
TimestampMs | _time * 1000 | Number | ms | 1585913547467 | Splunk data model |
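As an added example (not uberAgent's own code or lookups), the following Python validates constructed ProcessTagging records against the field lists above and derives the calculated fields the Splunk data model computes (EventTypeName, HashTypeDisplayName, the coalesced ProcUser, User and TimestampMs). The numeric-to-name lookups are assumed to follow the order in which the values are listed on this page; the authoritative tables are the lookup_process_tagging_eventtype and lookup_hash_types lookups. The record contents are constructed from the example values in the tables.

```python
"""Validate and enrich uberAgent ProcessTagging records (added example).

The two lookups below are ASSUMED to map 1..22 and 1..4 positionally onto the
names listed in the documentation; the real tables are the Splunk lookups
lookup_process_tagging_eventtype and lookup_hash_types.
"""

# Assumed positional mapping of EventType (1..22) to EventTypeName.
EVENT_TYPE_NAMES = {i + 1: n for i, n in enumerate([
    "Process.Start", "Process.Stop", "Image.Load", "Net.Connect", "Net.Receive",
    "Net.Reconnect", "Net.Retransmit", "Net.Send", "Reg.Key.Create", "Reg.Value.Write",
    "Reg.Delete", "Reg.Key.Delete", "Reg.Value.Delete", "Reg.Key.SecurityChange",
    "Reg.Key.Rename", "Reg.Key.SetInformation", "Reg.Key.Load", "Reg.Key.Unload",
    "Reg.Key.Restore", "Reg.Key.Save", "Reg.Key.Replace", "Reg.Any",
])}
# Assumed positional mapping of HashType (1..4) to HashTypeDisplayName.
HASH_TYPE_NAMES = {1: "MD5", 2: "SHA-1", 3: "SHA-256", 4: "ImpHash"}

# Subset of fields every record carries, with the Python type expected after parsing.
COMMON_FIELDS = {
    "EventType": int, "ProcName": str, "ProcParentName": str, "ProcUser": str,
    "ProcId": int, "ProcParentId": int, "ProcGUID": str, "ProcParentGUID": str,
    "ProcPath": str, "ProcCmdline": str, "ProcTag1": str, "ProcRiskScore1": int,
    "ProcHash": str, "HashType": int, "SessionId": int, "SessionGUID": str,
}
# Fields the documentation marks as available only for certain event types.
IMAGE_FIELDS = ("ImageName", "ImagePath", "ImageHash")
NET_FIELDS = ("NetTargetIp", "NetTargetName", "NetTargetPort", "NetProtocol")


def validate(rec):
    """Return a list of schema problems; an empty list means the record conforms."""
    problems = []
    for name, typ in COMMON_FIELDS.items():
        if name not in rec:
            problems.append(f"missing {name}")
        elif not isinstance(rec[name], typ):
            problems.append(f"{name} should be {typ.__name__}")
    et = rec.get("EventType")
    if et not in EVENT_TYPE_NAMES:
        problems.append(f"EventType {et!r} outside 1..22")
    if rec.get("HashType") not in HASH_TYPE_NAMES:
        problems.append(f"HashType {rec.get('HashType')!r} outside 1..4")
    name = EVENT_TYPE_NAMES.get(et, "")
    # Image.* fields belong only to Image.Load events, Net.* fields only to Net.* events.
    if name != "Image.Load":
        problems += [f"{f} present on non-Image.Load event" for f in IMAGE_FIELDS if f in rec]
    if not name.startswith("Net."):
        problems += [f"{f} present on non-Net event" for f in NET_FIELDS if f in rec]
    return problems


def enrich(rec, time_s):
    """Add the calculated fields; time_s is the event time in seconds (Splunk _time)."""
    out = dict(rec)
    out["EventTypeName"] = EVENT_TYPE_NAMES.get(rec.get("EventType"), "Unknown")
    out["HashTypeDisplayName"] = HASH_TYPE_NAMES.get(rec.get("HashType"), "Unknown")
    # coalesce(ProcUserExpanded, ProcUser): first value that is not null.
    expanded = rec.get("ProcUserExpanded")
    out["ProcUser"] = expanded if expanded is not None else rec.get("ProcUser")
    out["User"] = out["ProcUser"]
    out["TimestampMs"] = round(time_s * 1000)  # _time * 1000
    return out


def high_risk_by_tag(records, min_score=50):
    """Count conforming records per ProcTag1 whose ProcRiskScore1 meets the threshold."""
    counts = {}
    for rec in records:
        if validate(rec):
            continue  # do not trust malformed records in a summary
        if rec["ProcRiskScore1"] >= min_score:
            counts[rec["ProcTag1"]] = counts.get(rec["ProcTag1"], 0) + 1
    return counts


# Constructed sample record built from the documentation's example values (a Net.Connect event).
SAMPLE_NET = {
    "EventType": 4, "ProcName": "svchost.exe", "ProcParentName": "services.exe",
    "ProcUser": "domain\\JohnDoe", "ProcId": 12345, "ProcParentId": 67890,
    "ProcGUID": "4b3e3686-7854-4d98-0023-1e0e617bf2e4",
    "ProcParentGUID": "d72ceb7e-7851-02ec-005d-139741c4afd6",
    "ProcPath": r"C:\WINDOWS\System32\svchost.exe",
    "ProcCmdline": r"C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted",
    "ProcTag1": "net-connect-suspicious-sources", "ProcRiskScore1": 75,
    "ProcHash": "436B472365D3A32352B8594D2D1F5412752FB67C", "HashType": 4,
    "SessionId": 2, "SessionGUID": "00000000-b242-d759-7a63-d686b0ffd501",
    "NetTargetIp": "10.1.1.50", "NetTargetName": "www.google.com",
    "NetTargetPort": 443, "NetProtocol": "TCP",
}
# Constructed malformed record: a Process.Start event that wrongly carries Net.* fields.
SAMPLE_BAD = {**SAMPLE_NET, "EventType": 1}

if __name__ == "__main__":
    print(validate(SAMPLE_NET), validate(SAMPLE_BAD))
    print(enrich(SAMPLE_NET, 1585913547.467)["TimestampMs"])
    print(high_risk_by_tag([SAMPLE_NET, SAMPLE_BAD]))
```

The validator rejects records that carry Image.* or Net.* fields on event types the schema does not define them for, which is a cheap sanity check before any of these fields feed a dashboard or a correlation search.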