
This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

User & Host Tagging Examples

With uberAgent 5.3 comes a very powerful and flexible tagging feature which lets you enrich uberAgent’s dataset with your own custom data. While there is a feature description in the advanced topics section, we wanted to share a comprehensive list of tags you may find useful which you can copy and paste without further ado. Please read the feature description first to get the most out of the following list.

Operating System Language

# The language the operating system was installed with
[UserHostTagging]
Tag name = Host install language
Tag type = Host
Tag source = Registry
Tag value = HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\InstallLanguage

# The default language for the operating system
[UserHostTagging]
Tag name = Host default language
Tag type = Host
Tag source = Registry
Tag value = HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\Default

# The user's preferred language
[UserHostTagging]
Tag name = User preferred language
Tag type = User
Tag source = Registry
Tag value = HKCU\Software\Microsoft\CTF\SortOrder\Language\00000000

Windows 10 Version

# Windows 10 version like 1709 or 1909. More information: https://docs.microsoft.com/en-us/windows/release-information/
[UserHostTagging]
Tag name = WindowsVersion
Tag type = Host
Tag source = Registry
Tag value = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseId

User Name

# uberAgent collects the user name in the format domain\username. This tag gives you the user name without the domain.
[UserHostTagging]
Tag name = Username
Tag type = User
Tag source = Environment
Tag value = USERNAME

User Domain

# uberAgent collects the user name in the format domain\username. This tag gives you the user's domain without the user name.
[UserHostTagging]
Tag name = Userdomain
Tag type = User
Tag source = Environment
Tag value = USERDOMAIN

User Principal Name

# The user's principal name (UPN), which has the form user@domain
[UserHostTagging]
Tag name = UPN
Tag type = User
Tag source = Ad
Tag value = userPrincipalName

User Company

# The user's company. The AD attribute company has to be set for this to work.
[UserHostTagging]
Tag name = User company
Tag type = User
Tag source = Ad
Tag value = company

User Department

# The user's department. The AD attribute department has to be set for this to work.
[UserHostTagging]
Tag name = User department
Tag type = User
Tag source = Ad
Tag value = department

User AD Organizational Unit

# The user's distinguished name (DN), which contains the OU path
[UserHostTagging]
Tag name = User OU
Tag type = User
Tag source = Ad
Tag value = distinguishedName

User DNS Domain

# This gives you the user's fully qualified DNS domain name
[UserHostTagging]
Tag name = User DNS domain
Tag type = User
Tag source = Environment
Tag value = USERDNSDOMAIN

User Account Control

# Account options. 512 = activated, 514 = deactivated, 66048 = password never expires. More information: https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
[UserHostTagging]
Tag name = User account control
Tag type = User
Tag source = Ad
Tag value = userAccountControl
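
The values named in the comment above are sums of bit flags (512 is NORMAL_ACCOUNT, 514 adds ACCOUNTDISABLE, 66048 adds DONT_EXPIRE_PASSWORD), so filtering on exact numbers misses other combinations. The following is an added example, not part of uberAgent or of the original documentation: it decodes "User account control" tag values and lists enabled accounts that carry authentication-weakening flags. The (user, value) row format and the sample accounts are constructed assumptions.

```python
# Added example (not uberAgent code): decode "User account control" tag values.
# Bit values are taken from Microsoft's userAccountControl documentation.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
# Flags that weaken authentication and deserve review on an enabled account.
REVIEW = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
          "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH"}

def decode(raw):
    """Return the set of flag names in a tag value, or None if it is not a number."""
    try:
        value = int(str(raw).strip())
    except ValueError:
        return None  # AD attribute missing or tag empty
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def accounts_to_review(rows):
    """Map user -> sorted review-worthy flags, for enabled accounts only."""
    findings = {}
    for user, raw in rows:
        flags = decode(raw)
        if flags is None or "ACCOUNTDISABLE" in flags:
            continue  # skip unparseable values and disabled accounts
        risky = sorted(flags & REVIEW)
        if risky:
            findings[user] = risky
    return findings

# Constructed sample rows (user, tag value); the export format is an assumption.
SAMPLE = [
    ("CONTOSO\\alice", "512"), ("CONTOSO\\bob", "514"),
    ("CONTOSO\\svc-backup", "66048"), ("CONTOSO\\legacy-app", "4194816"),
    ("CONTOSO\\old-svc", "66050"), ("CONTOSO\\carol", ""),
]

if __name__ == "__main__":
    for user, flags in accounts_to_review(SAMPLE).items():
        print(user, ", ".join(flags))
```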

Comments


I want to add some custom metadata. Is there any way I can add that which will be a field in elasticsearch? I am using elasticsearch as a receiver endpoint.

Hi Mark,

If the information you are interested in can be obtained either as an Active Directory attribute, in the Windows registry or in an environmental variable, then our User & Host tagging feature might fit your needs.
On this page we show you example use cases. Please find the feature documentation here.

Kind regards, Martin

Can you share a quick method of querying where the Host/User tag data is stored in the indexes, so we can easily use them in filters?

Thanks

Hi Paul,

You will find information on how to use user & host tags in Splunk here: https://uberagent.com/docs/uberagent/latest/advanced-topics/user-host-tagging/#usage-in-splunk.