uberAgent ESA Activity Monitoring makes system activity traceable and searchable.
When an Activity Monitoring rule matches a risky process, an unusual network connection, or similar activity, uberAgent ESA creates an event in your SIEM (e.g., Splunk). Activity Monitoring’s comprehensive, extensible ruleset is powered by uAQL, a feature-rich query language that is both easy to read by humans and fast to process by computers.
uberAgent ESA comes with hundreds of predefined rules for many common attack vectors and converters for Sysmon rules and Sigma signatures. Customizing and extending ESA’s ruleset is explicitly encouraged.
uberAgent ESA ships with rules from two different sources: vast limits rules and third-party rules. The former are curated by vast limits, while the latter are converted from sources such as the Sigma project.
uberAgent ESA Activity Monitoring rules are part of uberAgent’s configuration.
Annotations add supplementary data to Activity Monitoring rules, notably MITRE ATT&CK technique IDs.
Every ESA Activity Monitoring rule comes with a tag and a risk score that are assigned to matching events.
ESA Activity Monitoring events are assigned the sourcetype
uberAgentESA:ActivityMonitoring:ProcessTagging (see the metrics documentation for a description of the fields).
ESA Activity Monitoring events are visualized in the Activity Monitoring Events dashboard which is part of the
uberAgent_ESA Splunk searchhead app.