Threat Detection Metrics
Process Tagging
uberAgent processes a rule set and applies tags accordingly.
Details
- Source type:
uberAgentESA:ActivityMonitoring:ProcessTagging - Used in dashboards: Threat Detection Events
- Enabled through configuration setting:
ActivityMonitoring - Related configuration settings:
[ActivityMonitoringRule] - Supported platform: Windows
List of Fields in the Raw Agent Data
| Field | Description | Data type | Unit | Example |
|---|---|---|---|---|
| EventType | Event type. Can be 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 or 26. See also EventTypeName. |
Number | 4 | |
| ProcName | Process name. | String | svchost.exe | |
| ProcParentName | Parent process name. | String | services.exe | |
| ProcUser | Process user. | String | domain\JohnDoe | |
| ProcLifetimeMs | Process lifetime. | Number | ms | 500 |
| ProcId | Process ID. | Number | 12345 | |
| ProcParentId | Parent process ID. | Number | 67890 | |
| ProcGUID | Process GUID. | String | 4b3e3686-7854-4d98-0023-1e0e617bf2e4 | |
| ProcParentGUID | Parent process GUID. | String | d72ceb7e-7851-02ec-005d-139741c4afd6 | |
| ProcPath | Process path | String | C:\WINDOWS\System32\svchost.exe | |
| ProcCmdline | Process commandline. | String | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted | |
| ProcTag1 | Rule tag: the tag assigned to events originating from the matching rule. | String | net-connect-suspicious-sources | |
| ProcRiskScore1 | Rule risk score: the risk score assigned to events originating from the matching rule. | Number | 75 | |
| IsElevated | Indicates if the process was started elevated (admin rights). | String | 1 | |
| SessionId | Session ID. | Number | 2 | |
| SessionGUID | Session GUID. | String | 00000000-b242-d759-7a63-d686b0ffd501 | |
| AppId | Application ID. | String | Svc:WdiSystemHost | |
| AppVersion | Application version. | String | 1.0 | |
| IsProtected | Indicates if the process was started protected. | String | 1 | |
| EventCount | The number of identical events that occurred during the interval period. | Number | 42 | |
| RuleAnnotation | JSON of rule annotations like security frameworks. | String | {“mitre_attack”: [“T1086”, “T1059.001”]} |
Additionally, one can enhance the information sent to the back-end by defining a number of generic properties that will be sent along with the fields above. Any field listed under Common Event Properties, Network Event Properties, Image Load Event Properties, or Registry Event Properties can be used as a generic property.
List of Calculated Fields
| Field | Description | Data type | Unit | Example | Where available |
|---|---|---|---|---|---|
| EventTypeName | Names for event types based on the lookup lookup_process_tagging_eventtype. Can be Process.Start, Process.Stop, Image.Load, Net.Connect, Net.Receive, Net.Reconnect, Net.Retransmit, Net.Send, Reg.Key.Create, Reg.Value.Write, Reg.Delete, Reg.Key.Delete, Reg.Value.Delete, Reg.Key.SecurityChange, Reg.Key.Rename,Reg.Key.SetInformation, Reg.Key.Load, Reg.Key.Unload, Reg.Key.Restore, Reg.Key.Save, Reg.Key.Replace, Reg.Any, Dns.Query, Process.CreateRemoteThread, Process.TamperingEvent or Net.Any. |
String | Process.Start | Splunk data model, Splunk SPL | |
| ProcUser | coalesce (ProcUserExpanded, ProcUser). |
String | Domain\JohnDoe | Splunk data model | |
| User | ProcUser. |
String | Domain\JohnDoe | Splunk data model | |
| TimestampMs | _time * 1000. |
Number | ms | 1585913547467 | Splunk data model |
| RuleAnnotation.mitre_attack.id | One or more MITRE ATT&CK® IDs for the event. The source is the field RuleAnnotation. | String | T1086 T1059.001 |
Splunk data model, Splunk SPL |