Process Stop

uberAgent collects detailed process stop information like the process name, the process lifetime as well as the parent process.

Details

• Source type: uberAgentESA:Process:ProcessStop
• Used in dashboards: Process Tree
• Enabled through configuration setting: ProcessStop
• Related configuration settings: n/a

List of Fields in the Raw Agent Data

Field	Description	Data type	Unit	Example
ProcName	Process name	String		svchost.exe
ProcUser	Process user	String		domain\JohnDoe
ProcLifetimeMs	Process lifetime	Number	Ms	500
AppId	Application ID	String		Svc:WdiSystemHost
ProcId	Process ID	Number		12345
ProcParentId	Parent process ID	Number		67890
SessionId	Session ID	Number		2
ProcGUID	Process GUID	String		4b3e3686-7854-4d98-0023-1e0e617bf2e4
SessionGUID	Session GUID	String		00000000-b242-d759-7a63-d686b0ffd501
ProcParentName	Parent process name	String		services.exe
ProcPath	Process path	String		C:\WINDOWS\System32\svchost.exe
ProcCmdline	Process commandline	String		C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
IsElevated	Indicates if the process was started elevated (admin rights)	String		1
AppVersion	Application version	String		1.0
ProcParentGUID	Parent process GUID	String		d72ceb7e-7851-02ec-005d-139741c4afd6
IsProtected	Indicates if the process was started protected	String		1
HashMD5	Process hash value in MD5	String		7FFE122B109F1B586DEA2ED0F406E952
HashSHA1	Process hash value in SHA1	String		26DBC241A37881072689CD05C70489C2CDFB562A
HashSHA256	Process hash value in SHA256	String		95F0FBBAEF28999238598550D4B73530FD86205404B602F3E6189D0AE758A2EC
HashIMP	Import-table hash	String		188392D5FBCC485811BB54211E4D2978

List of Calculated Fields

Field	Description	Data type	Unit	Example	Where available
ProcUser	coalesce (ProcUserExpanded, ProcUser)	String		Domain\JohnDoe	Splunk data model
User	ProcUser	String		Domain\JohnDoe	Splunk data model
TimestampMs	_time * 1000	Number	Ms	1585913547467	Splunk data model