Process Stop

uberAgent collects detailed process stop information like the process name, the process lifetime as well as the parent process.

Details

• Source type: uberAgentESA:Process:ProcessStop
• Used in dashboards: Process Tree
• Enabled through configuration setting: ProcessStop
• Related configuration settings: n/a

List of Fields in the Raw Agent Data

Field	Description	Data type	Unit	Example
ProcName	Process name	String		svchost.exe
ProcUser	Process user	String		domain\JohnDoe
ProcLifetimeMs	Process lifetime	Number	Ms	500
AppId	Application ID	String		Svc:WdiSystemHost
ProcId	Process ID	Number		12345
ProcParentId	Parent process ID	Number		67890
SessionId	Session ID	Number		2
ProcGUID	Process GUID	String		4b3e3686-7854-4d98-0023-1e0e617bf2e4
SessionGUID	Session GUID	String		00000000-b242-d759-7a63-d686b0ffd501
ProcParentName	Parent process name	String		services.exe
ProcPath	Process path	String		C:\WINDOWS\System32\svchost.exe
ProcCmdline	Process commandline	String		C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
IsElevated	Indicates if the process was started elevated (admin rights)	String		1
AppVersion	Application version	String		1.0
ProcParentGUID	Parent process GUID	String		d72ceb7e-7851-02ec-005d-139741c4afd6
IsProtected	Indicates if the process was started protected	String		1
ProcHash	Process hash value	String		436B472365D3A32352B8594D2D1F5412752FB67C
HashType	Hash type. Can be 1, 2, 3 or 4. See also HashTypeDisplayName	Number		4

List of Calculated Fields

Field	Description	Data type	Unit	Example	Where available
ProcUser	coalesce (ProcUserExpanded, ProcUser)	String		Domain\JohnDoe	Splunk data model
User	ProcUser	String		Domain\JohnDoe	Splunk data model
TimestampMs	_time * 1000	Number	Ms	1585913547467	Splunk data model
HashTypeDisplayName	Name for hash type based on the lookup lookup_hash_types. Can be MD5, SHA-1, SHA-256 or ImpHash.	String		ImpHash	Splunk data model,Splunk SPL