uberAgent

Threat Detection Engine

uberAgent ESA Threat Detection makes system activity traceable and searchable.

When a Threat Detection rule matches a risky process, an unusual network connection, or similar activity, uberAgent ESA creates an event in your SIEM (e.g., Splunk). Threat Detection’s comprehensive, extensible ruleset is powered by uAQL, a feature-rich query language that is both easy to read by humans and fast to process by computers.

uberAgent ESA comes with hundreds of predefined rules for many common attack vectors and converters for Sysmon rules and Sigma signatures. Customizing and extending ESA’s ruleset is explicitly encouraged.

Rule Sources

uberAgent ESA ships with rules from two different sources: vast limits rules and third-party rules. The former are curated by vast limits, while the latter are converted from sources such as the Sigma project.

Rule Storage

uberAgent ESA Threat Detection rules are part of uberAgent’s configuration, which is maintained in the uberAgent Configuration GitHub repository.

Metadata

Annotation (MITRE ATT&CK Technique ID)

Annotations add supplementary data to Threat Detection rules, notably MITRE ATT&CK technique IDs.

Tag & Risk Score

Every ESA Threat Detection rule comes with a tag and a risk score that are assigned to matching events.

Sourcetype

ESA Threat Detection events are assigned the sourcetype uberAgentESA:ActivityMonitoring:ProcessTagging (see the metrics documentation for a description of the fields).

Visualization

ESA Threat Detection events are visualized in the Threat Detection Events dashboard, which is part of the uberAgent_ESA Splunk searchhead app.

Threat Detection Engine