uberAgent

Application & Process Startup Metrics

Process Startup

For each application or process that is launched, uberAgent collects startup performance metrics (duration, IOPS) as well as process properties (e.g., elevation status). If the configuration setting EnableExtendedInfo is enabled, uberAgent additionally records the full path to the process executable in the file system and the full command line the process was launched with.

Notes:

  • As with all other metrics, process startup duration is recorded automatically without requiring any configuration. Optionally, the Splunk dashboards can be limited to showing only processes that have never been seen before.
  • Processes are auto-grouped into applications, i.e., the application name is determined automatically. Information on how automatic application identification works is available here.
  • A fork or exec system call can trigger process startup events on macOS. To distinguish between both, see the StartupEventSource field.

Details

  • Source type: uberAgent:Process:ProcessStartup
  • Used in dashboards: Application Startup, Process Startup, Single Application Detail, Analyze data over time
  • Enabled through configuration setting: ProcessStartup
  • Related configuration settings: [ProcessStartupSettings], [ProcessStartupDurationWaitIntervalOverride]

List of Fields in the Raw Agent Data

| Field | Description | Data type | Unit | Measurement type | Platform | Example |
|---|---|---|---|---|---|---|
| ProcName | Process name. | String | | Snapshot | all | chrome.exe |
| ProcUser | Process user. | String | | Snapshot | all | Domain\JohnDoe |
| StartupTimeMs | Startup time duration (how long it took the process to initialize). | Number | ms | Sum | Win | 300 |
| StartupIOPS | I/O operations per second generated during the process' startup phase (see StartupTimeMs). | Number | | Count | Win | 150 |
| AppId | Associated application ID. Used by uberAgent to look up the application name and populate the field AppName. | String | | Snapshot | all | GglChrm |
| ProcID | Process ID generated by the OS. Process IDs are reused and cannot be used to uniquely identify a process. Use ProcGUID for that purpose instead. | Number | | Snapshot | all | 456 |
| ProcParentID | Parent process ID (also see ProcID). | Number | | Snapshot | all | 789 |
| SessionID | Session ID generated by the OS. Session IDs are reused and cannot be used to uniquely identify a session. Use SessionGUID for that purpose instead. macOS: for consistency with Windows, all non-user sessions are assigned to a fictitious system session 0. | Number | | Snapshot | all | 3 |
| ProcGUID | Unique identifier for a process instance, generated by uberAgent. | String | | Snapshot | all | 00000000-ebe5-469c-63ae-f5a1de28d401 |
| SessionGUID | Unique identifier for a session, generated by uberAgent. | String | | Snapshot | Win | 00000002-f295-9109-e7c7-c964011dd401 |
| ProcParentName | Parent process name. | String | | Snapshot | all | powershell.exe |
| ProcPath | Full path to the process executable in the file system. | String | | Snapshot | all | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| ProcCmdline | The process' command line. | String | | Snapshot | all | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --url http://vastlimits.com |
| StartupEventSource | Indicates whether the startup event was generated by a fork (1) or exec (2) call. | String | | Snapshot | macOS | 1 |
| IsElevated | Indicates whether the process is elevated (has admin rights). | String | | Snapshot | all | 1 |
| AppVersion | Associated application version. | String | | Snapshot | all | 67.0.3396.99 |
| ProcParentGUID | Unique identifier of the parent process (the parent's ProcGUID). | String | | Snapshot | all | 00000000-ebe5-469c-54ae-f5a1de28d401 |
| IsProtected | Indicates whether the process is protected (PsProtectedTypeProtected) or protected light (PsProtectedTypeProtectedLight, PPL). | String | | Snapshot | Win | 1 |
| HashMD5 | MD5 hash of the process executable (requires ESA). Configurable via the settings EnableCalculateHash and HashAlgorithm. | String | | Snapshot | Win | 7FFE122B109F1B586DEA2ED0F406E952 |
| HashSHA1 | SHA1 hash of the process executable (requires ESA). Configurable via the settings EnableCalculateHash and HashAlgorithm. | String | | Snapshot | Win | 26DBC241A37881072689CD05C70489C2CDFB562A |
| HashSHA256 | SHA256 hash of the process executable (requires ESA). Configurable via the settings EnableCalculateHash and HashAlgorithm. | String | | Snapshot | Win | 95F0FBBAEF28999238598550D4B73530FD86205404B602F3E6189D0AE758A2EC |
| HashIMP | Import-table hash of the process executable (requires ESA). Configurable via the settings EnableCalculateHash and HashAlgorithm. | String | | Snapshot | Win | 188392D5FBCC485811BB54211E4D2978 |
| SignatureStatus | Authenticode signature status. Can be 0, 1, 2, 3, 4, 5, 6 or 7. See also SignatureStatusDisplayName (requires ESA). | String | | Snapshot | Win | 1 |
| IsSignedByOSVendor | Indicates whether the Authenticode signer is the OS manufacturer (e.g., Microsoft). Requires ESA. | String | | Snapshot | all | 1 |
| SignerName | Authenticode signer name (requires ESA). | String | | Snapshot | Win | Microsoft Windows |
| CdHash | Hash of the code directory of a signed executable (requires ESA). Configurable via the setting EnableCdHash. | String | | Snapshot | macOS | 24e4b80198b220e4a0ea87d33bf72af22576722c |

Notes

  • The following fields are empty unless EnableExtendedInfo is set to true: ProcID, ProcParentID, SessionID, ProcGUID, SessionGUID, ProcParentName, ProcPath, ProcCmdline, ProcParentGUID.
  • The maximum supported timer interval for the ProcessStartup metric is 300000 ms (5 minutes).

List of Calculated Fields

| Field | Description | Data type | Unit | Measurement type | Where available | Example |
|---|---|---|---|---|---|---|
| User | Alias for ProcUser. | String | | Snapshot | Splunk data model | Domain\JohnDoe |
| StartupTimeS | Startup time duration. | Number | s | Sum | Splunk data model | 0.3 |
| StartupIOCount | StartupIOPS * StartupTimeMs / 1000. | Number | | Sum | Splunk data model | 45 |
| AppName | Associated application name. | String | | Snapshot | Splunk data model, Splunk SPL | Google Chrome |
| SignatureStatusDisplayName | Possible values: Unknown, Ok, Revoked, Expired, InvalidHash, UntrustedRoot, TrustedRootNotInCA and Error. | String | | Snapshot | Splunk data model | Ok |
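The following added example (not uberAgent's own code) shows how the calculated fields above are derived from raw ProcessStartup records and why parent/child lineage should be linked through ProcGUID and ProcParentGUID rather than the reusable ProcID. The numeric-to-name mapping for SignatureStatus is assumed to follow the order of the SignatureStatusDisplayName list (the page only confirms 1 = Ok), and the sample records and GUID values are constructed.

```python
# Index order assumed to follow the SignatureStatusDisplayName list on this
# page (0 = Unknown ... 7 = Error); the page itself only confirms 1 = Ok.
SIGNATURE_STATUS_NAMES = ["Unknown", "Ok", "Revoked", "Expired", "InvalidHash",
                          "UntrustedRoot", "TrustedRootNotInCA", "Error"]

def calculated_fields(event):
    """Return User, StartupTimeS, StartupIOCount, SignatureStatusDisplayName.
    A field is omitted when its raw input is empty (macOS events carry no
    StartupTimeMs; ESA-only fields such as SignatureStatus may be absent)."""
    out = {"User": event.get("ProcUser", "")}
    ms, iops = event.get("StartupTimeMs", ""), event.get("StartupIOPS", "")
    if ms != "":
        out["StartupTimeS"] = int(ms) / 1000
        if iops != "":
            out["StartupIOCount"] = int(iops) * int(ms) / 1000
    status = event.get("SignatureStatus", "")
    if status.isdigit() and int(status) < len(SIGNATURE_STATUS_NAMES):
        out["SignatureStatusDisplayName"] = SIGNATURE_STATUS_NAMES[int(status)]
    return out

def parent_of(event, events_by_guid):
    """Resolve the parent via ProcParentGUID. ProcParentID alone is ambiguous
    because PIDs are reused; an empty GUID (EnableExtendedInfo off) cannot be
    resolved and yields None."""
    guid = event.get("ProcParentGUID", "")
    return events_by_guid.get(guid) if guid else None

# Constructed sample records, not real telemetry. powershell.exe and
# notepad.exe share ProcID 456 because the OS reused the PID; only the
# uberAgent-generated ProcGUID tells the two instances apart.
SAMPLE_EVENTS = [
    {"ProcName": "powershell.exe", "ProcID": "456", "ProcGUID": "guid-ps-1",
     "ProcParentGUID": "", "StartupTimeMs": "800", "StartupIOPS": "50",
     "SignatureStatus": "1"},
    {"ProcName": "chrome.exe", "ProcID": "1234", "ProcGUID": "guid-chrome-1",
     "ProcParentID": "456", "ProcParentGUID": "guid-ps-1",
     "StartupTimeMs": "300", "StartupIOPS": "150", "SignatureStatus": "1"},
    {"ProcName": "notepad.exe", "ProcID": "456", "ProcGUID": "guid-np-1",
     "ProcParentID": "1234", "ProcParentGUID": "guid-chrome-1",
     "StartupTimeMs": "120", "StartupIOPS": "0", "SignatureStatus": "0"},
]
EVENTS_BY_GUID = {e["ProcGUID"]: e for e in SAMPLE_EVENTS}

def lineage(guid):
    """Walk ProcParentGUID links from a process up to its root; returns names."""
    chain, cur = [], EVENTS_BY_GUID.get(guid)
    while cur is not None:
        chain.append(cur["ProcName"])
        cur = parent_of(cur, EVENTS_BY_GUID)
    return chain
```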