uberAgent

Threat Detection Metrics

Process Tagging

uberAgent evaluates every monitored event (process start/stop, image load, network, registry, DNS, and so on) against the configured [ActivityMonitoringRule] rules. When a rule matches, the event is emitted with that rule's tag, risk score and annotations, which appear below as the ProcTag1, ProcRiskScore1 and RuleAnnotation fields.

Notes:

  • Field: AppVersion - uberAgent has an internal filter to minimize data volume by suppressing version information for system processes and system services. As a result, the AppVersion field is typically empty for most system processes and services.

Details

  • Source type: uberAgentESA:ActivityMonitoring:ProcessTagging
  • Used in dashboards: Threat Detection Events
  • Enabled through configuration setting: ActivityMonitoring
  • Related configuration settings: [ActivityMonitoringRule]
  • Supported platform: Windows

List of Fields in the Raw Agent Data

| Field | Description | Data type | Unit | Example |
|---|---|---|---|---|
| EventType | Event type, an integer from 1 to 26. See also EventTypeName. | Number | | 4 |
| ProcName | Process name. | String | | svchost.exe |
| ProcParentName | Parent process name. | String | | services.exe |
| ProcUser | Process user. | String | | domain\JohnDoe |
| ProcLifetimeMs | Process lifetime. | Number | ms | 500 |
| ProcId | Process ID. | Number | | 12345 |
| ProcParentId | Parent process ID. | Number | | 67890 |
| ProcGUID | Process GUID. | String | | 4b3e3686-7854-4d98-0023-1e0e617bf2e4 |
| ProcParentGUID | Parent process GUID. | String | | d72ceb7e-7851-02ec-005d-139741c4afd6 |
| ProcPath | Process path. | String | | C:\WINDOWS\System32\svchost.exe |
| ProcCmdline | Process command line. | String | | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted |
| ProcTag1 | Rule tag: the tag assigned to events originating from the matching rule. | String | | net-connect-suspicious-sources |
| ProcRiskScore1 | Rule risk score: the risk score assigned to events originating from the matching rule. | Number | | 75 |
| IsElevated | Indicates if the process was started elevated (admin rights). | String | | 1 |
| SessionId | Session ID. | Number | | 2 |
| SessionGUID | Session GUID. | String | | 00000000-b242-d759-7a63-d686b0ffd501 |
| AppId | Application ID. | String | | Svc:WdiSystemHost |
| AppVersion | Application version. | String | | 1.0 |
| IsProtected | Indicates if the process was started protected. | String | | 1 |
| EventCount | The number of identical events that occurred during the interval period. | Number | | 42 |
| RuleAnnotation | JSON of rule annotations like security frameworks. | String | | {"mitre_attack": ["T1086", "T1059.001"]} |

Additionally, one can enhance the information sent to the back-end by defining a number of generic properties that will be sent along with the fields above. Any field listed under Common Event Properties, Network Event Properties, Image Load Event Properties, or Registry Event Properties can be used as a generic property.

List of Calculated Fields

| Field | Description | Data type | Unit | Example | Where available |
|---|---|---|---|---|---|
| EventTypeName | Names for event types based on the lookup lookup_process_tagging_eventtype. Can be Process.Start, Process.Stop, Image.Load, Net.Connect, Net.Receive, Net.Reconnect, Net.Retransmit, Net.Send, Reg.Key.Create, Reg.Value.Write, Reg.Delete, Reg.Key.Delete, Reg.Value.Delete, Reg.Key.SecurityChange, Reg.Key.Rename, Reg.Key.SetInformation, Reg.Key.Load, Reg.Key.Unload, Reg.Key.Restore, Reg.Key.Save, Reg.Key.Replace, Reg.Any, Dns.Query, Process.CreateRemoteThread, Process.TamperingEvent or Net.Any. | String | | Process.Start | Splunk data model, Splunk SPL |
| ProcUser | coalesce(ProcUserExpanded, ProcUser). | String | | Domain\JohnDoe | Splunk data model |
| User | ProcUser. | String | | Domain\JohnDoe | Splunk data model |
| TimestampMs | _time * 1000. | Number | ms | 1585913547467 | Splunk data model |
| RuleAnnotation.mitre_attack.id | One or more MITRE ATT&CK® IDs for the event (multivalue). The source is the field RuleAnnotation. | String | | T1086, T1059.001 | Splunk data model, Splunk SPL |
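The following is an added example, not uberAgent code or part of the original page. It takes raw ProcessTagging events, derives the calculated fields listed above outside of Splunk (the coalesce on ProcUser, TimestampMs from _time, and the multivalue MITRE ATT&CK IDs parsed out of RuleAnnotation), and rolls tagged events up per ProcGUID so a process that trips several rules surfaces with all of its tags and techniques. Everything not stated on the page is an assumption: events are handled as dicts, `_time` is epoch seconds, the small EventType-to-name table is a stand-in for the lookup_process_tagging_eventtype lookup (the page lists the names but not the numeric mapping), the sample events are constructed, and weighting risk by EventCount is this example's own choice.

```python
"""Added example, not uberAgent's own code: derive the page's calculated fields
from raw ProcessTagging events and roll risk up per process.

Assumptions not stated on the page: events arrive as dicts (as a SIEM
forwarder would hand them over), `_time` is epoch seconds, and the small
EventType -> EventTypeName table below is a stand-in for the
lookup_process_tagging_eventtype lookup, whose numeric mapping the page does
not reproduce."""
import json
from collections import defaultdict

# Stand-in for lookup_process_tagging_eventtype (hypothetical values; the real
# lookup ships with the uberAgent Splunk app). Unknown codes map to None.
EVENT_TYPE_NAMES = {1: "Process.Start", 2: "Process.Stop", 4: "Net.Connect",
                    24: "Dns.Query"}


def coalesce(*values):
    """Mimic Splunk coalesce(): return the first value that is not null."""
    for v in values:
        if v is not None:
            return v
    return None


def mitre_ids(rule_annotation):
    """Extract RuleAnnotation.mitre_attack.id as a list of technique IDs.
    A missing field, an empty string or malformed JSON yields [] rather than
    an exception, so one bad rule annotation cannot stall a batch."""
    if not rule_annotation:
        return []
    try:
        data = json.loads(rule_annotation)
    except (TypeError, ValueError):
        return []
    ids = data.get("mitre_attack", []) if isinstance(data, dict) else []
    return [ids] if isinstance(ids, str) else [str(i) for i in ids]


def is_flag_set(event, field):
    """IsElevated and IsProtected are strings ("1"), so compare textually."""
    return str(event.get(field, "0")) == "1"


def calculated_fields(event):
    """Return the calculated fields the page lists for one raw event."""
    user = coalesce(event.get("ProcUserExpanded"), event.get("ProcUser"))
    return {
        "EventTypeName": EVENT_TYPE_NAMES.get(event.get("EventType")),
        "ProcUser": user,
        "User": user,
        "TimestampMs": int(round(event["_time"] * 1000)),
        "RuleAnnotation.mitre_attack.id": mitre_ids(event.get("RuleAnnotation")),
        "IsElevated": is_flag_set(event, "IsElevated"),
    }


def risk_by_process(events):
    """Roll tagged events up per ProcGUID: sum ProcRiskScore1 weighted by
    EventCount (the agent collapses identical events into one record) and
    collect the distinct tags and ATT&CK IDs. The weighting is this
    example's choice, not something the page prescribes."""
    summary = defaultdict(lambda: {"ProcName": None, "risk": 0,
                                   "tags": set(), "mitre": set()})
    for ev in events:
        s = summary[ev["ProcGUID"]]
        s["ProcName"] = ev.get("ProcName")
        s["risk"] += int(ev.get("ProcRiskScore1", 0)) * int(ev.get("EventCount", 1))
        if ev.get("ProcTag1"):
            s["tags"].add(ev["ProcTag1"])
        s["mitre"].update(mitre_ids(ev.get("RuleAnnotation")))
    return dict(summary)


# Constructed sample events (not real agent output); only the fields the
# functions above read are populated.
SAMPLE_EVENTS = [
    {"_time": 1585913547.467, "EventType": 1, "ProcGUID": "aaaa-1",
     "ProcName": "powershell.exe", "ProcParentName": "winword.exe",
     "ProcUser": "domain\\JohnDoe", "IsElevated": "0",
     "ProcTag1": "office-spawns-shell", "ProcRiskScore1": 75, "EventCount": 1,
     "RuleAnnotation": '{"mitre_attack": ["T1059.001"]}'},
    {"_time": 1585913550.0, "EventType": 4, "ProcGUID": "aaaa-1",
     "ProcName": "powershell.exe", "ProcUser": "domain\\JohnDoe",
     "ProcUserExpanded": "CORP\\JohnDoe", "IsElevated": "0",
     "ProcTag1": "net-connect-suspicious-sources", "ProcRiskScore1": 60,
     "EventCount": 3, "RuleAnnotation": '{"mitre_attack": ["T1071.001"]}'},
    {"_time": 1585913560.0, "EventType": 1, "ProcGUID": "bbbb-2",
     "ProcName": "svchost.exe", "ProcUser": "NT AUTHORITY\\SYSTEM",
     "IsElevated": "1", "ProcTag1": "system-service-start",
     "ProcRiskScore1": 10, "EventCount": 1, "RuleAnnotation": ""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(calculated_fields(ev))
    for guid, s in risk_by_process(SAMPLE_EVENTS).items():
        print(guid, s["ProcName"], s["risk"], sorted(s["tags"]), sorted(s["mitre"]))
```

Two details worth keeping in mind when you write your own searches: ProcUser from the data model is the coalesced value, so the same process can show a different user string than the raw event once ProcUserExpanded is present, and IsElevated/IsProtected arrive as strings, so a numeric comparison in SPL or in a downstream rule will silently miss them.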