Threat Detection Metrics
Process Tagging
uberAgent evaluates the configured rule set against process activity and tags each matching event with the tag and risk score of the rule that matched.
Notes:
- AppVersion: uberAgent has an internal filter that minimizes data volume by suppressing version information for system processes and system services. As a result, the AppVersion field is typically empty for most system processes and services.
Details
- Source type: uberAgentESA:ActivityMonitoring:ProcessTagging
- Used in dashboards: Threat Detection Events
- Enabled through configuration setting: ActivityMonitoring
- Related configuration settings: [ActivityMonitoringRule]
- Supported platform: Windows
List of Fields in the Raw Agent Data
Field | Description | Data type | Unit | Example |
---|---|---|---|---|
EventType | Event type. One of the integers 1 through 26. See also EventTypeName. | Number | | 4 |
ProcName | Process name. | String | | svchost.exe |
ProcParentName | Parent process name. | String | | services.exe |
ProcUser | Process user. | String | | domain\JohnDoe |
ProcLifetimeMs | Process lifetime. | Number | ms | 500 |
ProcId | Process ID. | Number | | 12345 |
ProcParentId | Parent process ID. | Number | | 67890 |
ProcGUID | Process GUID. | String | | 4b3e3686-7854-4d98-0023-1e0e617bf2e4 |
ProcParentGUID | Parent process GUID. | String | | d72ceb7e-7851-02ec-005d-139741c4afd6 |
ProcPath | Process path. | String | | C:\WINDOWS\System32\svchost.exe |
ProcCmdline | Process command line. | String | | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted |
ProcTag1 | Rule tag: the tag assigned to events originating from the matching rule. | String | | net-connect-suspicious-sources |
ProcRiskScore1 | Rule risk score: the risk score assigned to events originating from the matching rule. | Number | | 75 |
IsElevated | Indicates whether the process was started elevated (admin rights). | String | | 1 |
SessionId | Session ID. | Number | | 2 |
SessionGUID | Session GUID. | String | | 00000000-b242-d759-7a63-d686b0ffd501 |
AppId | Application ID. | String | | Svc:WdiSystemHost |
AppVersion | Application version. | String | | 1.0 |
IsProtected | Indicates whether the process was started as a protected process. | String | | 1 |
EventCount | The number of identical events that occurred during the interval period. | Number | | 42 |
RuleAnnotation | JSON of rule annotations, such as security framework references. | String | | {"mitre_attack": ["T1086", "T1059.001"]} |
Additionally, the information sent to the back end can be enriched by defining generic properties that are sent along with the fields above. Any field listed under Common Event Properties, Network Event Properties, Image Load Event Properties, or Registry Event Properties can be used as a generic property.
List of Calculated Fields
Field | Description | Data type | Unit | Example | Where available |
---|---|---|---|---|---|
EventTypeName | Name of the event type, based on the lookup lookup_process_tagging_eventtype. Can be Process.Start, Process.Stop, Image.Load, Net.Connect, Net.Receive, Net.Reconnect, Net.Retransmit, Net.Send, Reg.Key.Create, Reg.Value.Write, Reg.Delete, Reg.Key.Delete, Reg.Value.Delete, Reg.Key.SecurityChange, Reg.Key.Rename, Reg.Key.SetInformation, Reg.Key.Load, Reg.Key.Unload, Reg.Key.Restore, Reg.Key.Save, Reg.Key.Replace, Reg.Any, Dns.Query, Process.CreateRemoteThread, Process.TamperingEvent or Net.Any. | String | | Process.Start | Splunk data model, Splunk SPL |
ProcUser | coalesce(ProcUserExpanded, ProcUser). | String | | Domain\JohnDoe | Splunk data model |
User | ProcUser. | String | | Domain\JohnDoe | Splunk data model |
TimestampMs | _time * 1000. | Number | ms | 1585913547467 | Splunk data model |
RuleAnnotation.mitre_attack.id | One or more MITRE ATT&CK® IDs for the event. The source is the field RuleAnnotation. | String | | T1086 T1059.001 | Splunk data model, Splunk SPL |
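The following is an added example (not uberAgent or Splunk code) that derives the calculated fields above from one raw ProcessTagging event outside of Splunk, for instance in a pipeline that forwards the data elsewhere. The raw event is constructed from the example column of the field table, and the event-type lookup is a placeholder: the page names the event types but does not state which number maps to which name, so that mapping must come from lookup_process_tagging_eventtype.

```python
import json

# Placeholder for lookup_process_tagging_eventtype. The page lists the names
# but not the number-to-name mapping, so this single entry is an assumption.
EVENT_TYPE_LOOKUP = {4: "Process.Start"}


def parse_mitre_ids(rule_annotation):
    """Return the MITRE ATT&CK IDs carried in the RuleAnnotation JSON string."""
    # A missing or malformed annotation yields [] rather than raising, so one
    # bad event cannot abort processing of a whole batch.
    if not rule_annotation:
        return []
    try:
        annotation = json.loads(rule_annotation)
    except (TypeError, ValueError):
        return []
    if not isinstance(annotation, dict):
        return []
    ids = annotation.get("mitre_attack", [])
    if isinstance(ids, str):  # tolerate a single ID given as a bare string
        ids = [ids]
    return [str(i) for i in ids]


def coalesce(*values):
    """Splunk-style coalesce: the first argument that is not None."""
    return next((v for v in values if v is not None), None)


def derive_calculated_fields(raw, time_s, lookup=EVENT_TYPE_LOOKUP):
    """Compute the calculated fields documented above for one raw event."""
    proc_user = coalesce(raw.get("ProcUserExpanded"), raw.get("ProcUser"))
    return {
        "EventTypeName": lookup.get(raw.get("EventType"), "Unknown"),
        "ProcUser": proc_user,
        "User": proc_user,  # User is simply ProcUser
        "TimestampMs": int(round(time_s * 1000)),  # _time is in seconds
        "RuleAnnotation.mitre_attack.id": parse_mitre_ids(raw.get("RuleAnnotation")),
    }


# Constructed raw event; the values come from the example column of the table.
SAMPLE_EVENT = {
    "EventType": 4,
    "ProcName": "svchost.exe",
    "ProcUser": "domain\\JohnDoe",
    "ProcTag1": "net-connect-suspicious-sources",
    "ProcRiskScore1": 75,
    "RuleAnnotation": '{"mitre_attack": ["T1086", "T1059.001"]}',
}
```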