Skip to main content

Windows and macOS

User Experience Monitoring & Endpoint Security Analytics

Try it!

Why uberAgent?

uberAgent is an innovative user experience monitoring and endpoint security analytics product for Windows and macOS.

  • Data quality

    uberAgent does not just collect data – it gives you the information that matters. Other monitoring products rely on the logs and counters built into the OS. uberAgent has its own metrics, covering key aspects of UX and security.

  • User experience monitoring

    Logon duration, application unresponsiveness, network reliability, process startup, web app usage, application inventory, remoting protocol insights, application performance, VM sizing, and much more.

  • Endpoint security analytics

    MS Office macros, DNS query monitoring, Authenticode verification, LOLBAS detection, Sigma signatures, process image file hashing, extensible ruleset, and uAQL query language on the endpoint security analytics side, and much more.

  • Physical & virtual

    uberAgent tells you everything you need to know about physical machines, virtual desktops, Apple macOS, Citrix, or VMware without affecting your systems’ user density. Whether it’s PCs, laptops, SBC, VDI, or RDS: uberAgent covers it all.

  • Lightweight agent

    A single agent for user experience monitoring and security analytics. uberAgent’s endpoint agent has been heavily optimized for minimal footprint and maximum efficiency.

  • Built for Splunk

    uberAgent is optimized for Splunk (but also works with Elastic, Azure Monitor, or Apache Kafka as backend). uberAgent comes with 60+ Splunk dashboards that visualize the collected data.

  • Unlimited scalability

    uberAgent scales to 100,000s of endpoints. Our enterprise customers are deploying uberAgent to their entire fleet of desktops, laptops, and VMs.

uberAgent Products

uberAgent UXM

uberAgent User Experience Monitoring (UXM) is the original uberAgent product. uberAgent UXM covers all aspects of user experience and application performance.

uberAgent is more than just monitoring. It is an indispensable tool for all phases of the IT lifecycle, from analysis to design, implementation, operations, and troubleshooting. uberAgent helps IT pros understand end-users without invading their privacy.

UXM is for

  • Application performance
  • User Experience

uberAgent ESA

uberAgent Endpoint Security Analytics (ESA) is the newer uberAgent product. uberAgent ESA adds deep security visibility to the rich UX and performance metrics collected by uberAgent UXM.

uberAgent ESA and uberAgent UXM are deeply integrated. Both products combined require only a single endpoint agent.

uberAgent ESA cannot be licensed individually, it requires an uberAgent UXM license.

ESA is for

  • Endpoint security
  • Threat hunting

uberAgent Features

User Logon Duration

uberAgent not only tells you if your logon times are good or bad. It shows you exactly where the time is spent.

  • Is it the user profile loading slowly?
  • Has the logon script become too big?
  • Is Group Policy being processed efficiently?

Learn more

Network Monitoring per Application

Oftentimes when applications are performing badly the root cause is an overloaded backend server. Such issues are hard to diagnose. uberAgent makes it a lot easier by collecting vital KPIs like latency, jitter, and packet loss – per application.

uberAgent also monitors network quality, detects blocked ports and calculates network availability.

Learn more

Activity Monitoring Engine

uberAgent ESA Activity Monitoring makes system activity traceable and searchable. Its comprehensive, extensible ruleset is powered by uAQL, a feature-rich query language that is both easy to read by humans and fast to process by computers.

When an Activity Monitoring rule matches a risky process, an unusual network connection, or similar activity, uberAgent ESA creates an event in your SIEM (e.g., Splunk).

Learn more

Application Reliability

Application stability and performance are crucial for user experience. With uberAgent, you can measure both!

  • Application UI unresponsiveness tracks when application UIs are not responding to user input.
  • Application performance determines the resource utilization of all the components that make up an application combined.
  • Application errors pinpoints what’s wrong – and who is affected.

Learn more

Web App Performance

Browsers have become operating systems of their own, running dozens or even hundreds of web apps concurrently, one app per tab.

It is no longer sufficient to gather performance data for the browser as a whole. IT needs to be able to identify business-critical web apps, monitor response times and data flows.

Learn more

Application Usage & Inventory

uberAgent easily answers difficult questions, both for traditionally installed and web apps:

  • How many licenses do we need for application X?
  • How many applications do we have in total?
  • Which applications are used where, and when?

Learn more

A quick intro

Watch the video

This video explains in 3 minutes why every end-user computing deployment needs uberAgent, be it physical PCs, virtual desktops, Citrix CVAD, VMware Horizon, or Microsoft AVD.

All videos

More uberAgent Features

Citrix Cloud

Citrix Cloud monitoring is uberAgent’s capability to monitor the Citrix CVAD control plane in Citrix Cloud. It collects information such as:

  • Published applications
  • Desktops & desktop groups
  • Machines & catalogs
Application Identification

Tired of deciphering cryptic process names? We thought so. Process names are for machines, application names are for humans.

uberAgent’s automatic application identification does not require configuration – and it even works with Windows services, App-V, Java and UWP applications. On macOS, even XPC services and privileged helper tools are covered.

Experience Score

The experience score dashboard is the entry point of the uberAgent UXM Splunk app. It calculates and visualizes experience scores for the entire estate, breaking the data down by category and component, highlighting components where potential issues are originating from. The dashboard also provides quick access to important KPIs like logon duration, application responsiveness, or application errors.

MS Office & Acrobat Reader

uberAgent ESA comes with preconfigured rules that detect suspicious behavior with MS Office applications and Adobe Acrobat Reader such as:

  • Child process creation
  • Download operations
  • Macro execution
  • Suspicious DLLs
System Boot Performance

Boot duration is often equivalent to the number of disk IOs – if you want fast boots you need to reduce the IO count. And uberAgent shows you just what you need to know to do that.


LOLBAS stands for Living Off the Land Binaries And Scripts, a type of activity that misuses tools and executables that are already there because they are part of the operating system. uberAgent ESA detects LOLBAS activity such as:

  • Unusual child processes and DLL loads
  • Starts from non-default locations
  • Download operations
  • Execution from alternate data streams
User Session Footprint

When sizing an SBC farm you need reliable data about RAM, CPU, and disk usage per user session. Such data can be hard to come by. With uberAgent, it is but a dashboard away.

Works with:

  • Citrix Virtual Apps and Desktops
  • VMware Horizon
  • Azure Virtual Desktop (AVD)
  • Nutanix Frame
Suspicious Network Activity

uberAgent ESA detects suspicious behavior related to network operations such as:

  • PowerShell outbound network connections
  • RDP connects from non-RDP software indicating lateral movement
  • Network connects to suspicious ports
File System Permissions

uberAgent ESA has sophisticated features that greatly facilitate working with security descriptors (SDDL strings). uberAgent detects detect processes started from directories that are user-writable and process starts from directories with a low mandatory integrity label.

Citrix CVAD Sites

uberAgent detects if it is running on a Citrix Delivery Controller (DDC) or a Citrix Virtual Desktop Agent (VDA). On DDCs, uberAgent automatically activates additional metrics like machine registration status, license usage, and published application inventory.

Sigma Rule Converter

Sigma is an open-source project that collects generic signatures for SIEM systems. vast limits contributes a rule converter to the ESA Activity Monitoring rule format. This makes it possible to enable hundreds of additional detection rules simply by including another configuration file.

WiFi Connections

uberAgent’s WiFi connection monitoring keeps track of the relevant quality and security parameters of the WiFi network through which a user’s endpoint is connected to the internet and/or the corporate network.

Root CA Certificates

uberAgent ESA detects changes to root CA certificates such as certificate chain cloning and cloned root trust attacks.

SSH Sessions

uberAgent detects incoming SSH connections to macOS endpoints. Every SSH connection is given a unique identifier. Any processes that are executed within the SSH session are associated with it.

DNS Queries

DNS query monitoring tracks all outgoing DNS requests on the endpoints where uberAgent is installed. This makes it possible to detect data exfiltration via DNS, a powerful technique because it does not require a direct network connection between the source and target hosts.

Persistent Output Queue

Disk buffering via uberAgent’s persistent output queue ensures that no data is lost even in situations where the backend is unavailable for prolonged periods of time. The most important use case is with laptops.

uAQL Query Language

uAQL is a query language that is powerful yet efficient and easy to read. uAQL queries are used by the endpoint agent for ESA Activity Monitoring rules and for event data filtering.

User & Host Tags

Collect additional user or machine identifiers from Active Directory, the registry, or from environment variables.

Authenticode Signatures

uberAgent verifies the digital signature of each EXE/DLL that is executed or loaded into memory. uberAgent checks many properties of the signature, including the full chain of certificates.

Custom Scripts

uberAgent can collect data for arbitrary custom metrics through a generic script execution engine. It runs any type of script at any desired interval, either per machine or per user session.

Remote Thread Creation

Remote thread creation monitoring collects detailed information for any remote thread code injection event, including source & target process and the function that was called.

Event Data Filtering

Event data filtering allows defining rules that are evaluated for every event before it is sent to the backend. Rules control whether the event is sent to the backend or not. Additionally, rules can be used to clear the contents of fields.

Splunk Enterprise Security Integration

uberAgent supports all CIM fields populated by popular Sysmon add-ons. Data models include Endpoint, Malware, Change, and Network Resolution (DNS).

Configuration via Group Policy or Config File

uberAgent can be configured by means of a configuration file (all platforms) or via Group Policy (Windows).

Image File Hashing

Whenever a process is started or a DLL is loaded, uberAgent ESA calculates the hash of the file located on disk. uberAgent supports the hash variants MD5, SHA-1, SHA-256, and ImpHash both individually and simultaneously.

Citrix ADC

With Citrix ADC monitoring, uberAgent collects appliance & gateway performance, utilization, and inventory data from Citrix Application Delivery Controllers.

Scheduled Tasks

uberAgent ESA monitors changes to Windows scheduled tasks. Whenever a task is created, updated, or deleted, uberAgent generates an event with all available details. This includes properties that are not displayed in the Windows Task Scheduler UI, such as COM actions or custom triggers.

GPU Acceleration

As it becomes more and more common to utilize the GPU for effects, video decoding and even general-purpose computing administrators need a tool that helps them understand exactly how their applications make use of GPU acceleration in order to optimally size the hardware for the workload. uberAgent is that tool.

Process Tree

uberAgent ESA comes with a powerful Process Tree dashboard that makes it easy to identify a process’ descendants, listing important process properties such as the process lifetime, the command line, the elevation status, or the name and version of the application the process is a part of.

Eval & Community Licenses

We have multiple types of free licenses: eval licenses for PoCs, community licenses for smaller deployments, NFR licenses for partners and bloggers.

Request your free license

Demos, PoCs & Quotes

Our solution partners are competent both with uberAgent and with Splunk. They are happy to assist you with product demos, PoCs, customizations as well as quotes and pricing.

Find a partner

Any Questions?

Do you want to know more about uberAgent? Ask us, we are always happy to help!

Contact us

Success Stories

uberAgent makes user experience measurable

Frederik von Rüden
Unit Head Virtual Workplace Solutions, GOSP

Ready-made graphs and commonly needed metrics available out of the box.

Jesse Harris
Infrastructure Analyst, USC

uberAgent not only shows that issues are very often not Citrix's fault, it also helps to find the root cause of a bad user experience.

Sacha Thomet
Systems Engineer and CTP, Die Mobiliar

uberAgent is easy and intuitive to use. It was a great help with sizing and troubleshooting our VDI environment.

Tiemon de Vries
Systems Engineer, Martini Ziekenhuis

uberAgent is easy to install and manage, unobtrusive, and an invaluable source of information on what happens on our client stations.

Luc Dekens
Systems Engineer, MUAC