Digital Employee Experience & Endpoint Security Analytics

Experience Score

The experience score dashboard is the entry point of the uberAgent UXM Splunk app. It calculates and visualizes experience scores for the entire estate, breaking the data down by category and component, highlighting components where potential issues are originating from. The dashboard also provides quick access to important KPIs like logon duration, application responsiveness, or application errors.

MS Office Security

uberAgent ESA comes with preconfigured rules that detect suspicious behavior with MS Office applications, such as:

• Child process creation
• Download operations
• Macro execution
• Suspicious DLLs

Citrix Sessions

uberAgent provides unprecedented visibility into what’s happening in Citrix CVAD user sessions: bandwidth usage, protocol latency, Citrix policies, video encoding settings, and much more.

Application Identification

Tired of deciphering cryptic process names? We thought so. Process names are for machines, application names are for humans.

uberAgent’s automatic application identification does not require configuration – and it even works with Windows services, App-V, Java and UWP applications. On macOS, even XPC services and privileged helper tools are covered.

Suspicious Network Activity

uberAgent ESA detects suspicious behavior related to network operations such as:

• PowerShell outbound network connections
• RDP connects from non-RDP software indicating lateral movement
• Network connects to suspicious ports

User Session Footprint

When sizing an SBC farm you need reliable data about RAM, CPU, and disk usage per user session. Such data can be hard to come by. With uberAgent, it is but a dashboard away.

Works with:

• Citrix Virtual Apps and Desktops
• VMware Horizon
• Azure Virtual Desktop (AVD)
• Nutanix Frame

Citrix Cloud

Citrix Cloud monitoring is uberAgent’s capability to monitor the Citrix CVAD control plane in Citrix Cloud. It collects information such as:

• Published applications
• Desktops & desktop groups
• Machines & catalogs

LOLBAS

LOLBAS stands for Living Off the Land Binaries And Scripts, a type of activity that misuses tools and executables that are already there because they are part of the operating system. uberAgent ESA detects LOLBAS activity such as:

• Unusual child processes and DLL loads
• Starts from non-default locations
• Download operations
• Execution from alternate data streams

File System Permissions

uberAgent ESA has sophisticated features that greatly facilitate working with security descriptors (SDDL strings). uberAgent detects detect processes started from directories that are user-writable and process starts from directories with a low mandatory integrity label.

System Boot Performance

Boot duration is often equivalent to the number of disk IOs – if you want fast boots you need to reduce the IO count. And uberAgent shows you just what you need to know to do that.

Sigma Rule Converter

Sigma is an open-source project that collects generic signatures for SIEM systems. vast limits contributes a rule converter to the ESA Threat Detection rule format. This makes it possible to enable hundreds of additional detection rules simply by including another configuration file.

Citrix CVAD Sites

uberAgent detects if it is running on a Citrix Delivery Controller (DDC) or a Citrix Virtual Desktop Agent (VDA). On DDCs, uberAgent automatically activates additional metrics like machine registration status, license usage, and published application inventory.

WiFi Connections

uberAgent’s WiFi connection monitoring keeps track of the relevant quality and security parameters of the WiFi network through which a user’s endpoint is connected to the internet and/or the corporate network.

uAQL Studio

uAQL Studio is a free online tool to learn, build and test uberAgent ESA Threat Detection rules.

Root CA Certificates

uberAgent ESA detects changes to root CA certificates such as certificate chain cloning and cloned root trust attacks.

SSH Sessions

uberAgent detects incoming SSH connections to macOS endpoints. Every SSH connection is given a unique identifier. Any processes that are executed within the SSH session are associated with it.

DNS Exfiltration & Tunneling

DNS exfiltration & tunneling techniques are so dangerous because they abuse a core component of TCP/IP networks that is largely unmonitored and difficult to control: DNS. uberAgent’s agent-based DNS risk calculation and a Splunk dashboard focused on the detection of malicious DNS activity are two powerful weapons that help fight this threat.

Intelligent Disk Buffering

uberAgent’s persistent output queue ensures that no data is lost even in situations where the backend is unavailable for prolonged periods of time (e.g., when laptops are offline). Intelligent disk buffering minimizes disk IO by monitoring backend availability and bypassing the output queue on disk when the backend is reachable.

uAQL Query Language

uAQL is a query language that is powerful yet efficient and easy to read. uAQL queries are used by the endpoint agent for ESA Threat Detection rules and for event data filtering.

User & Host Tags

Collect additional user or machine identifiers from Active Directory, the registry, or from environment variables.

Authenticode Signatures

uberAgent verifies the digital signature of each EXE/DLL that is executed or loaded into memory. uberAgent checks many properties of the signature, including the full chain of certificates.

Custom Scripts

uberAgent can collect data for arbitrary custom metrics through a generic script execution engine. It runs any type of script at any desired interval, either per machine or per user session.

Remote Thread Creation

Remote thread creation monitoring collects detailed information for any remote thread code injection event, including source & target process and the function that was called.

Event Data Filtering

Event data filtering allows defining rules that are evaluated for every event before it is sent to the backend. Rules control whether the event is sent to the backend or not. Additionally, rules can be used to clear the contents of fields.

Splunk Enterprise Security Integration

uberAgent supports all CIM fields populated by popular Sysmon add-ons. Data models include Endpoint, Malware, Change, and Network Resolution (DNS).

Configuration via Group Policy or Config File

uberAgent can be configured by means of a configuration file (all platforms) or via Group Policy (Windows).

Image File Hashing

Whenever a process is started or a DLL is loaded, uberAgent ESA calculates the hash of the file located on disk. uberAgent supports the hash variants MD5, SHA-1, SHA-256, and ImpHash both individually and simultaneously.

Citrix NetScaler (ADC)

With Citrix NetScaler (ADC) monitoring, uberAgent collects appliance & gateway performance, utilization, and inventory data from Citrix Application Delivery Controllers.

Scheduled Tasks

uberAgent ESA monitors changes to Windows scheduled tasks. Whenever a task is created, updated, or deleted, uberAgent generates an event with all available details. This includes properties that are not displayed in the Windows Task Scheduler UI, such as COM actions or custom triggers.

GPU Acceleration

As it becomes more and more common to utilize the GPU for effects, video decoding and even general-purpose computing administrators need a tool that helps them understand exactly how their applications make use of GPU acceleration in order to optimally size the hardware for the workload. uberAgent is that tool.

Process Tree

uberAgent ESA comes with a powerful Process Tree dashboard that makes it easy to identify a process’ descendants, listing important process properties such as the process lifetime, the command line, the elevation status, or the name and version of the application the process is a part of.

Sysmon Rule Converter

Sysmon is one of the most popular endpoint detection tools. Numerous quality rulesets are maintained by the security community. With our converter, Sysmon rulesets can be used with uberAgent ESA.

Windows Performance Counters

In addition to its rich set of native metrics, uberAgent can collect data from any Windows performance counter. A Splunk dashboard provides visualizations and intuitive filtering.

MITRE ATT&CK Technique ID

uberAgent ESA Threat Detection rules come with MITRE ATT&CK technique ID annotations. The technique ID is visualized in the Splunk Enterprise Security Risk Analysis dashboard as well as in the dashboards of the uberAgent ESA Splunk app.

Helpdesk Splunk App

The uberAgent Helpdesk Splunk app provides a view of the data collected by uberAgent that is specifically formatted for help desk technicians. The app helps answer typical user questions quickly and efficiently.