Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


How uberAgent ESA Complements EDR Products

  • by Helge Klein
  • January 11, 2022

Should you wear both belt and suspenders? When it comes to IT security, the answer is most likely yes. No single product can detect all threats, prevent all exploits, or block all attacks. This article explains why it is often beneficial to complement an EDR tool with an analytics product such as uberAgent ESA.

Shortcomings of EDR Products

Detection Gaps

Nobody’s perfect. As stated above, no EDR product detects and blocks all threats. Quite the contrary, EDR often has alarming gaps. As the independent researchers George Karantzas and Constantinos Patsakis found in their EDR study, no EDR can efficiently detect and prevent the […] attack vectors we deployed. That is not all. As the scientists explain, “DLL sideloading attack is the most successful attack as most EDRs fail to detect, let alone block it.”

In addition to the above, EDR is often focused on executables and may ignore scripts, documents, or compressed files. Finally, it’s often unclear what exactly an EDR product can detect.


Most EDR vendors don’t document how their detections work and what exactly is logged. Wanting to protect one’s “secret sauce” may seem like a good move until you consider that it leaves customers in the dark about a product’s capabilities (which may even be intentional in some cases). Unfortunately, obscurity on the vendor’s part may lull customers into a false sense of security, believing they’re protected when in reality they’re not.

Focused Solely on Malicious Events

With their strong focus on detecting and blocking malicious events, EDR products fail to provide visibility into “normal” application (or user) behavior. This information gap makes it hard to detect outliers and anomalies, a task typically performed by analysts with the help of a SIEM.

Suboptimal SIEM Integration

In many cases, it’s more complicated than it should be to get EDR data into a SIEM such as Splunk. Sometimes, there’s a significant time lag before data shows up at the SIEM, delaying alerts and notifications.


With many EDR products, creating custom rules or tweaking built-in detection logic can be difficult or time-consuming.

Why a Second Data Source Is Invaluable for Endpoint Security

Second Opinion & Sanity Checking

Given the shortcomings of EDR products, feeling the need to verify the data being collected by the EDR is only natural. Also, you may want a fail-safe for situations where the EDR either doesn’t detect a threat or malicious actors disable the EDR altogether.

Better SIEM Integration

SIEMs need high-quality data to be useful. There are not many data sources with a good signal-to-noise ratio on Windows or macOS. Simply forwarding event logs is not enough: they’re too noisy and lack essential detail such as parent processes or command-line arguments.


The opaqueness of EDR detections needs to be counterbalanced by a transparent, rule-based approach. You want to know what you’re collecting, when, and why.

Visibility Into Normal Behavior

You require insights into more than what is deemed malicious events. You need data that helps you understand what is happening on endpoints during regular operations. Visibility into the day-to-day routine is the basis for all advanced analytics.

Benefits of uberAgent for Endpoint Security Analytics

One Agent

uberAgent uses a single agent for security analytics, performance monitoring, and user experience data collection. Engineered in Germany, uberAgent is renowned for its small footprint and its overall product quality.

Built for Splunk

uberAgent has been built and optimized for Splunk from day one. It comes with feature-rich Splunk apps as well as perfect integration with Splunk Enterprise Security.


Sigma & Sysmon Rule Converters

uberAgent ships with rule converters for the two most popular free endpoint analytics tools: Sigma and Sysmon. The former translates Sigma signatures into the format used by uberAgent ESA, while the latter does the same for Sysmon rules.

SIEM Backend Support

With support for four different backends, uberAgent can be integrated into almost any SIEM infrastructure. The agent can directly send the collected data to Splunk, Elasticsearch, Apache Kafka, and Azure Monitor.


uberAgent’s Threat Detection Engine is built around uAQL, a powerful event query language. Whenever a Threat Detection rule matches suspicious or unusual behavior, the endpoint agent generates an event in your SIEM.

Although requiring only minimal resources on the endpoint, uAQL fully supports all aspects of the Sigma and Sysmon rule specifications, making it possible to convert them without losing fidelity.

Scalability & Flexibility

Our largest customers have deployed uberAgent to 100,000+ endpoints – each (more information). This shows that there are no built-in limitations in the product’s architecture. It also demonstrates that uberAgent is inherently flexible in how it can be configured and deployed. After all, organizations with hundreds of thousands of endpoints tend to have heterogeneous networks and complex requirements.


uberAgent ESA is probably the security product that collects the most detailed baseline of regular system activity. uberAgent’s digital employee experience monitoring component includes application activity, user sessions, network connections, and browser communications, to name a few.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *