Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at Citrix.com.

Release

Sigma Integration v2: State-of-the-Art Threat Detections for uberAgent ESA

  • by Sven Scharmentke
  • November 15, 2023

In this article

We’re thrilled to unveil the second generation of our Sigma to uberAgent ESA rule converter. pySigma-backend-uberAgent is a brand-new backend plugin that adds uberAgent support to Sigma’s second generation rule converter tool, sigma-cli, and the Python library it’s based on, pySigma.

What Is Sigma?

Sigma is an open signature format that allows security researchers and analysts to describe their detection methods in a generic, vendor-agnostic manner. Sigma is also a growing repository of peer-reviewed detection and hunting rules that can be converted to a variety of backends. One such backend is uberAgent ESA.

Sigma Rule Example

title: Detect start of powershell.exe
status: test
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: powershell.exe
    condition: selection

Sigma rules are written in YAML. The example above shows a simple rule that matches Windows process creation events where the executable’s name ends with powershell.exe.

Why a New Rule Converter?

Sigma’s existing rule converter, sigmac, has been marked as deprecated because its architecture proved too inflexible for the project’s growing success, which brought along the need for new detection rule capabilities. Specifically, adding modifiers such as cidr (IP range) or expand (variable expansion) would have been challenging to implement with the legacy converter sigmac.

New Converter → New Backend Plugins

Sigma’s new rule conversion library, pySigma, has a much more modular architecture than its predecessor. Unfortunately, it marks a breaking change in that it isn’t compatible with existing backend plugins. For that reason, we set out to create a new uberAgent backend plugin for Sigma’s shiny new converter. This new plugin is pySigma-backend-uberAgent.

Many New Rules

Many Sigma rules already make use of the additional capabilities of Sigma’s new converter. These rules couldn’t be converted with the legacy converter sigmac and had to be disabled in our conversion pipeline for uberAgent. With the switch to Sigma’s new pySigma converter, that restriction does not apply anymore, resulting in many more Sigma rules being available for uberAgent ESA.

Release Status of uberAgent’s Sigma Backend Plugin

pySigma-backend-uberAgent should show up in Sigma’s plugin directory soon; a pull request is on its way. Once that PR has been approved, the uberAgent backend plugin will show up in Sigma’s online rule converter, too.

Our own rule repository is being updated to incorporate the additional rules generated by v2 of the uberAgent backend plugin for Sigma, too, of course.

Conclusion

Launching our new rule converter is underway, modernizing the uberAgent configuration repository with new and updated rules from the leading open detection signature project. Our technological enhancements go beyond mere updates; we’ve introduced new capabilities tailored to uberAgent ESA’s threat detection event types, such as file system monitoring.

Here’s a snapshot of the new event types now supported:

  • File delete: 12/12 rules
  • File read: 5/5 rules
  • File rename: 2/2 rules
  • File create: 150/150 rules
  • File write: 1/2 rules

Moreover, with the release of uberAgent 7.1, we’ve expanded the reach of uberAgent ESA’s Threat Detection Engine to macOS. We’re positively thrilled that we achieved 100% coverage for all macOS rules available in the Sigma project. Stay tuned for a detailed breakdown of what’s currently supported and a glimpse into what we have in store next!

For a more comprehensive overview of the changes and new capabilities in uberAgent 7.1, read the release blog post.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Comments

Your email address will not be published. Required fields are marked *

Related Posts

December 18, 2023

We've released a web app that lets you see exactly which Sigma detection signatures are supported in uberAgent ESA's Threat Detection Engine.
December 7, 2023

Learn how uberAgent ESA’s Security Score enables help desk engineers to improve endpoint security by detecting insecure configurations and risky activity.
November 30, 2023

We're making exciting improvements to uberAgent ESA’s Threat Detection rules. These upcoming changes increase the rule engine’s performance, enhance the readability of rule queries, and simplify day-to-day operations.
All posts