Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


Sigma Rule Coverage Explorer Released

  • by Helge Klein
  • December 18, 2023

In our habitual spirit of transparency and openness, we have released a web app that lets you see exactly which Sigma detection signatures are supported in uberAgent ESA’s Threat Detection Engine.

TL;DR: take a look at uberAgent Sigma Rule Coverage Explorer.

What is uberAgent Sigma Rule Coverage Explorer?

As we explained in this recent blog post about v2 of our Sigma integration, we’re going to great lengths to make Sigma signatures available for uberAgent ESA’s Threat Detection Engine via a backend plugin for Sigma’s rule converter. We’re working hard to get to supporting 100% of Sigma’s feature set. To document our progress, we’ve developed the Sigma Rule Coverage Explorer app so that everybody can see where we stand.

Why Sigma?

Sigma is the leading open detection signature project. It excels with its open signature format that allows security researchers and analysts to describe their detection methods in a generic, vendor-agnostic manner. Sigma is also a growing repository of peer-reviewed detection and hunting rules that can be converted to a variety of backends.

Why a rule coverage explorer app?

One part of the answer is openness. We believe that, in the long term, it benefits everybody involved to be able to determine a product’s capabilities easily. We’re proud of what we have to offer, and we like to show the cool things uberAgent can do. But we’re not in the business of selling the (non-existent!) one product that does it all. Transparency FTW.

The other part, we’re not ashamed to admit, is selfishness. The Rule Coverage Explorer app has a section that lists the fields not yet supported by uberAgent, along with the number of Sigma rules making use of such fields. This statistic is very helpful for us in determining which features to add to our query language uAQL next.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *