uberAgent 3.6: Experimental Support for Elasticsearch
In uberAgent 3.6 we have added experimental support for sending data directly to Elasticsearch. In addition to that, uberAgent now generates unique GUIDs for each process and user session. These can optionally be logged at process start along with the full path and command line. Being able to identify process instances by GUID is particularly relevant for security use cases because Windows reuses process and session IDs, so a PID or session ID alone does not uniquely identify a process instance over time. This new release also contains several other improvements and bugfixes. As always, upgrading is highly recommended.
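To illustrate why a per-instance GUID matters for correlation, here is an added example (not uberAgent code, and not its actual event format): a constructed stream of process events in which Windows hands PID 4321 to a second, unrelated binary after the first process exits. Field names and values are assumptions for illustration only.

```python
# Added example, not uberAgent code: grouping process events by PID vs. by
# a per-instance GUID when the PID is reused. Field names are constructed.
from collections import defaultdict

# Constructed event stream: PID 4321 is reused by a different binary after
# the first process exits. Each process instance carries its own GUID.
EVENTS = [
    {"ts": 1, "event": "start", "pid": 4321, "guid": "guid-A",
     "path": r"C:\Windows\System32\notepad.exe"},
    {"ts": 2, "event": "stop", "pid": 4321, "guid": "guid-A"},
    {"ts": 3, "event": "start", "pid": 4321, "guid": "guid-B",
     "path": r"C:\Users\alice\Downloads\updater.exe"},
    {"ts": 4, "event": "netconn", "pid": 4321, "guid": "guid-B",
     "dest": "203.0.113.7:443"},
]


def group_instances(events, key):
    """Group events into process instances using `key` ("pid" or "guid")."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[key]].append(ev)
    return dict(groups)


def executables_per_instance(events, key):
    """Executable paths seen under each key value. More than one path under
    a single key means that key has conflated distinct processes."""
    paths = defaultdict(set)
    for ev in events:
        if ev["event"] == "start":
            paths[ev[key]].add(ev["path"])
    return {k: sorted(v) for k, v in paths.items()}


def candidate_owners(events, key, conn_ts):
    """Paths of every start event sharing the connection's `key` value, as a
    plain join on that field would return. Two candidates under PID means the
    connection cannot be attributed without extra time-window logic; the GUID
    join yields exactly one."""
    conn = next(e for e in events if e["event"] == "netconn" and e["ts"] == conn_ts)
    return [e["path"] for e in events
            if e["event"] == "start" and e[key] == conn[key]]


if __name__ == "__main__":
    for key in ("pid", "guid"):
        print(key, len(group_instances(EVENTS, key)), "instance(s):",
              executables_per_instance(EVENTS, key))
```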
What is Elasticsearch?
Quoting Wikipedia:
Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is developed in Java and is released as open-source under the terms of the Apache License. Elasticsearch is the most popular enterprise search engine followed by Apache Solr, also based on Lucene.
What Does “Experimental Support” Mean, Exactly?
uberAgent can now send data to Elasticsearch. To make that happen we added HTTP(S) data transport capabilities along with the necessary JSON formatting to enable Elasticsearch to correctly parse uberAgent data. At this point, that is it. Most notably, there are no dashboards. If you want to work with uberAgent for Elasticsearch, you need to create your own. Hint: most people use Kibana, but you probably know that already.
Why Support Elasticsearch?
Elasticsearch has made great progress in the past few years. It certainly is not as polished and perfectly integrated as Splunk, but it seems to be capable of handling uberAgent’s data quite well. With this experimental feature, we want to gauge interest. Is this something people want? Please let us know. Play with it, build upon it, use it!
Try it Out!
Here is a guide to help you get started installing and configuring Elasticsearch & Kibana.
About uberAgent
The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.
uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.
uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.