uberAgent 6.1 Preview: Event Data Filtering on the Endpoint
While we’re finalizing version 6.1 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at one of the coolest new features: the ability to filter events with a full-blown query language right on the endpoint.
I’ll dive into the details in just a minute, but let me start with a tiny bit of recent history. With the release of uberAgent 6.0 we had this wonderfully powerful yet lightweight query language in our hands. We started to think about other use cases for the uAQL technology. It wasn’t long before we found one: sourcetype event data filtering. It was a perfect match.
Sourcetype filtering, as we call it, allows you to define conditions that are evaluated for every event before it is sent to the backend. If the condition evaluates to true, the event is sent. If the condition evaluates to false, the event is ignored.
This filtering happens on the endpoint and it is extremely efficient. You could define hundreds of filtering rules and still not see a degradation in agent performance.
You might wonder which of uAQL’s capabilities you can use with sourcetype filtering. The answer is simple: all of them! And you can make use of all the fields of the current event, too. If the sourcetype in question contains a user name field, you can filter based on users. If the sourcetype contains application name and version fields, you can filter based on applications, including only specific versions, for example. The possibilities are endless! Please see the event data filtering documentation for details.
Depending on your requirements, you might only need a subset of the events generated by uberAgent for certain sourcetypes. Filtering out unnecessary data at the endpoint may reduce the data volume significantly (see the documentation for other ways to reduce the data volume).
Consider a simple example: every time a cmd.exe console process is started on Windows, an accompanying console host process is started too. These conhost.exe processes are rarely of interest. Removing them is often the most efficient choice.
Some sourcetypes have fields with data that may be considered sensitive in nature, such as window titles. Sourcetype filtering allows you to clear such fields, on the endpoint, before the data is sent to the backend for storage and indexing.
One of the features requested by our customers was the ability to clear fields with sensitive data for specific users only. This is easily possible with sourcetype filtering!
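The two use cases above (ignoring conhost.exe process events and clearing a sensitive field for specific users only) can be modelled as follows. This is an added example, not code from the original post and not uAQL or uberAgent configuration syntax. The sourcetype names, field names, the user name and the rule that all conditions for a sourcetype must hold are assumptions made for the illustration.

```python
# Added illustration: a Python model of endpoint-side sourcetype filtering.
# NOT uAQL or uberAgent configuration syntax. Sourcetype names, field names
# and the "all conditions must hold" rule are assumptions for this example.

# Send conditions: an event is sent only if every condition registered for
# its sourcetype evaluates to true (true = send, false = ignore).
SEND_IF = [
    ("ProcessStartup", lambda e: e["ProcName"].lower() != "conhost.exe"),
]

# Clear rules: empty one field when the condition matches, keep the event.
CLEAR_IF = [
    ("SessionDetail", "WindowTitle",
     lambda e: e["User"].lower() == "corp\\alice"),
]

def apply_filters(events, send_if=SEND_IF, clear_if=CLEAR_IF):
    """Return the (sourcetype, event) pairs that would reach the backend."""
    sent = []
    for sourcetype, event in events:
        if not all(cond(event) for st, cond in send_if if st == sourcetype):
            continue                      # condition false: event is ignored
        event = dict(event)               # copy so the input is not mutated
        for st, field, cond in clear_if:
            if st == sourcetype and cond(event):
                event[field] = ""         # value is cleared before sending
        sent.append((sourcetype, event))
    return sent

# Constructed sample events (not real uberAgent output).
SAMPLE = [
    ("ProcessStartup", {"ProcName": "cmd.exe", "User": "CORP\\bob"}),
    ("ProcessStartup", {"ProcName": "conhost.exe", "User": "CORP\\bob"}),
    ("SessionDetail", {"User": "CORP\\alice", "WindowTitle": "Payroll.xlsx"}),
    ("SessionDetail", {"User": "CORP\\bob", "WindowTitle": "Inbox"}),
]

if __name__ == "__main__":
    for sourcetype, event in apply_filters(SAMPLE):
        print(sourcetype, event)
```

The condition is scoped to the process name only, so the cmd.exe start event is still sent while its console host event is ignored.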
If you’ve worked with uberAgent before you know that it has allowlists and denylists for many different sourcetypes. How does this new filtering capability play along with those existing lists?
The new sourcetype filtering supersedes existing allowlists and denylists. The new capabilities are so much more powerful and flexible that there is no need for the older filtering lists any more. However, we want to provide a smooth migration path. For that reason, we will mark the old allowlists and denylists as deprecated but keep them around for a while. Eventually, they will be removed from the product.