Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


uberAgent 6.1 Preview: Event Data Filtering on the Endpoint

  • by Helge Klein
  • March 30, 2021

While we’re finalizing version 6.1 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at one of the coolest new features: the ability to filter events with a full-blown query language right on the endpoint.

I’ll dive into the details in just a minute, but let me start with a tiny bit of recent history. With the release of uberAgent 6.0 we had this wonderfully powerful yet lightweight query language in our hands. We started to think about other use cases for the uAQL technology. It wasn’t long before we found one: sourcetype event data filtering. It was a perfect match.

What Is This?

Sourcetype filtering, as we call it, allows you to define conditions that are evaluated for every event before it is sent to the backend. If the condition evaluates to true, the event is sent. If the condition evaluates to false, the event is ignored.

This filtering happens on the endpoint and it is extremely efficient. You could define hundreds of filtering rules and still not see a degradation in agent performance.

You might wonder which of uAQL’s capabilities you can use with sourcetype filtering. The answer is simple: all of them! And you can make use of all the fields of the current event, too. If the sourcetype in question contains a user name field, you can filter based on users. If the sourcetype contains application name and version fields, you can filter based on applications, including only specific versions, for example. The possibilities are endless! Please see the event data filtering documentation for details.

Why Would You Want to Use It?

Data Volume Reduction

Depending on your requirements, you might only need a subset of the events generated by uberAgent for certain sourcetypes. Filtering out unnecessary data at the endpoint may reduce the data volume significantly (see the documentation for other ways to reduce the data volume).

Consider a simple example: every time a cmd.exe console process is started on Windows, an accompanying console host process is started too. These conhost.exe processes are rarely of interest. Removing them is often the most efficient choice.

Sensitive Data Removal

Some sourcetypes have fields with data that may be considered sensitive in nature, such as window titles. Sourcetype filtering allows you to clear such fields, on the endpoint, before the data is sent to the backend for storage and indexing.

One of the features requested by our customers was the ability to clear fields with sensitive data for specific users only. This is easily possible with sourcetype filtering!

What About Existing Allowlists & Denylists?

If you’ve worked with uberAgent before you know that it has allowlists and denylists for many different sourcetypes. How does this new filtering capability play along with those existing lists?

The new sourcetype filtering supersedes existing allowlists and denylists. The new capabilities are so much more powerful and flexible that there is no need for the older filtering lists any more. However, we want to provide a smooth migration path. For that reason, we will mark the old allowlists and denylists as deprecated but keep them around for a while. Eventually, they will be removed from the product.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *