uberAgent 6.2: Persistent Output Queue, Process Tampering Detection
We are happy to announce the newest version of our user experience monitoring & endpoint security analytics product. uberAgent 6.2 introduces the persistent output queue, which guarantees that no events are lost in transit, and comes with a ton of improvements for UXM and ESA.
uberAgent’s persistent output queue (POQ) buffers the generated events on the endpoint’s disk before the agent attempts to send them to the backend. Only when an event has been delivered successfully is it removed from the POQ’s buffer.
The persistent output queue ensures that no data is lost even in situations where the backend is unavailable for prolonged periods of time. The most important use case for the POQ is with laptops.
On mobile devices, uberAgent was traditionally coupled with Splunk’s Universal Forwarder due to UF’s persistent queue functionality. With uberAgent’s new built-in persistent output queue, it’s not necessary anymore to deploy Universal Forwarder just for its disk buffering feature.
See this blog post for details on the persistent output queue.
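To make the buffer-then-acknowledge behaviour concrete, here is a minimal disk-backed output queue written for this post as an added illustration; it is not uberAgent's own code, and the `send` callback standing in for the backend transport is an assumption. Events are written to a spool directory before any delivery attempt and deleted only after delivery succeeds, so they survive backend outages and agent restarts.

```python
import itertools
import json
import os
import time
from pathlib import Path


class PersistentOutputQueue:
    """Disk-backed output queue: every event hits disk before any send attempt,
    and is deleted only after the backend acknowledges it."""

    def __init__(self, spool_dir, send):
        self.spool_dir = Path(spool_dir)
        self.spool_dir.mkdir(parents=True, exist_ok=True)
        self.send = send          # hypothetical callable(event) -> True on success
        self._seq = itertools.count()

    def enqueue(self, event):
        # Timestamp-prefixed name keeps delivery order across restarts; the
        # write-fsync-rename sequence never leaves a half-written event behind.
        final = self.spool_dir / f"{time.time_ns():020d}-{next(self._seq):06d}.json"
        tmp = final.with_suffix(".tmp")
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(event, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, final)
        return final

    def pending(self):
        # Oldest first; only complete (.json) files are ever considered.
        return sorted(self.spool_dir.glob("*.json"))

    def flush(self):
        """Try to deliver every buffered event; return (delivered, retained)."""
        delivered = retained = 0
        for path in self.pending():
            with open(path, encoding="utf-8") as fh:
                event = json.load(fh)
            if self.send(event):
                path.unlink()     # removed only after successful delivery
                delivered += 1
            else:
                retained += 1     # backend unreachable: keep on disk, retry later
        return delivered, retained
```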
Introduced with uberAgent 6.1, Citrix Cloud monitoring is uberAgent’s capability to monitor the Citrix Virtual Apps and Desktops (CVAD) control plane in Citrix Cloud (announcement). Since the original release, we’ve been hard at work improving the speed and reliability of the queries to Citrix Cloud. The result is a fast and resilient Citrix Cloud connection that supports the latest API changes introduced by Citrix (e.g., pagination).
uberAgent ESA now detects remote thread creation (a form of code injection) and multiple process tampering techniques (process hollowing, herpaderping, doppelganging). All the relevant event properties are available via the Activity Monitoring Engine. See this blog post for details.
While uberAgent has had CIM support for a long time, we have greatly extended the integration in uberAgent 6.2. If you are used to working with Sysmon data in ES, you will notice no difference when switching to uberAgent. uberAgent supports all CIM fields populated by popular Sysmon add-ons found in Splunkbase, and more!
See this blog post for details on uberAgent’s Splunk Enterprise Security integration.
uberAgent’s macOS agent has learned many new tricks, including:
- Application crash reporting.
- Network monitoring now includes the remote (target) name in addition to the IP address.
- DNS query monitoring.
- Improved detection of SSH sessions.
uberAgent 6.2 comes with dozens of additional improvements and fixes, e.g.:
- The converted Sigma ruleset has been updated and now supports more categories.
- Authenticode signature verification improvements.
- The network monitoring driver has been further optimized for even higher throughput.
uberAgent is an innovative Windows and macOS user experience monitoring (UXM) and endpoint security analytics (ESA) product. UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. ESA comes with a sophisticated activity monitoring engine, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative user experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.