uberAgent 6.2 Preview: Splunk Enterprise Security Integration
While we’re finalizing version 6.2 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at a cool new feature: Splunk Enterprise Security integration.
Splunk Enterprise Security
Enterprise Security (ES) is Splunk’s analytics-driven SIEM solution that gives you the ability to quickly detect and respond to internal and external attacks. It improves security operations, offers risk-based alerting, and gives you investigative tools for fast response.
ES works with data sources from many different vendors. This diverse data set needs to be normalized to allow users to search and interact with it in a standardized way. Splunk uses the CIM data model to achieve that.
uberAgent’s CIM Implementation
While uberAgent had CIM support for a long time, we have extended the integration greatly with uberAgent 6.2. If you are used to working with Sysmon data in ES, you will notice no difference when switching to uberAgent. uberAgent supports all CIM fields populated by popular Sysmon add-ons found in Splunkbase, and more!
The following data models and datasets are available with uberAgent 6.2:
- Endpoint
- Filesystem
- Processes
- Registry
- Malware
- Malware_Attacks
- Change
- Endpoint_Changes
- Network Resolution (DNS)
- DNS
How To Connect uberAgent and Enterprise Security
When building an ES integration, the hard part is to map the fields in the data source to the corresponding fields in the CIM data model. The good news: we already did this for you!
To connect uberAgent with Splunk ES, follow these steps:
- Install Splunk ES
- Install uberAgent
- Make sure uberAgent’s UXM and ESA Splunk dashboard apps are installed on the same search heads as ES
That’s it! Everything else works out of the box, including the population of dashboards such as the one in the screenshot at the top of this article.
About uberAgent
The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.
uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.
uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.
