Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


uberAgent 6.2 Preview: Splunk Enterprise Security Integration

  • by Dominik Britz
  • September 9, 2021

While we’re finalizing version 6.2 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at a cool new feature: Splunk Enterprise Security integration.

Splunk Enterprise Security

Enterprise Security (ES) is Splunk’s analytics-driven SIEM solution that gives you the ability to quickly detect and respond to internal and external attacks. It improves security operations, offers risk-based alerting, and gives you investigative tools for fast response.

ES works with data sources from many different vendors. This diverse data set needs to be normalized to allow users to search and interact with it in a standardized way. Splunk uses the CIM data model to achieve that.

uberAgent’s CIM Implementation

While uberAgent had CIM support for a long time, we have extended the integration greatly with uberAgent 6.2. If you are used to working with Sysmon data in ES, you will notice no difference when switching to uberAgent. uberAgent supports all CIM fields populated by popular Sysmon add-ons found in Splunkbase, and more!

The following data models and datasets are available with uberAgent 6.2:

How To Connect uberAgent and Enterprise Security

When building an ES integration, the hard part is to map the fields in the data source to the corresponding fields in the CIM data model. The good news: we already did this for you!

To connect uberAgent with Splunk ES, follow these steps:

  1. Install Splunk ES
  2. Install uberAgent
  3. Make sure uberAgent’s UXM and ESA Splunk dashboard apps are installed on the same search heads as ES

That’s it! Everything else works out of the box, including the population of dashboards such as the one in the screenshot at the top of this article.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *