Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at

Changelog and Release Notes

Version 7.2

New features

  • Agent [B883]: new supported backend: Azure Data Explorer (ADX) (via Azure Event Hubs).
  • Application hangs (macOS) [B846]: application hangs are now detected and reported under macOS.
  • Browsers [B638]: the Chrome/Firefox browser extensions have been rewritten to fully support Manifest V3 and improve performance as well as reliability.
  • Configuration [B600, B914]: credentials can now be securely retrieved from the operating system’s credential store.
  • Dashboards [B926]: added Japanese translation of the uberAgent ESA and uberAgent UXM Splunk dashboards.
  • Machine errors (macOS) [B847]: macOS kernel panics are now detected and reported.
  • Network monitoring (macOS) [B867]: loopback traffic monitoring. Can be enabled via IgnoreLoopbackTraffic in the [NetworkTargetPerformanceProcess_Config] stanza.
  • Security & Compliance Inventory (macOS) [B817]: the SCI feature is now supported on macOS.
  • Threat Detection Engine [B889]: TDE rule customization & postprocessing via the new stanza [ThreatDetectionRuleExtension].
  • uAQL [B568]: new operators regex and regex_envvars and their case-insensitive counterparts iregex, iregex_envvars that replace the uAQL functions regex_match and regex_match_path. The new builtin operators allow uberAgent to perform optimizations when using regular expressions in uAQL.


  • Agent (macOS): after the installation, the daemon is only started if an active configuration can be found. Configuration template files are no longer copied to the configuration directory automatically.
  • Application errors (macOS) [I1125]: crash reports are now also evaluated when automatically marked as retired.
  • Application inventory (macOS) [B554]: all installed applications on all locally mounted volumes as well as the user home directories are now reported.
  • Automatic application identification (macOS) [B700]: improved mapping for privileged helper tools and applications installed with a package manager.
  • Browsers [I597]: reduced performance impact of the browser extensions, especially for websites with many requests.
  • Central config file management [I1128]: enhanced robustness versus external tampering with the cache or its metadata.
  • Configuration [B890]: added support for multiline uAQL queries in configuration files.
  • Configuration [I1129]: new ConfigFlags setting POQTimeoutMs.
  • Machine inventory (macOS) [B719]: virtual machine detection now works on ARM-based machines.
  • Machine inventory (macOS) [B833]: uberAgent now reports warranty information.
  • Network monitoring (macOS) [I1081,I1083]: improve accuracy of the flow-specific data traffic metrics.
  • Process startup (macOS) [B820]: distinguishing between fork and exec events is now supported. It is shown on the Process Tree, Process Startup, and Application Startup dashboards.
  • Process startup and stop (macOS) [B916]: added new option EnableCdHash to support collection of the code directory hash.
  • Process stop (macOS) [B819]: the sourcetype uberAgentESA:Process:ProcessStop is now available on macOS.
  • Security Score Splunk dashboard [B872]:transferred SCI score calculation searches to separate index and improved overall dashboard performance.
  • Setup (Windows) [I1179]: copy optional Security Inventory files when deploying uberAgent on endpoints using the Splunk app uberAgent_endpoint.
  • Threat Detection Engine [B807]: the rule author is now shown on the Threat Detection Events dashboard to adhere to Sigma’s detection rule license.
  • Threat Detection Engine [B889]: added new common event property: uberAgent.Pid.
  • Threat Detection Engine (macOS) [B816]: added event properties for team id, signing id and SHA256 hash.
  • Threat Detection Engine (Windows) [I1104]: added new registry event properties Reg.EventType and Reg.TargetObject to match Sigma and Sysmon specifications.
  • uAQL [I1122]: enhanced error messaging for unreferenced variables, dynamic expressions, or functions, now specifically identifying the non-existent referenced item by name.


  • Agent (Windows) [I1166]: fixed a rare agent crash while retrieving machine inventory metrics.
  • Authenticode signature verification (Windows) [I1163]: fixed an issue that caused the current time to be used instead of the signing time.
  • Authenticode signature verification (Windows) [I1173]: fixed an issue that led to an incorrect result due to caching.
  • Boot duration (Windows) [I1119]: fixed an issue leading to incorrect PostBoot calculations in specific scenarios.
  • Citrix Cloud monitoring [I1186]: fixed query to check the existence of Citrix DaaS Remote PowerShell SDK.
  • Configuration [I1181]: SCI configuration changes are now monitored and trigger an agent restart.
  • Dashboards [B820]: the startup detail table on the Application Startup and Process Startup dashboards now correctly shows process starts on macOS.
  • Dashboards [I1150]: fixed incorrect token usage and a visualization issue on the Security Score dashboard when no SCI test description was found.
  • Dashboards [I1151]: aligned the hostinfo lookup across sourcetypes in props.conf to always output the same fields.
  • Dashboards [I1174]: the Security Score dashboard only displayed a maximum of ten SCI categories. Any additional categories were merged into “OTHER”.
  • Dashboards [I1178]: the overall score calculation on the Security Score dashboard did not match historical data.
  • Dashboards [I1182]: the filter option SessionUser led to faulty panels on the Session Scores dashboard.
  • GPU (Windows) [I515]: uberAgent now reinitializes GPU metrics in case of a graphics driver update.
  • Machine inventory (macOS) [I1138]: fixed missing virtualization status of physical machines.
  • Machine inventory (macOS) [I1160]: fixed incorrect values with the BatteryWearLevelPercent metric.
  • NetScaler [I1101]: fixed a bug where closing the NetScaler connection too early resulted in no further data being collected.
  • Network monitoring (macOS) [I1082]: incoming and outgoing packet counts now both only count packets with a payload. This was previously only the case for outgoing packets.
  • Network monitoring (macOS) [I1097]: network flows with unknown transport protocols (other than TCP/UDP) are now ignored.
  • Network monitoring (macOS) [I1118]: fixed faulty calculation of TCP retransmission count in sourcetype NetworkTargetperformance.
  • Network monitoring (Windows) [I1110]: uberAgent’s network driver could slow down network transfers or freeze the system with many incoming UDP packets in high-throughput environments.
  • Process monitoring (macOS) [I1133]: the ProcCPUTimeMs and SessionCPUTimeMs metrics are now reported as a delta for the current measurement interval instead of an absolute value.
  • Process monitoring (Windows) [I1141]: ProcessTampering no longer gets disabled when Hashing and Authenticode are turned off.
  • Registry monitoring [I1142]: prevent handling empty registry keys causing the log message: Failed to retrieve HIVE of.
  • Custom scripts (Windows) [I1116]: scripts couldn’t be started as SYSTEM in user sessions (UserSessionAsSystem).
  • uAQL [I1113]: fixed handling of improperly bracketed expressions and arrays that previously did not generate syntax errors.
  • uAQL [I1127]: fixed a possible crash on faulty queries.

Release notes

  • Browsers (Windows) [I1194]: the Chrome extension doesn’t work properly due to an error in the uAInSessionHelperChrome.json file (located in %PROGRAMFILES%\vast limits\uberAgent). To fix this issue, add a slash (/) at the end of the chrome-extension value. The correct value is: chrome-extension://jghgedlkcoafeakcaepncnlanjkbinpb/.
  • Dashboards [B924]: removed the deprecated dashboard Session Info:VMware in uberAgent UXM.
  • Libraries [B919]: updated third-party libraries to the following: Boost 1.84, {fmt} 10.2.1, JSON for Modern C++ 3.11.3, libcurl 8.5.0 (Windows).
  • NetScaler [B877]: renamed the Citrix ADC dashboards to NetScaler.
  • Setup (Windows) [I1171]: updated WiX Toolset to version 3.14.1.
  • Sourcetype (macOS) [B820]: uberAgent:Process:ProcessStartup has a new field: StartupEventSource.
  • Sourcetype (macOS) [B833]: uberAgent:System:MachineInventory has a new field: CoverageEndDate.
  • Sourcetype (macOS) [B916]: uberAgent:Process:ProcessStartup has a new field: CdHash.
  • Sourcetype (macOS) [B916]: uberAgentESA:Process:ProcessStop has a new field: CdHash.
  • Sourcetype (macOS) [B847]: new sourcetype uberAgent:System:MacOsErrors with fields: KernelBugType, KernelBuild, KernelCrashReporterKey, KernelErrorType, KernelIncident, KernelPanicFlags, KernelPanicString, KernelProduct, KernelVersion.
  • Splunk CIM [I1101]: changed the method from EXTRACT to EVAL for the fields src_nt_domain and user in the Authentication data model to work around a Splunk bug.
  • Splunk CIM [I1101]: the Authentication data model has new field(s): dest.
  • Splunk CIM [I1101]: the Inventory data model has new field(s): cpu_mhz, cpu_cores, cpu_count, status.
  • Splunk CIM [I1101]: the Network Traffic data model has new field(s): user.
  • Splunk CIM [I1101]: the Updates data model has new field(s): dvc, file_name, status, vendor_product.
  • Splunk data models [B872]: added the uberAgent ESA data model uberAgentESA_Score with the dataset uberAgentESA_Score_SCI.
  • Splunk data models [I1182]: added the field SessionUser to uberAgent UXM data set uberAgentUXM_Score.
  • Splunk index [B872]: added a new index score_uberagent_esa for security score calculations in uberAgent ESA. This index can be deleted if uberAgent ESA is not used.
  • Threat Detection Engine [B889]: renamed the stanzas [ActivityMonitoringRule], [ActivityMonitoringRule_Filter], [AddActivityMonitoringExpression] to [ThreatDetectionRule], [ThreatDetectionRule_Filter], [AddThreatDetectionExpression], respectively. The previous names are still supported, but deprecated from now on.
  • Threat Detection Engine (Windows) [I1104]: changed data type of Reg.Value.Data to string to simplify query rules using registry values.

Known issues

  • Agent (Windows) [I1154]: under heavy load the following message may be logged: “CheckEventRecord,Events were lost. This may affect uberAgent’s per-process disk, network, or UI-responsiveness metrics”.
  • Agent (Windows) [I1157]: under Windows 7/8, the user logoff is recognized too late, which leads to too many metrics being determined during this time.
  • Browsers [I1085]: on systems with many user sessions the URL of the foreground tab might not match the browser’s window title.


Your email address will not be published. Required fields are marked *