What is uberAgent?
uberAgent is a solution that provides the tools admins need to improve end user experience and bolster security. It provides detailed information about relevant metrics, including boot and logon duration, to determine why they may be slow. It also helps pinpoint problems with application response times, network connectivity and reliability, process startup times, application usage, browser performance with metrics for each website, and remote access protocol insights.
uberAgent UXM and uberAgent ESA
uberAgent is a Windows and macOS user experience monitoring (UXM) and endpoint security analytics (ESA) product. It is delivered as two complementary products, uberAgent UXM and uberAgent ESA, which together give organizations the key performance indicators (KPIs) needed to monitor user experience and application performance and to gain deep security visibility.
What is the difference between uberAgent UXM and uberAgent ESA? uberAgent UXM is the more familiar of the two. It provides the metrics needed for user experience monitoring: native and web application performance, reliability, right-sizing, application crash detection, and application delays. It also monitors application and network activity, detects timeouts and failed logons, and maintains an inventory of hardware and installed applications.
The newer uberAgent ESA enriches UXM metrics with security information. It helps organizations identify suspicious behavior and sends the relevant events to a SIEM. At its core, it is a security analytics engine that collects security-relevant telemetry from the endpoint and applies rules to it, cutting through the noise of false positives to identify risky behaviors, unusual network communication, suspicious executables, and common vulnerabilities.
uberAgent ships the ESA product with an extensive predefined ruleset that is useful for most environments. However, businesses can extend uberAgent ESA with custom rulesets to meet their security analytics needs.
The uberAgent ESA component leverages an activity monitoring engine with the following capabilities:
- uAQL Query Language
- Risky behavior detection
- DNS query monitoring
- Hash calculation
- Registry monitoring
- Authenticode signature verification
- Sysmon and Sigma rule converters
- Graphical rule editor
Let's now focus on the new features and capabilities included in the uberAgent ESA 7.0 release.
New features and capabilities of uberAgent ESA 7.0
Note the following new features of the uberAgent ESA 7.0 release:
- MITRE ATT&CK technique ID integration
- Splunk Enterprise Security companion App
- Better Splunk CIM support
- Many other miscellaneous improvements
MITRE ATT&CK technique ID integration
One of the great new features of the uberAgent 7.0 ESA release is the improved ESA activity monitoring engine, which now includes MITRE ATT&CK technique ID annotations. In addition, the ESA Splunk dashboards have been improved and show detailed descriptions and detection information for detected threats using the new annotations.
Why is MITRE ATT&CK ID integration important?
So why are MITRE ATT&CK IDs important? MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary tactics and techniques built from real-world observations: it documents the specific methods, techniques, and workflows that threat actors use to carry out attacks. As new techniques are observed in the wild, they are added to the knowledge base, and each receives a stable ID (T1071.004, for example) that tools and analysts can reference.
ATT&CK also describes the goals of an attacker. Its tactics are the "why" of an action (gaining initial access to the network, for example), and its techniques are the "how" (infiltrating the network with phishing emails).
The MITRE ATT&CK framework has become an industry standard that organizations use to describe detections in a common vocabulary, map their detection coverage, and prioritize mitigations against the techniques they actually see. What do the uberAgent ESA activity monitoring rules look like with the MITRE ATT&CK technique ID annotations? Note the following example from uberAgent of a rule that links Cobalt Strike DNS beacon detection with the ATT&CK technique T1071.004 (Application Layer Protocol: DNS):
What happens when activity on a monitored endpoint matches the rule listed above? First, uberAgent ESA generates an event that carries the rule's MITRE ATT&CK annotations and forwards it to your SIEM (Security Information and Event Management) backend. Then, the uberAgent Splunk App visualizes these events and makes them easy for administrators to access and consume.
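To make the mechanism concrete, here is an added example (not uberAgent's code, and not its rule syntax): a small activity-monitoring rule engine in Python whose hits carry MITRE ATT&CK technique annotations, run over a few constructed DNS-query events. The event field names, the `Rule` shape, the risk scores and the DNS patterns are assumptions for illustration; the beaconing patterns are modelled on the public Sigma rule for this technique, and the DGA heuristic is a deliberately crude one.

```python
"""Added example (not uberAgent's code): a small activity-monitoring rule
engine whose hits carry MITRE ATT&CK technique annotations, mirroring what
the ESA 7.0 rules described above emit. The event fields, rule shape and
DNS patterns are assumptions for illustration, not uberAgent's schema."""
from __future__ import annotations

import fnmatch
import json
import math
from collections import Counter
from dataclasses import dataclass
from typing import Callable

# Constructed sample telemetry shaped like endpoint DNS-query events.
SAMPLE_EVENTS = [
    {"event_type": "DnsQuery", "host": "WS01", "user": "alice", "proc": "outlook.exe",
     "query": "outlook.office365.com"},
    {"event_type": "DnsQuery", "host": "WS07", "user": "bob", "proc": "rundll32.exe",
     "query": "aaa.stage.12345678.example-c2.net"},
    {"event_type": "DnsQuery", "host": "WS07", "user": "bob", "proc": "rundll32.exe",
     "query": "post.1.a1b2c3.example-c2.net"},
    {"event_type": "DnsQuery", "host": "WS02", "user": "carol", "proc": "chrome.exe",
     "query": "www.example.com"},
    {"event_type": "DnsQuery", "host": "WS03", "user": "dave", "proc": "svchost.exe",
     "query": "x7k2q9mz8l4vp.example-dga.net"},
]

# ATT&CK technique names used for enrichment (official technique titles).
TECHNIQUE_NAMES = {
    "T1071.004": "Application Layer Protocol: DNS",
    "T1218": "System Binary Proxy Execution",
    "T1568.002": "Dynamic Resolution: Domain Generation Algorithms",
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(fqdn: str) -> bool:
    """Crude DGA heuristic on the leftmost label: long, high-entropy and
    digit-heavy. Illustrative only: CDN and telemetry hostnames can also be
    long and random-looking, so a production rule needs an allowlist."""
    label = fqdn.split(".")[0].lower()
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 12 and shannon_entropy(label) >= 3.0 and digits >= 3


def query_matches(patterns: tuple[str, ...]) -> Callable[[dict], bool]:
    """Build a predicate that glob-matches the query field, case-insensitively."""
    return lambda ev: any(fnmatch.fnmatch(ev["query"].lower(), p) for p in patterns)


@dataclass(frozen=True)
class Rule:
    name: str
    event_type: str
    risk_score: int
    predicate: Callable[[dict], bool]
    mitre_attack: tuple[str, ...]   # technique IDs annotated on every hit


RULES = [
    # Patterns modelled on the public Sigma rule for Cobalt Strike DNS
    # beaconing; the exact strings are illustrative, not uberAgent's rule.
    Rule("Cobalt Strike DNS beaconing (illustrative)", "DnsQuery", 80,
         query_matches(("aaa.stage.*", "post.1.*")), ("T1071.004",)),
    Rule("DNS query from proxy-execution binary", "DnsQuery", 40,
         lambda ev: ev["proc"].lower() in {"rundll32.exe", "regsvr32.exe", "mshta.exe"},
         ("T1218",)),
    Rule("High-entropy hostname label (DGA heuristic)", "DnsQuery", 50,
         lambda ev: looks_like_dga(ev["query"]), ("T1568.002",)),
]


def evaluate(events: list[dict], rules: list[Rule]) -> list[dict]:
    """Run every rule over every event; one annotated hit per (event, rule)."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.event_type == ev["event_type"] and rule.predicate(ev):
                hits.append({
                    **ev,
                    "rule": rule.name,
                    "risk_score": rule.risk_score,
                    "mitre_attack": list(rule.mitre_attack),
                    "mitre_attack_name": [TECHNIQUE_NAMES.get(t, "unknown")
                                          for t in rule.mitre_attack],
                })
    return hits


def to_siem_event(hit: dict) -> str:
    """Serialize a hit as one JSON line, the shape a SIEM forwarder would ship."""
    return json.dumps(hit)


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS, RULES):
        print(to_siem_event(hit))
```

Run as a script, it prints five JSON lines: the two rundll32.exe queries from WS07 each hit both the beaconing rule and the proxy-execution rule, and the random-looking label from WS03 hits the DGA heuristic; the Outlook and Chrome queries produce nothing. Because every hit carries `mitre_attack` and `mitre_attack_name`, a dashboard can group detections by technique rather than by rule name, which is exactly what the annotation integration buys you.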
Splunk Enterprise Security companion app
As mentioned, there is rich integration between uberAgent ESA and Splunk. New with the uberAgent ESA 7.0 release, a Splunk uberAgent ESA Enterprise Security companion app integrates metrics gathered from uberAgent ESA with Splunk Enterprise Security's risk-based alerting. In addition, it supports event annotations, such as MITRE ATT&CK and others.
Many who have worked with Splunk know that manually configuring data integrations can be complex, so it is good to see that vast limits has automated the integration between uberAgent ESA and the Enterprise Security companion app: the Splunk Enterprise Security risk analysis dashboard is populated with uberAgent data automatically.
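To show what "risk-based alerting" does with those annotated events, here is an added example (not uberAgent's or Splunk's code) in Python that models the two halves of Splunk Enterprise Security's RBA: risk rules write one risk event per detection, and a risk incident rule aggregates them per risk object over a trailing window and raises a notable when a threshold is crossed. The field names follow the ES risk index (`risk_object`, `risk_object_type`, `risk_score`, `risk_message`); the sample events, the 24-hour window and the thresholds are assumptions for illustration.

```python
"""Added example (not uberAgent's or Splunk's code): a model of Splunk
Enterprise Security risk-based alerting. Risk events are constructed to look
like what a risk rule writes to the risk index; window and thresholds are
assumptions chosen for illustration."""
from __future__ import annotations

from collections import defaultdict

DAY = 86_400
T0 = 1_700_000_000  # constructed base timestamp (epoch seconds)

# Constructed risk events, one per annotated detection, as an ES risk rule
# would write them to the risk index.
RISK_EVENTS = [
    {"_time": T0, "risk_object": "WS07", "risk_object_type": "system", "risk_score": 80,
     "mitre_attack": "T1071.004", "risk_message": "Cobalt Strike DNS beaconing"},
    {"_time": T0 + 60, "risk_object": "WS07", "risk_object_type": "system", "risk_score": 40,
     "mitre_attack": "T1218", "risk_message": "DNS query from rundll32.exe"},
    {"_time": T0 + 120, "risk_object": "WS07", "risk_object_type": "system", "risk_score": 80,
     "mitre_attack": "T1071.004", "risk_message": "Cobalt Strike DNS beaconing"},
    {"_time": T0 + 120, "risk_object": "bob", "risk_object_type": "user", "risk_score": 40,
     "mitre_attack": "T1218", "risk_message": "DNS query from rundll32.exe"},
    {"_time": T0 + 3_600, "risk_object": "WS03", "risk_object_type": "system", "risk_score": 50,
     "mitre_attack": "T1568.002", "risk_message": "High-entropy hostname label"},
    # Three days old: must fall outside a 24-hour window and not count.
    {"_time": T0 - 3 * DAY, "risk_object": "WS03", "risk_object_type": "system", "risk_score": 80,
     "mitre_attack": "T1071.004", "risk_message": "Cobalt Strike DNS beaconing"},
]


def aggregate_risk(events: list[dict], now: int, window: int = DAY) -> dict:
    """Sum risk per (object type, object) over the trailing window. The set of
    distinct ATT&CK techniques is kept so that one noisy rule firing
    repeatedly is not mistaken for a multi-stage intrusion."""
    agg = defaultdict(lambda: {"score": 0, "events": 0, "techniques": set()})
    for ev in events:
        if now - window <= ev["_time"] <= now:
            key = (ev["risk_object_type"], ev["risk_object"])
            agg[key]["score"] += ev["risk_score"]
            agg[key]["events"] += 1
            agg[key]["techniques"].add(ev["mitre_attack"])
    return dict(agg)


def risk_notables(agg: dict, score_threshold: int = 100,
                  technique_threshold: int = 3) -> list[dict]:
    """Risk incident rule: raise a notable when accumulated score or technique
    breadth crosses a threshold. Returns notables sorted by score, highest first."""
    out = []
    for (otype, obj), s in agg.items():
        reasons = []
        if s["score"] >= score_threshold:
            reasons.append(f"risk score {s['score']} >= {score_threshold}")
        if len(s["techniques"]) >= technique_threshold:
            reasons.append(f"{len(s['techniques'])} distinct ATT&CK techniques")
        if reasons:
            out.append({"risk_object": obj, "risk_object_type": otype,
                        "risk_score": s["score"], "contributing_events": s["events"],
                        "mitre_attack": sorted(s["techniques"]), "reasons": reasons})
    return sorted(out, key=lambda n: n["risk_score"], reverse=True)


if __name__ == "__main__":
    for notable in risk_notables(aggregate_risk(RISK_EVENTS, now=T0 + 3_600)):
        print(notable)
```

With the constructed data only WS07 becomes a notable (three events, score 200, two techniques); the single 50-point event on WS03 and the 40-point event on user bob stay below threshold, and WS03's three-day-old beaconing hit is dropped by the window. Separating the aggregation key by `risk_object_type` matters: the same detection contributes to both the machine and the user, and ES tracks them as distinct risk objects.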
Better Splunk CIM support
Splunk's Common Information Model (CIM) is a shared semantic model focused on extracting value from data. The CIM is a collection of data models, tools, and other documentation supporting consistent, normalized data to achieve the most value for admins. It allows normalizing data to match common standards and use the same field names across different sources or vendors.
With the new uberAgent ESA 7.0 release, support for Splunk's CIM model has been further improved. Now, wherever a matching CIM data model exists for uberAgent source types, the fields in uberAgent's events are automatically mapped to the corresponding fields in the CIM data model. Again, no manual configuration is needed for this to work, as it is fully operational out of the box.
Many other miscellaneous improvements
The new uberAgent ESA has many other miscellaneous improvements to note in the latest release. These include the following:
- The converted Sigma ruleset has been updated and now supports more categories.
- Authenticode signature verification has a new field: IsSignedByOSVendor.
- Support for Elasticsearch 8.
- Event triggers for timers to collect data when something happens, e.g., a user logs on.
- Nutanix Frame integration: uberAgent now collects metrics for Nutanix Frame sessions.
- Citrix Cloud monitoring improvements.
- New Experience Score dashboards visualize scores per machine, session, and application.
- New Splunk data model architecture.
You can view the full release notes for uberAgent UXM and ESA here: Changelog and Release Notes • uberAgent documentation.
Wrapping up
The new uberAgent 7.0 UXM and ESA release is an excellent feature-packed release from vast limits. The new features and capabilities related to the Splunk integration will align nicely with organizations using Splunk as their enterprise SIEM solution. Additionally, the ability to quickly narrow in on user experience and performance monitoring, along with bolstering security for end-users across the board, is timely for organizations continuing to grow their hybrid workforce capabilities built on top of Citrix.
If security analytics is a topic in your organization, you should definitely download uberAgent and try out the new features.