uberAgent

Changelog and Release Notes

Version 7.2

New features

  • Agent [B883]: new supported backend: Azure Data Explorer (ADX), via Azure Event Hubs.
  • Application hangs (macOS) [B846]: application hangs are now detected and reported under macOS.
  • Browsers [B638]: the Chrome/Firefox browser extensions have been rewritten to fully support Manifest V3 and improve performance as well as reliability.
  • Configuration [B600, B914]: credentials can now be securely retrieved from the operating system’s credential store.
  • Dashboards [B926]: added Japanese translation of the uberAgent ESA and uberAgent UXM Splunk dashboards.
  • Machine errors (macOS) [B847]: macOS kernel panics are now detected and reported.
  • Network monitoring [B864, B867]: loopback traffic monitoring, controlled by the IgnoreLoopbackTraffic setting in the [NetworkTargetPerformanceProcess_Config] stanza.
  • Security & Compliance Inventory (macOS) [B817]: the SCI feature is now supported on macOS.
  • Threat Detection Engine [B889]: TDE rule customization & postprocessing via the new stanza [ThreatDetectionRuleExtension].
  • uAQL [B568]: new operators regex and regex_envvars and their case-insensitive counterparts iregex, iregex_envvars that replace the uAQL functions regex_match and regex_match_path. The new builtin operators allow uberAgent to perform optimizations when using regular expressions in uAQL.

Improvements

  • Agent (macOS): after the installation, the daemon is only started if an active configuration can be found. Configuration template files are no longer copied to the configuration directory automatically.
  • Application errors (macOS) [I1125]: crash reports are now also evaluated when automatically marked as retired.
  • Application inventory (macOS) [B554]: all installed applications on all locally mounted volumes as well as the user home directories are now reported.
  • Automatic application identification (macOS) [B700]: improved mapping for privileged helper tools and applications installed with a package manager.
  • Browsers [I597]: reduced performance impact of the browser extensions, especially for websites with many requests.
  • Central config file management [I1128]: enhanced robustness versus external tampering with the cache or its metadata.
  • Configuration [B890]: added support for multiline uAQL queries in configuration files.
  • Configuration [I1129]: new ConfigFlags setting POQTimeoutMs.
  • Machine inventory (macOS) [B719]: virtual machine detection now works on ARM-based machines.
  • Machine inventory (macOS) [B833]: uberAgent now reports warranty information.
  • Network monitoring (macOS) [I1081, I1083]: improved accuracy of the flow-specific data traffic metrics.
  • Process startup (macOS) [B820]: distinguishing between fork and exec events is now supported. It is shown on the Process Tree, Process Startup, and Application Startup dashboards.
  • Process startup and stop (macOS) [B916]: added new option EnableCdHash to support collection of the code directory hash.
  • Process stop (macOS) [B819]: the sourcetype uberAgentESA:Process:ProcessStop is now available on macOS.
  • Security Score Splunk dashboard [B872]: moved the SCI score calculation searches to a separate index and improved overall dashboard performance.
  • Setup (Windows) [I1179]: optional Security Inventory files are now copied when deploying uberAgent on endpoints using the Splunk app uberAgent_endpoint.
  • Threat Detection Engine [B807]: the rule author is now shown on the Threat Detection Events dashboard to adhere to Sigma’s detection rule license.
  • Threat Detection Engine [B889]: added new common event property: uberAgent.Pid.
  • Threat Detection Engine (macOS) [B816]: added event properties for team id, signing id and SHA256 hash.
  • Threat Detection Engine (Windows) [I1104]: added new registry event properties Reg.EventType and Reg.TargetObject to match Sigma and Sysmon specifications.
  • uAQL [I1122]: enhanced error messaging for unreferenced variables, dynamic expressions, or functions, now specifically identifying the non-existent referenced item by name.

Bugfixes

  • Agent (Windows) [I1166]: fixed a rare agent crash while retrieving machine inventory metrics.
  • Authenticode signature verification (Windows) [I1163]: fixed an issue that caused the current time to be used instead of the signing time.
  • Authenticode signature verification (Windows) [I1173]: fixed an issue that led to an incorrect result due to caching.
  • Boot duration (Windows) [I1119]: fixed an issue leading to incorrect PostBoot calculations in specific scenarios.
  • Citrix Cloud monitoring [I1186]: fixed query to check the existence of Citrix DaaS Remote PowerShell SDK.
  • Configuration [I1181]: SCI configuration changes are now monitored and trigger an agent restart.
  • Dashboards [B820]: the startup detail table on the Application Startup and Process Startup dashboards now correctly shows process starts on macOS.
  • Dashboards [I1150]: fixed incorrect token usage and a visualization issue on the Security Score dashboard when no SCI test description was found.
  • Dashboards [I1151]: aligned the hostinfo lookup across sourcetypes in props.conf to always output the same fields.
  • Dashboards [I1174]: the Security Score dashboard only displayed a maximum of ten SCI categories. Any additional categories were merged into “OTHER”.
  • Dashboards [I1178]: the overall score calculation on the Security Score dashboard did not match historical data.
  • Dashboards [I1182]: the filter option SessionUser led to faulty panels on the Session Scores dashboard.
  • GPU (Windows) [I515]: uberAgent now reinitializes GPU metrics in case of a graphics driver update.
  • Machine inventory (macOS) [I1138]: fixed missing virtualization status of physical machines.
  • Machine inventory (macOS) [I1160]: fixed incorrect values with the BatteryWearLevelPercent metric.
  • NetScaler [I1101]: fixed a bug where closing the NetScaler connection too early resulted in no further data being collected.
  • Network monitoring (macOS) [I1082]: incoming and outgoing packet counts now both only count packets with a payload. This was previously only the case for outgoing packets.
  • Network monitoring (macOS) [I1097]: network flows with unknown transport protocols (other than TCP/UDP) are now ignored.
  • Network monitoring (macOS) [I1118]: fixed faulty calculation of TCP retransmission count in sourcetype NetworkTargetperformance.
  • Network monitoring (Windows) [I1110]: uberAgent’s network driver could slow down network transfers or freeze the system with many incoming UDP packets in high-throughput environments.
  • Process monitoring (macOS) [I1133]: the ProcCPUTimeMs and SessionCPUTimeMs metrics are now reported as a delta for the current measurement interval instead of an absolute value.
  • Process monitoring (Windows) [I1141]: ProcessTampering no longer gets disabled when Hashing and Authenticode are turned off.
  • Registry monitoring [I1142]: empty registry keys are no longer processed; previously they caused the log message: Failed to retrieve HIVE of.
  • Custom scripts (Windows) [I1116]: scripts could not be started as SYSTEM in user sessions (UserSessionAsSystem).
  • uAQL [I1113]: fixed handling of improperly bracketed expressions and arrays that previously did not generate syntax errors.
  • uAQL [I1127]: fixed a possible crash on faulty queries.

Release notes

  • Dashboards [B924]: removed the deprecated dashboard Session Info:VMware in uberAgent UXM.
  • Libraries [B919]: updated third-party libraries to the following: Boost 1.84, {fmt} 10.2.1, JSON for Modern C++ 3.11.3, libcurl 8.5.0 (Windows).
  • NetScaler [B877]: renamed the Citrix ADC dashboards to NetScaler.
  • Setup (Windows) [I1171]: updated WiX Toolset to version 3.14.1.
  • Sourcetype (macOS) [B820]: uberAgent:Process:ProcessStartup has a new field: StartupEventSource.
  • Sourcetype (macOS) [B833]: uberAgent:System:MachineInventory has a new field: CoverageEndDate.
  • Sourcetype (macOS) [B916]: uberAgent:Process:ProcessStartup has a new field: CdHash.
  • Sourcetype (macOS) [B916]: uberAgentESA:Process:ProcessStop has a new field: CdHash.
  • Sourcetype (macOS) [B847]: new sourcetype uberAgent:System:MacOsErrors with fields: KernelBugType, KernelBuild, KernelCrashReporterKey, KernelErrorType, KernelIncident, KernelPanicFlags, KernelPanicString, KernelProduct, KernelVersion.
  • Splunk CIM [I1101]: changed the method from EXTRACT to EVAL for the fields src_nt_domain and user in the Authentication data model to work around a Splunk bug.
  • Splunk CIM [I1101]: the Authentication data model has new field(s): dest.
  • Splunk CIM [I1101]: the Inventory data model has new field(s): cpu_mhz, cpu_cores, cpu_count, status.
  • Splunk CIM [I1101]: the Network Traffic data model has new field(s): user.
  • Splunk CIM [I1101]: the Updates data model has new field(s): dvc, file_name, status, vendor_product.
  • Splunk data models [B872]: added the uberAgent ESA data model uberAgentESA_Score with the dataset uberAgentESA_Score_SCI.
  • Splunk data models [I1182]: added the field SessionUser to uberAgent UXM data set uberAgentUXM_Score.
  • Splunk index [B872]: added a new index score_uberagent_esa for security score calculations in uberAgent ESA. This index can be deleted if uberAgent ESA is not used.
  • Threat Detection Engine [B889]: renamed the stanzas [ActivityMonitoringRule], [ActivityMonitoringRule_Filter], [AddActivityMonitoringExpression] to [ThreatDetectionRule], [ThreatDetectionRule_Filter], [AddThreatDetectionExpression], respectively. The previous names are still supported, but deprecated from now on.
  • Threat Detection Engine (Windows) [I1104]: changed data type of Reg.Value.Data to string to simplify query rules using registry values.

Known issues

  • Agent (Windows) [I1154]: under heavy load the following message may be logged: CheckEventRecord,Events were lost. This may affect uberAgent's per-process disk, network, or UI-responsiveness metrics.
  • Agent (Windows) [I1157]: under Windows 7/8, the user logoff is recognized too late, so metrics for the session continue to be collected during that interval.
  • Browsers [I1085]: on systems with many user sessions the URL of the foreground tab might not match the browser’s window title.
  • Browsers/IE add-on (Windows): metrics are not collected on page reload.
  • Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
  • Browsers/IE add-on (Windows): monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
  • Browsers/Firefox add-on [I626]: if the option privacy.resistFingerprinting is set to true, browser metrics are not available due to invalid data being sent from Firefox.
  • Citrix ADC: in very rare cases, the content of the Virtual Server Performance field vServerName contains spaces in the wrong places.
  • Citrix site monitoring (Windows): data collection issue if the Citrix Remote PowerShell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
  • Citrix Virtual Apps and Desktops Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
  • Experience Score [I377]: scheduled searches generate three warnings in Splunk’s _internal index every 30 minutes. The messages look like the following: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. There is no impact on uberAgent’s functionality.
  • GPU (Windows) [I33]: values for the fields ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0 and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
  • Kafka [I291]: in rare cases sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the logfile. This should have no effect; the transmission is repeated and succeeds on the second try.
  • Network monitoring (Windows) [I998]: in rare cases the determination of NetUtilizationPercent can lead to higher CPU load on Windows 7 x64.
  • Single boot [I1052]: on Windows 11, no information can be retrieved if there is no active session within the data collection period.
  • Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
  • User input delay (Windows) [I983]: determining this metric may trigger a handle leak in uberAgent caused by Windows. This was fixed by Microsoft in most OS versions, but still happens on Windows Server 2022 22H2.
  • Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.