uberAgent
Changelog and Release Notes
Version 7.2
New features
- Agent [B883]: new supported backend: Azure Data Explorer (ADX) (via Azure Event Hubs).
- Application hangs (macOS) [B846]: application hangs are now detected and reported under macOS.
- Browsers [B638]: the Chrome/Firefox browser extensions have been rewritten to fully support Manifest V3 and improve performance as well as reliability.
- Configuration [B600, B914]: credentials can now be securely retrieved from the operating system’s credential store.
- Dashboards [B926]: added Japanese translation of the uberAgent ESA and uberAgent UXM Splunk dashboards.
- Machine errors (macOS) [B847]: macOS kernel panics are now detected and reported.
- Network monitoring [B864, B867]: loopback traffic monitoring can now be enabled via `IgnoreLoopbackTraffic` in the `[NetworkTargetPerformanceProcess_Config]` stanza.
- Security & Compliance Inventory (macOS) [B817]: the SCI feature is now supported on macOS.
- Threat Detection Engine [B889]: TDE rule customization and postprocessing via the new `[ThreatDetectionRuleExtension]` stanza.
- uAQL [B568]: new operators `regex` and `regex_envvars` and their case-insensitive counterparts `iregex` and `iregex_envvars` replace the uAQL functions `regex_match` and `regex_match_path`. The new built-in operators allow uberAgent to perform optimizations when using regular expressions in uAQL.
Improvements
- Agent (macOS): after the installation, the daemon is only started if an active configuration can be found. Configuration template files are no longer copied to the configuration directory automatically.
- Application errors (macOS) [I1125]: crash reports are now also evaluated when automatically marked as retired.
- Application inventory (macOS) [B554]: all installed applications on all locally mounted volumes as well as the user home directories are now reported.
- Automatic application identification (macOS) [B700]: improved mapping for privileged helper tools and applications installed with a package manager.
- Browsers [I597]: reduced performance impact of the browser extensions, especially for websites with many requests.
- Central config file management [I1128]: enhanced robustness versus external tampering with the cache or its metadata.
- Configuration [B890]: added support for multiline uAQL queries in configuration files.
- Configuration [I1129]: new `ConfigFlags` setting `POQTimeoutMs`.
- Machine inventory (macOS) [B719]: virtual machine detection now works on ARM-based machines.
- Machine inventory (macOS) [B833]: uberAgent now reports warranty information.
- Network monitoring (macOS) [I1081, I1083]: improved accuracy of the flow-specific data traffic metrics.
- Process startup (macOS) [B820]: distinguishing between fork and exec events is now supported. It is shown on the Process Tree, Process Startup, and Application Startup dashboards.
- Process startup and stop (macOS) [B916]: added the new option `EnableCdHash` to support collection of the code directory hash.
- Process stop (macOS) [B819]: the sourcetype `uberAgentESA:Process:ProcessStop` is now available on macOS.
- Security Score Splunk dashboard [B872]: moved the SCI score calculation searches to a separate index and improved overall dashboard performance.
- Setup (Windows) [I1179]: optional Security Inventory files are now copied when deploying uberAgent on endpoints using the Splunk app `uberAgent_endpoint`.
- Threat Detection Engine [B807]: the rule author is now shown on the Threat Detection Events dashboard to adhere to Sigma’s detection rule license.
- Threat Detection Engine [B889]: added the new common event property `uberAgent.Pid`.
- Threat Detection Engine (macOS) [B816]: added event properties for team ID, signing ID, and SHA256 hash.
- Threat Detection Engine (Windows) [I1104]: added the new registry event properties `Reg.EventType` and `Reg.TargetObject` to match the Sigma and Sysmon specifications.
- uAQL [I1122]: enhanced error messages for unreferenced variables, dynamic expressions, or functions; the non-existent referenced item is now identified by name.
Bugfixes
- Agent (Windows) [I1166]: fixed a rare agent crash while retrieving machine inventory metrics.
- Authenticode signature verification (Windows) [I1163]: fixed an issue that caused the current time to be used instead of the signing time.
- Authenticode signature verification (Windows) [I1173]: fixed an issue that led to an incorrect result due to caching.
- Boot duration (Windows) [I1119]: fixed an issue leading to incorrect `PostBoot` calculations in specific scenarios.
- Citrix Cloud monitoring [I1186]: fixed the query that checks for the existence of the Citrix DaaS Remote PowerShell SDK.
- Configuration [I1181]: SCI configuration changes are now monitored and trigger an agent restart.
- Dashboards [B820]: the startup detail table on the Application Startup and Process Startup dashboards now correctly shows process starts on macOS.
- Dashboards [I1150]: fixed incorrect token usage and a visualization issue on the Security Score dashboard when no SCI test description was found.
- Dashboards [I1151]: aligned the hostinfo lookup across sourcetypes in `props.conf` so that it always outputs the same fields.
- Dashboards [I1174]: the Security Score dashboard only displayed a maximum of ten SCI categories; any additional categories were merged into “OTHER”.
- Dashboards [I1178]: the overall score calculation on the Security Score dashboard did not match historical data.
- Dashboards [I1182]: the filter option `SessionUser` led to faulty panels on the Session Scores dashboard.
- GPU (Windows) [I515]: uberAgent now reinitializes GPU metrics in case of a graphics driver update.
- Machine inventory (macOS) [I1138]: fixed missing virtualization status of physical machines.
- Machine inventory (macOS) [I1160]: fixed incorrect values of the `BatteryWearLevelPercent` metric.
- NetScaler [I1101]: fixed a bug where closing the NetScaler connection too early resulted in no further data being collected.
- Network monitoring (macOS) [I1082]: incoming and outgoing packet counts now both only count packets with a payload. This was previously only the case for outgoing packets.
- Network monitoring (macOS) [I1097]: network flows with unknown transport protocols (other than TCP/UDP) are now ignored.
- Network monitoring (macOS) [I1118]: fixed a faulty calculation of the TCP retransmission count in the sourcetype `NetworkTargetPerformance`.
- Network monitoring (Windows) [I1110]: uberAgent’s network driver could slow down network transfers or freeze the system with many incoming UDP packets in high-throughput environments.
- Process monitoring (macOS) [I1133]: the `ProcCPUTimeMs` and `SessionCPUTimeMs` metrics are now reported as a delta for the current measurement interval instead of as an absolute value.
- Process monitoring (Windows) [I1141]: `ProcessTampering` is no longer disabled when `Hashing` and `Authenticode` are turned off.
- Registry monitoring [I1142]: empty registry keys are no longer processed; previously they caused the log message `Failed to retrieve HIVE of`.
- Custom scripts (Windows) [I1116]: scripts couldn’t be started as SYSTEM in user sessions (`UserSessionAsSystem`).
- uAQL [I1113]: fixed handling of improperly bracketed expressions and arrays that previously did not generate syntax errors.
- uAQL [I1127]: fixed a possible crash on faulty queries.
Release notes
- Dashboards [B924]: removed the deprecated dashboard `Session Info:VMware` in uberAgent UXM.
- Libraries [B919]: updated third-party libraries to the following versions: Boost 1.84, {fmt} 10.2.1, JSON for Modern C++ 3.11.3, libcurl 8.5.0 (Windows).
- NetScaler [B877]: renamed the Citrix ADC dashboards to NetScaler.
- Setup (Windows) [I1171]: updated WiX Toolset to version 3.14.1.
- Sourcetype (macOS) [B820]: `uberAgent:Process:ProcessStartup` has a new field: `StartupEventSource`.
- Sourcetype (macOS) [B833]: `uberAgent:System:MachineInventory` has a new field: `CoverageEndDate`.
- Sourcetype (macOS) [B916]: `uberAgent:Process:ProcessStartup` has a new field: `CdHash`.
- Sourcetype (macOS) [B916]: `uberAgentESA:Process:ProcessStop` has a new field: `CdHash`.
- Sourcetype (macOS) [B847]: new sourcetype `uberAgent:System:MacOsErrors` with the fields `KernelBugType`, `KernelBuild`, `KernelCrashReporterKey`, `KernelErrorType`, `KernelIncident`, `KernelPanicFlags`, `KernelPanicString`, `KernelProduct`, `KernelVersion`.
- Splunk CIM [I1101]: changed the extraction method from `EXTRACT` to `EVAL` for the fields `src_nt_domain` and `user` in the `Authentication` data model to work around a Splunk bug.
- Splunk CIM [I1101]: the `Authentication` data model has a new field: `dest`.
- Splunk CIM [I1101]: the `Inventory` data model has new fields: `cpu_mhz`, `cpu_cores`, `cpu_count`, `status`.
- Splunk CIM [I1101]: the `Network Traffic` data model has a new field: `user`.
- Splunk CIM [I1101]: the `Updates` data model has new fields: `dvc`, `file_name`, `status`, `vendor_product`.
- Splunk data models [B872]: added the uberAgent ESA data model `uberAgentESA_Score` with the dataset `uberAgentESA_Score_SCI`.
- Splunk data models [I1182]: added the field `SessionUser` to the uberAgent UXM dataset `uberAgentUXM_Score`.
- Splunk index [B872]: added a new index `score_uberagent_esa` for security score calculations in uberAgent ESA. This index can be deleted if uberAgent ESA is not used.
- Threat Detection Engine [B889]: renamed the stanzas `[ActivityMonitoringRule]`, `[ActivityMonitoringRule_Filter]`, and `[AddActivityMonitoringExpression]` to `[ThreatDetectionRule]`, `[ThreatDetectionRule_Filter]`, and `[AddThreatDetectionExpression]`, respectively. The previous names are still supported but deprecated from now on.
- Threat Detection Engine (Windows) [I1104]: changed the data type of `Reg.Value.Data` to string to simplify query rules using registry values.
Known issues
- Agent (Windows) [I1154]: under heavy load the following message may be logged: `CheckEventRecord,Events were lost. This may affect uberAgent's per-process disk, network, or UI-responsiveness metrics`.
- Agent (Windows) [I1157]: under Windows 7/8, the user logoff is recognized too late, which leads to too many metrics being determined during this time.
- Browsers [I1085]: on systems with many user sessions the URL of the foreground tab might not match the browser’s window title.
- Browsers/IE add-on (Windows): metrics are not collected on page reload.
- Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
- Browsers/IE add-on (Windows): monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
- Browsers/Firefox add-on [I626]: if the option `privacy.resistFingerprinting` is set to true, browser metrics are not available due to invalid data being sent by Firefox.
- Citrix ADC: in very rare cases, the content of the Virtual Server Performance field `vServerName` contains spaces in the wrong places.
- Citrix site monitoring (Windows): data collection issue if the Citrix Remote PowerShell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
- Citrix Virtual Apps and Desktops Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
- Experience Score [I377]: scheduled searches generate three warnings in Splunk’s `_internal` index every 30 minutes. The messages look like the following: `DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event.` However, there is no impact on uberAgent’s functionality.
- GPU (Windows) [I33]: values for the fields `ComputeUsagePercentAllEngines`, `ComputeUsagePercentEngine0`, and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
- Kafka [I291]: in rare cases sending data to Kafka results in a `SEC_E_BUFFER_TOO_SMALL` error message in the log file. This should have no effect; the transmission is repeated and succeeds on the second try.
- Network monitoring (Windows) [I998]: in rare cases the determination of `NetUtilizationPercent` can lead to higher CPU load on Windows 7 x64.
- Single boot [I1052]: on Windows 11, no information can be retrieved if there is no active session within the data collection period.
- Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
- User input delay (Windows) [I983]: determining this metric may trigger a handle leak in uberAgent caused by Windows. This was fixed by Microsoft in most OS versions, but still happens on Windows Server 2022 22H2.
- Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.