About uberAgent

• Products - UXM & ESA

• Components - Agents & Apps

• System Requirements

• Changelog and Release Notes

• New Release Information and Notifications

Planning

• Architecture Options

• Configuration Options

• Splunk Data Volume Calculation

• Splunk Sizing Resources and Recommendations

• uberAgent Feature Support on macOS

Installation

• Backend

  • Installing Splunk

  • Configuring Splunks HTTP Event Collector

  • Installing and Configuring Elasticsearch & Kibana

  • Configuring Microsoft Azure Monitor

  • Configuring Apache Kafka & Confluent REST Proxy

  • Configuring Microsoft Azure Data Explorer (ADX) & Azure Event Hubs

• Installing uberAgent

  • Installing the Splunk Apps

  • Installing the Windows Endpoint Agent

  • Installing the macOS Endpoint Agent

  • Installing Splunk Universal Forwarder

  • Installing the Chrome Browser Extension

  • Installing the Firefox Browser Extension

  • Installing the Edge Browser Extension

  • Installing the Citrix Enterprise Browser Extension

  • Installing the Internet Explorer Browser Add-on

• Upgrading uberAgent

• Configuration via Group Policy

• Central Config File Management

• Configuration via Local Config Files

  • Config File Syntax

UXM Features & Configuration

• Experience Score

• Per-Application Network Monitoring

• Web App Monitoring

• Automatic Application Identification

• Citrix NetScaler (ADC) Monitoring

• Citrix Cloud Monitoring

• Citrix Session Monitoring

• Citrix Site Monitoring

• Central License File Management

• Event Data Filtering

• Username and Configuration Setting Encryption

ESA Features & Configuration

• Enabling ESA

• Threat Detection Engine

  • MS Office & Acrobat Reader Monitoring

  • File System Activity Monitoring

  • LOLBAS Monitoring

  • Network Monitoring

  • Process Tampering Monitoring

  • Remote Thread Monitoring

  • Root CA certificate monitoring

  • Security Descriptor & ACL Monitoring

  • Sigma Rules & Converter

  • Sysmon Rule Converter

  • Rule Editor - uAQL Studio

  • Rule Syntax

  • Event Types

  • Event Properties

• Security Score

• Hash Calculation of PE Images

• Authenticode Signature Verification

• Security & Compliance Inventory

  • Test Configuration

  • Test Scripts

  • Script Sandbox

• DNS Query Monitoring

• MITRE ATT&CK Integration

• Process Tree Dashboard

• Scheduled Task Monitoring

• Splunk Enterprise Security Integration

UXM Metrics

• Application Metrics

  • Application Crashes & Hangs Metrics

  • Application & Process Performance Metrics

  • Application Inventory & Usage Metrics

  • Application Name to ID Mapping Metrics

  • Application & Process Startup Metrics

  • Application UI Unresponsiveness Metrics

  • Software Update Metrics

• Browser Metrics

  • Google Chrome Metrics

  • Internet Explorer Metrics

  • Web App Metrics

• Citrix NetScaler (ADC) Metrics

• Citrix Session Metrics

• Citrix Virtual Apps & Desktops Site Metrics

• Machine Metrics

  • Machine Crashes & Hangs Metrics

  • Machine Inventory Metrics

  • Machine Performance And Utilization Metrics

• Computer Startup, Shutdown & Hibernation Metrics

  • Boot Processes Metrics

  • Computer Startup (Machine Boot) Metrics

  • Computer Shutdown Metrics

  • On/Off Transition Delay Metrics

  • Standby/Resume Duration Metrics

• Network Metrics

• Microsoft Office Metrics

• Session Metrics

• Performance Counter Metrics

• uberAgent Licensing Metrics

• User and Host Metrics

• User Logoff Metrics

• User Logon Metrics

• uberAgent Configuration Metrics

ESA Metrics

• Threat Detection Metrics

  • Generic Properties

• DNS Query Monitoring Metrics

• Process Stop Metrics

• Scheduled Task Metrics

• Security & Compliance Inventory Metrics

Advanced Topics

• Multi-Tenancy With Splunk

• Automatic Application of Configuration Changes

• Reducing the Data Volume

• Demoing uberAgent With the Event Generator for Splunk

  • uberAgent Event Generator Changelog

• Recommendations for Custom Dashboards (Splunk)

• Custom Scripts

• Data Distribution and Separation (Routing to Multiple Backends)

• User and Host Tags

• uAQL - uberAgent Query Language

• Persistent Output Queue With Intelligent Disk Buffering

• Event Triggers for Timers

Troubleshooting

• Creating an uberAgent Support Bundle

• Log Files

• uberAgent Log Collector Splunk App

• uberAgent Browser Extensions

• Creating an uberAgent Performance Recording

• uberAgents Driver Safety Net Feature

Knowledge Base

• Architecture

  • Description of the uAInSessionHelper/uberAgentHelper Process

  • Name or Version may be Inconsistent Between App Inventory and Usage

  • Using uberAgent With a Proxy

  • uberAgent vs. Splunk Template for XenDesktop 7

• Custom Queries

  • Walkthrough - Building a Splunk Search

  • How to Implement Drilldowns on Custom Dashboards

  • How to Report on CPU Seconds & RAM GB Hours per User

• Data Collection

  • Citrix Applications Are Still Displayed with Old Name After Renaming

  • Dashboards Have No Data

  • Differences between SessionPublishedAppsCtx and SessionPublishedName

  • How Application Startup Duration is Measured

  • How to Configure the Data Collection Frequency

  • Incomplete Boot Duration Metrics

  • No Data in Splunk Even Though uberAgent Sends Successfully

  • Reasons For Empty SessionFgBrowserActiveTabHost Field

  • Reported GPU Memory Usage per Process is Too High

  • Event Data Filtering Examples

  • PowerShell Constrained Language mode

  • Saving uberAgent Data to Disk on the Endpoint

• Data Storage

  • How to Configure Data Retention

• Data Volume

  • The Data Volume Dashboard Does Not Display Values For All Metrics

• Footprint & Performance

  • Changing the Accelerated Time Range

  • Reuse of Open HTTP Connections

• Installation & Upgrade

  • Directories and Registry Key Created by uberAgents Installer

  • uberAgent macOS Installation Fails When Executed From a Network Drive

  • uberAgent With Splunk Cloud - Differences to On-Premises Splunk Enterprise

  • Using uberAgent With Self-Signed Certificates

• Licensing

  • How to Enable uberAgent on a Subset of Machines Only

  • Supported License File Names & Multiple License Files

  • Storing uberAgents License in Azure Files

• Logon

  • GP logon script is longer than Total duration

  • Not all CSEs Used are Listed on the Dashboard User Logon Duration - Group Policy

  • What is the Definition of the Metric Pre Logon Init?

  • Logon Data Arrives Late or Never in the Backend

• Splunk

  • Configuring Alerts

  • How to Change uberAgents Splunk Index Name

  • Splunk Product Editions (SKUs) Supported by uberAgent

  • What to Do When You Get Splunk License Errors

  • Workaround for Lookup Errors with Splunk Free

• User Interface

  • How to Separate Data from Different Types of Machines

  • Remoting Protocol is Console Instead of ICA or RDP

  • The Dashboards Do Not Work Correctly in Internet Explorer

Practice Guides

• Detecting Network Connectivity Problems

• Citrix ADC Monitoring and Alerting

• Generating Driver Version Inventory Reports

• Querying Windows Performance Counters

• Documenting Applied Computer GPOs

• Identifying Applications That Use 100% of a CPU Core

• Collecting the Processor Temperature With uberAgent

• User and Host Tagging Examples

• Querying Windows Event Log

• Collecting More WiFi Details From WFH Employees

• Monitoring Windows Update Performance

• Creating a TPM Status Inventory Report

• Building a Browser Extension Inventory Report (Chrome/Edge/Firefox)

• Internet Explorer - Distinguish Standalone and Edge IE Mode Starts

• Testing the Azure AD (Entra ID) Join Status