uberAgent 6.2: Persistent Output Queue, Process Tampering Detection
Persistent Output Queue (Disk Buffering)
uberAgent’s persistent output queue (POQ) buffers the generated events on the endpoint’s disk before the agent attempts to send them to the backend. Only when an event has been delivered successfully is it removed from the POQ’s buffer.
The persistent output queue ensures that no data is lost even in situations where the backend is unavailable for prolonged periods of time. The most important use case for the POQ is with laptops.
On mobile devices, uberAgent was traditionally coupled with Splunk’s Universal Forwarder due to UF’s persistent queue functionality. With uberAgent’s new built-in persistent output queue, it’s not necessary anymore to deploy Universal Forwarder just for its disk buffering feature.
Citrix Cloud Monitoring
Introduced with uberAgent 6.1, Citrix Cloud monitoring is uberAgent’s capability to monitor the Citrix Virtual Apps and Desktops (CVAD) control plane in Citrix Cloud (announcement). Since the original release, we’ve been hard at work improving the speed and reliability of the queries to Citrix Cloud. The result is a fast and resilient Citrix Cloud connection that supports the latest API changes introduced by Citrix (e.g., pagination).
Detection of Process Tampering & Remote Thread Creation
uberAgent ESA now detects remote thread creation (a form of code injection) and multiple process tampering techniques (process hollowing, herpaderping, doppelganging). All the relevant event properties are available via the Activity Monitoring Engine. See this blog post for details.
Splunk Enterprise Security
While uberAgent had CIM support for a long time, we have extended the integration greatly with uberAgent 6.2. If you are used to working with Sysmon data in ES, you will notice no difference when switching to uberAgent. uberAgent supports all CIM fields populated by popular Sysmon add-ons found in Splunkbase, and more!
uberAgent’s macOS agent has learned many new tricks, including:
• Application crash reporting.
• Network monitoring now includes the remote (target) name in addition to the IP address.
• DNS query monitoring.
• Improved detection of SSH sessions.
uberAgent 6.2 comes with dozens of additional improvements and fixes, e.g.:
• The converted Sigma ruleset has been updated and now supports more categories.
• Authenticode signature verification improvements.
• Further optimized the network monitoring driver for even higher throughput.