Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at Citrix.com.

Windows and macOS

Digital Employee Experience & Endpoint Security Analytics

Try it!

Why uberAgent?

uberAgent is an innovative digital employee experience monitoring and endpoint security analytics product for Windows and macOS.

  • Data quality

    uberAgent does not just collect data – it gives you the information that matters. Other products rely on the logs and counters built into the OS. uberAgent has its own metrics, comprehensively covering DEX and security.

  • Digital employee experience

    uberAgent helps enterprise IT provide fast, reliable, and secure devices & applications that boost employee productivity while strengthening cybersecurity.

  • Endpoint security analytics

    uberAgent detects risky behavior and verifies that devices & applications are configured securely. With its flexible and open architecture, uberAgent is the perfect complement to your EDR.

  • Physical & virtual

    uberAgent tells you everything you need to know about physical machines, virtual desktops, Apple macOS, Citrix, or VMware without affecting your systems’ user density.

  • Lightweight agent

    A single agent for digital employee experience and security analytics. uberAgent’s endpoint agent has been heavily optimized for minimal footprint and maximum efficiency.

  • Built for Splunk

    uberAgent is optimized for Splunk (but also works with Elastic, Azure Monitor, or Apache Kafka as backend). uberAgent comes with 60+ Splunk dashboards that visualize the collected data.

  • Unlimited scalability

    uberAgent scales to 100,000s of endpoints. Our enterprise customers are deploying uberAgent to their entire fleet of desktops, laptops, and VMs.

uberAgent Products

uberAgent UXM

uberAgent UXM covers all aspects of digital employee experience (DEX). It tracks the reliability and performance of any physical or virtual machine, enabling enterprise IT to provide productive digital work environments.

uberAgent is more than just monitoring. It is an indispensable tool for all phases of the IT lifecycle, from analysis to design, implementation, operations, and troubleshooting. uberAgent helps IT pros understand end-users without invading their privacy.

  • Application reliability
  • Browser usage
  • Citrix optimization
  • Network diagnostics
  • OS performance
  • Web app troubleshooting

uberAgent ESA

uberAgent ESA adds deep security visibility to the rich DEX and performance metrics collected by uberAgent UXM. With its open architecture, uberAgent ESA is the ideal complement to EDR products.

uberAgent ESA and uberAgent UXM are perfectly integrated. Both products combined require only a single agent, guaranteeing the smallest possible footprint on the endpoint.

  • Insecure configurations
  • DFIR
  • Data exfiltration
  • Compliance
  • Risky behavior
  • Lateral movement

uberAgent Features

User Logon Duration

uberAgent not only tells you if your logon times are good or bad. It shows you exactly where the time is spent.

  • Is it the user profile loading slowly?
  • Has the logon script become too big?
  • Is Group Policy being processed efficiently?

Learn more

Network Monitoring per Application

Oftentimes when applications are performing badly the root cause is an overloaded backend server. Such issues are hard to diagnose. uberAgent makes it a lot easier by collecting vital KPIs like latency, jitter, and packet loss – per application.

uberAgent also monitors network quality, detects blocked ports and calculates network availability.

Learn more

Threat Detection Engine

uberAgent ESA Threat Detection makes system activity traceable and searchable. Its comprehensive, extensible ruleset is powered by uAQL, a feature-rich query language that is both easy to read by humans and fast to process by computers.

When a Threat Detection rule matches a risky process, an unusual network connection, or similar activity, uberAgent ESA creates an event in your SIEM (e.g., Splunk).

Learn more

Application Reliability

Application stability and performance are crucial for user experience. With uberAgent, you can measure both!

  • Application UI unresponsiveness tracks when application UIs are not responding to user input.
  • Application performance determines the resource utilization of all the components that make up an application combined.
  • Application errors pinpoints what’s wrong – and who is affected.

Learn more

Web App Performance

Browsers have become operating systems of their own, running dozens or even hundreds of web apps concurrently, one app per tab.

It is no longer sufficient to gather performance data for the browser as a whole. IT needs to be able to identify business-critical web apps, monitor response times and data flows.

Learn more

Application Usage & Inventory

uberAgent easily answers difficult questions, both for traditionally installed and web apps:

  • How many licenses do we need for application X?
  • How many applications do we have in total?
  • Which applications are used where, and when?

Learn more

A quick intro

Watch the video

This video explains in 3 minutes why every end-user computing deployment needs uberAgent, be it physical PCs, virtual desktops, Citrix CVAD, VMware Horizon, or Microsoft AVD.

All videos

More uberAgent Features

Experience Score

The experience score dashboard is the entry point of the uberAgent UXM Splunk app. It calculates and visualizes experience scores for the entire estate, breaking the data down by category and component, highlighting components where potential issues are originating from. The dashboard also provides quick access to important KPIs like logon duration, application responsiveness, or application errors.

MS Office Security

uberAgent ESA comes with preconfigured rules that detect suspicious behavior with MS Office applications, such as:

  • Child process creation
  • Download operations
  • Macro execution
  • Suspicious DLLs
Citrix Sessions

uberAgent provides unprecedented visibility into what’s happening in Citrix CVAD user sessions: bandwidth usage, protocol latency, Citrix policies, video encoding settings, and much more.

Application Identification

Tired of deciphering cryptic process names? We thought so. Process names are for machines, application names are for humans.

uberAgent’s automatic application identification does not require configuration – and it even works with Windows services, App-V, Java and UWP applications. On macOS, even XPC services and privileged helper tools are covered.

Suspicious Network Activity

uberAgent ESA detects suspicious behavior related to network operations such as:

  • PowerShell outbound network connections
  • RDP connects from non-RDP software indicating lateral movement
  • Network connects to suspicious ports
User Session Footprint

When sizing an SBC farm you need reliable data about RAM, CPU, and disk usage per user session. Such data can be hard to come by. With uberAgent, it is but a dashboard away.

Works with:

  • Citrix Virtual Apps and Desktops
  • VMware Horizon
  • Azure Virtual Desktop (AVD)
  • Nutanix Frame
Citrix Cloud

Citrix Cloud monitoring is uberAgent’s capability to monitor the Citrix CVAD control plane in Citrix Cloud. It collects information such as:

  • Published applications
  • Desktops & desktop groups
  • Machines & catalogs
LOLBAS

LOLBAS stands for Living Off the Land Binaries And Scripts, a type of activity that misuses tools and executables that are already there because they are part of the operating system. uberAgent ESA detects LOLBAS activity such as:

  • Unusual child processes and DLL loads
  • Starts from non-default locations
  • Download operations
  • Execution from alternate data streams
File System Permissions

uberAgent ESA has sophisticated features that greatly facilitate working with security descriptors (SDDL strings). uberAgent detects detect processes started from directories that are user-writable and process starts from directories with a low mandatory integrity label.

System Boot Performance

Boot duration is often equivalent to the number of disk IOs – if you want fast boots you need to reduce the IO count. And uberAgent shows you just what you need to know to do that.

Sigma Rule Converter

Sigma is an open-source project that collects generic signatures for SIEM systems. vast limits contributes a rule converter to the ESA Threat Detection rule format. This makes it possible to enable hundreds of additional detection rules simply by including another configuration file.

Citrix CVAD Sites

uberAgent detects if it is running on a Citrix Delivery Controller (DDC) or a Citrix Virtual Desktop Agent (VDA). On DDCs, uberAgent automatically activates additional metrics like machine registration status, license usage, and published application inventory.

WiFi Connections

uberAgent’s WiFi connection monitoring keeps track of the relevant quality and security parameters of the WiFi network through which a user’s endpoint is connected to the internet and/or the corporate network.

uAQL Studio

uAQL Studio is a free online tool to learn, build and test uberAgent ESA Threat Detection rules.

Root CA Certificates

uberAgent ESA detects changes to root CA certificates such as certificate chain cloning and cloned root trust attacks.

SSH Sessions

uberAgent detects incoming SSH connections to macOS endpoints. Every SSH connection is given a unique identifier. Any processes that are executed within the SSH session are associated with it.

DNS Exfiltration & Tunneling

DNS exfiltration & tunneling techniques are so dangerous because they abuse a core component of TCP/IP networks that is largely unmonitored and difficult to control: DNS. uberAgent’s agent-based DNS risk calculation and a Splunk dashboard focused on the detection of malicious DNS activity are two powerful weapons that help fight this threat.

Intelligent Disk Buffering

uberAgent’s persistent output queue ensures that no data is lost even in situations where the backend is unavailable for prolonged periods of time (e.g., when laptops are offline). Intelligent disk buffering minimizes disk IO by monitoring backend availability and bypassing the output queue on disk when the backend is reachable.

uAQL Query Language

uAQL is a query language that is powerful yet efficient and easy to read. uAQL queries are used by the endpoint agent for ESA Threat Detection rules and for event data filtering.

User & Host Tags

Collect additional user or machine identifiers from Active Directory, the registry, or from environment variables.

Authenticode Signatures

uberAgent verifies the digital signature of each EXE/DLL that is executed or loaded into memory. uberAgent checks many properties of the signature, including the full chain of certificates.

Custom Scripts

uberAgent can collect data for arbitrary custom metrics through a generic script execution engine. It runs any type of script at any desired interval, either per machine or per user session.

Remote Thread Creation

Remote thread creation monitoring collects detailed information for any remote thread code injection event, including source & target process and the function that was called.

Event Data Filtering

Event data filtering allows defining rules that are evaluated for every event before it is sent to the backend. Rules control whether the event is sent to the backend or not. Additionally, rules can be used to clear the contents of fields.

Splunk Enterprise Security Integration

uberAgent supports all CIM fields populated by popular Sysmon add-ons. Data models include Endpoint, Malware, Change, and Network Resolution (DNS).

Configuration via Group Policy or Config File

uberAgent can be configured by means of a configuration file (all platforms) or via Group Policy (Windows).

Image File Hashing

Whenever a process is started or a DLL is loaded, uberAgent ESA calculates the hash of the file located on disk. uberAgent supports the hash variants MD5, SHA-1, SHA-256, and ImpHash both individually and simultaneously.

Citrix NetScaler (ADC)

With Citrix NetScaler (ADC) monitoring, uberAgent collects appliance & gateway performance, utilization, and inventory data from Citrix Application Delivery Controllers.

Scheduled Tasks

uberAgent ESA monitors changes to Windows scheduled tasks. Whenever a task is created, updated, or deleted, uberAgent generates an event with all available details. This includes properties that are not displayed in the Windows Task Scheduler UI, such as COM actions or custom triggers.

GPU Acceleration

As it becomes more and more common to utilize the GPU for effects, video decoding and even general-purpose computing administrators need a tool that helps them understand exactly how their applications make use of GPU acceleration in order to optimally size the hardware for the workload. uberAgent is that tool.

Process Tree

uberAgent ESA comes with a powerful Process Tree dashboard that makes it easy to identify a process’ descendants, listing important process properties such as the process lifetime, the command line, the elevation status, or the name and version of the application the process is a part of.

Sysmon Rule Converter

Sysmon is one of the most popular endpoint detection tools. Numerous quality rulesets are maintained by the security community. With our converter, Sysmon rulesets can be used with uberAgent ESA.

Windows Performance Counters

In addition to its rich set of native metrics, uberAgent can collect data from any Windows performance counter. A Splunk dashboard provides visualizations and intuitive filtering.

MITRE ATT&CK Technique ID

uberAgent ESA Threat Detection rules come with MITRE ATT&CK technique ID annotations. The technique ID is visualized in the Splunk Enterprise Security Risk Analysis dashboard as well as in the dashboards of the uberAgent ESA Splunk app.

Helpdesk Splunk App

The uberAgent Helpdesk Splunk app provides a view of the data collected by uberAgent that is specifically formatted for help desk technicians. The app helps answer typical user questions quickly and efficiently.

Success Stories

uberAgent makes user experience measurable

Frederik von Rüden
Unit Head Virtual Workplace Solutions, GOSP

Ready-made graphs and commonly needed metrics available out of the box.

Jesse Harris
Infrastructure Analyst, USC

uberAgent not only shows that issues are very often not Citrix's fault, it also helps to find the root cause of a bad user experience.

Sacha Thomet
Systems Engineer and CTP, Die Mobiliar

uberAgent is easy and intuitive to use. It was a great help with sizing and troubleshooting our VDI environment.

Tiemon de Vries
Systems Engineer, Martini Ziekenhuis