*
This is a guest blog post from Helge Klein, founder and managing director at vast limits, the uberAgent company.
Many threats originate from the endpoint and detecting them requires insights into what happens on the endpoint. In this post we look at different endpoint activity data sources, comparing the benefits and capabilities of Splunk Universal Forwarder with vast limits uberAgent and homegrown solutions.
Splunk Universal Forwarder (UF) is Splunk’s default method for collecting and forwarding remote data. It supports the same broad range of platforms (including Windows, macOS, and Linux) and is configured in a similar manner to data collection on Splunk Enterprise/Splunk Cloud.
Splunk Universal Forwarder is an agent for getting endpoint data into Splunk Enterprise or Cloud. It supports a number of generic data sources that are important in the context of information security:
In addition to the above, Universal Forwarder can collect data from various sources specific to Windows: performance counters, WMI, registry changes, Active Directory changes, network activity, host inventory and printing.
The ability to run arbitrary tools or scripts (such as PowerShell on Windows systems), collect their output and send it to Splunk makes Universal Forwarder a versatile tool, and useful in many different scenarios.
The Splunk Universal Forwarder can send data to Splunk backends either via TCP or HTTP. It supports TLS encryption for both protocols. It also supports advanced options such as indexer acknowledgment and persistent disk queues.
uberAgent is a Windows and macOS endpoint agent developed by vast limits. It can be used in conjunction with Universal Forwarder or standalone.
uberAgent is optimized for a small footprint and minimal data volume. It typically needs fewer CPU and memory resources when compared to Splunk Universal Forwarder. In cases where there is an overlap in functionality with the UF, uberAgent often generates less data volume (e.g., network monitoring).
In terms of security (uberAgent ESA) as well as user experience and performance (uberAgent UXM), uberAgent is focused on providing deeper visibility into user and application activity
uberAgent ESA comes with an activity monitoring engine that efficiently detects risky behavior and flags the corresponding event for further analysis in Splunk. Activity monitoring rules are processed on the endpoint for maximum efficiency. uberAgent ESA ships with an extensive predefined rule set covering some of the most significant endpoint security use cases. The product also includes a converter for Sigma detection rules.
In addition to the above, uberAgent collects detailed information about application performance, network connections, web apps, and Citrix. Also, it does not stop at machine boot and user logon duration. All in all, uberAgent ESA collects data from about 80 different categories. Similar to Universal Forwarder, the agent’s capabilities can be extended through scripts whose output is captured.
uberAgent ESA feature summary:
uberAgent can send data either to a locally installed Universal Forwarder, which then forwards it to the Splunk backend or directly to Splunk Enterprise or Cloud.
uberAgent comes with 60+ Splunk dashboards that visualize all of the metrics collected by the agent. This makes for a smooth end-user experience and shortens implementation times dramatically as everything from data creation to dashboarding is coming from a single provider.
CIM-compliant event tags are automatically applied to the data collected by uberAgent. Data models provide a schema for all fields and sourcetypes. This makes uberAgent ready to be immediately adopted and integrated into Splunk Enterprise Security - the SIEM many clients rely on for centralized visibility through whatever mechanism, technique or tool data is collected.
A homegrown endpoint security data collection solution is typically based on a combination of Microsoft Sysmon and custom scripts.
Sysmon is a monitoring and logging agent designed to identify malicious or anomalous activity. Whenever Sysmon observes some activity that matches one of the rules of its configuration XML file it writes an event to the Windows event log.
Sysmon does not ship with monitoring rules; it needs to be configured from scratch by the customer. Many rules are available on the internet. The ruleset published by SwiftOnSecurity seems to be the most popular.
Sysmon’s capabilities are focused on low-level system events like process or thread creation, image or driver loads, registry or file system activity, WMI events, or DNS queries.
The events generated by Sysmon need to be read from the endpoint’s Windows event log and forwarded to Splunk by a tool like the Splunk Universal Forwarder.
Custom scripts are typically executed through an agent that also captures their output and sends it to Splunk. The Splunk Universal Forwarder and uberAgent are equally well suited for that task.
With a homegrown solution, customers need to create their own dashboards for the data they collect.
Universal Forwarder is a flexible and scalable tool. It comes Splunk-supported and should be a solid building block in a solution where customers require a data collection tool on the endpoint that can be adapted for any situation. It’s a key building block for organizations realizing the data-to-everything strategy.
uberAgent is going deeper into data and metrics collection. It comes with a good predefined configuration that makes it fast and easy to deploy and implement on top of Splunk Cloud/Enterprise. uberAgent’s dashboards light up with data minutes after installing the first endpoint agent. As a commercial product it offers full support and extensive documentation in addition to a unique set of metrics.
A homegrown endpoint security solution needs either of the two agents as a basis for tasks like data collection and transport to the Splunk backend. Homegrown appeals to customers who prefer tailor-made search queries and bespoke dashboard visualizations.
In the end, every approach has its benefits. There is no single solution that fits all requirements and use cases. As a Splunk customer, you are probably familiar with the Splunk Universal Forwarder. If you hadn’t heard of uberAgent before reading this article, be sure to request your 60-day trial license.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.