...

Note

Please be aware that modifying the osquery configuration via the Web UI applies only to the running configuration of EA Manager and does not replicate the change to the inventory file of the Ansible playbook. Changes made in the Web UI must therefore be consolidated into the inventory file of the Ansible playbooks before any new deployment with Ansible, or they will be overwritten.

Common steps

  1. Log in to your Devo EA Manager administration console (https://<devo_ea_manager_ip>:8080).

  2. Once logged in, open the osquery configuration at https://<DEAM_IP>:8080/ -> settings -> Global agent options.

...

  [Screenshot]
  2. Here, a text editor shows the default configuration values together with those loaded from the DEA Manager inventory file, as in the following screenshot.

...

  [Screenshot]
  2. Search for the following flags in the configuration of each endpoint type and set them as indicated (or add them if they do not exist):

    1. enable_file_events: true (for Linux and macOS endpoints)

    2. enable_ntfs_event_publisher: true (for Windows endpoints)

  3. The following flags are also required for FIM but are already enabled by default in the EA Manager deployment. If you have not made any specific change to your deployment, you can skip this step. You can check the status of these flags by running SELECT name, value FROM osquery_flags in your fleet.

    1. disable_events: false (for Windows, Linux and macOS endpoints)

    2. disable_audit: false (for Linux and macOS endpoints)

  4. Once the configuration is updated, save the changes and wait for the agents to pick up the new configuration.
     You can check whether the configuration has been updated by querying the “osquery_flags” table.

  5. Add the file_paths of the data you want to monitor in the corresponding configuration section (Linux, macOS and Windows) in options:

    The following screenshots show the configuration for Linux and Windows.

Linux

[Screenshot: Linux file_paths configuration]

Windows

[Screenshot: Windows file_paths configuration]

MacOS

[Screenshot: macOS file_paths configuration]

Finally, save the changes and wait for the agents to pick up the new configuration.

...

For an environment that has not been deployed yet, modify the inventory file before deploying Devo EA Manager to add the flags and the paths to monitor.

  1. Locate the inventory file we used in our Devo EA Manager deployment.

  2. Open it with your preferred text editor and add the following options under the corresponding OS variable (in the vars section) of your inventory file:

    1. enable_file_events: true (only for Linux and macOS endpoints; under deam_fleet_config_agent_opts_nix or deam_fleet_config_agent_opts_darwin for Linux or macOS respectively)

      Linux:

      all:
        vars:
          deam_fleet_config_agent_opts_nix:
            enable_file_events: true

      MacOS:

      all:
        vars:
          deam_fleet_config_agent_opts_darwin:
            enable_file_events: true

    2. enable_ntfs_event_publisher: true (only for Windows endpoints; under deam_fleet_config_agent_opts_win)

      all:
        vars:
          deam_fleet_config_agent_opts_win:
            enable_ntfs_event_publisher: true

  3. The following flags are also required for FIM but are already enabled by default in the EA Manager deployment. If you have not made any specific change to your deployment, you can skip this step. You can check the status of these flags by running SELECT name, value FROM osquery_flags in your fleet.

    1. disable_audit: false (only for Linux and macOS endpoints; under deam_fleet_config_agent_opts_nix or deam_fleet_config_agent_opts_darwin for Linux or macOS respectively)

    2. disable_events: false (for Windows, Linux and macOS endpoints; can be placed under each specific OS variable or under the common one → deam_fleet_config_agent_opts)

  4. Add the file_paths of the data you want to monitor in the corresponding configuration section (Linux, macOS and Windows) of your inventory file:

    Linux:

    all:
      vars:
        deam_fleet_config_agent_opts_nix:
          enable_file_events: true
        deam_fleet_config_file_paths_nix:
          homes:
            - /home/%%
          etc:
            - /etc/%

    Windows:

    all:
      vars:
        deam_fleet_config_agent_opts_win:
          enable_ntfs_event_publisher: true
        deam_fleet_config_file_paths_win:
          documents:
            - 'C:\Users\vagrant\Documents'
          tmp:
            - 'C:\tmp\*'

    MacOS:

    all:
      vars:
        deam_fleet_config_agent_opts_darwin:
          enable_file_events: true
        deam_fleet_config_file_paths_darwin:
          homes:
            - /home/%%
          etc:
            - /etc/%
If you are running a new deployment, continue with the normal deployment process; the change will not be applied until the devo-endpoint-agent playbook is run.
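As an added example (not part of the Devo documentation or of the playbook), the following Python script checks an inventory file for the FIM settings described in steps 2 to 4 before a deployment is run: it parses the small YAML subset these snippets use with a purpose-built parser (so it needs no third-party module), reads the per-OS deam_fleet_config_agent_opts_* and deam_fleet_config_file_paths_* variables, and reports flags that are missing or set to the wrong value. The function names, the FAIL/WARN wording and the SAMPLE_INVENTORY text are constructed for illustration; the sample deliberately sets the Windows flag to false and omits the macOS disable_audit flag and file_paths so that it produces findings.

```python
"""Pre-deployment check of the FIM settings in a Devo EA Manager inventory file.
Added example, not part of the Devo documentation or the playbook: it parses the small
YAML subset used by these snippets (nested mappings, lists of scalars indented under
their key) and reports FIM flags or file_paths that are missing or wrong per OS type."""

def _scalar(token):
    token = token.strip()
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        return token[1:-1]  # quoted: keep backslashes literally (Windows paths)
    if token.lower() in ("true", "false"):
        return token.lower() == "true"
    return token

def parse_simple_yaml(text):
    """Minimal indentation-based parser for the inventory subset (not general YAML)."""
    root = {}
    stack = [(-1, root)]  # (indent of the owning key, container)
    pending = None        # (indent, parent_dict, key) still waiting for its value
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        content = line.strip()
        if pending is not None:
            p_indent, p_parent, p_key = pending
            pending = None
            if indent > p_indent:
                # the first child decides whether the key holds a list or a mapping
                child = [] if content.startswith("- ") else {}
                p_parent[p_key] = child
                stack.append((p_indent, child))
            else:
                p_parent[p_key] = None
        while indent <= stack[-1][0]:
            stack.pop()  # leave containers this line is not indented under
        container = stack[-1][1]
        if content.startswith("- "):
            container.append(_scalar(content[2:]))
        else:
            key, _, value = content.partition(":")
            if value.strip():
                container[key.strip()] = _scalar(value)
            else:
                pending = (indent, container, key.strip())
    if pending is not None:
        pending[1][pending[2]] = None
    return root

# Flags each OS type needs for FIM (steps 2 and 3 above) and their required values.
REQUIRED_FLAGS = {
    "nix": {"enable_file_events": True, "disable_events": False, "disable_audit": False},
    "darwin": {"enable_file_events": True, "disable_events": False, "disable_audit": False},
    "win": {"enable_ntfs_event_publisher": True, "disable_events": False},
}

def check_fim_inventory(inventory):
    """Return 'FAIL ...' / 'WARN ...' findings; an empty list means FIM-ready."""
    findings = []
    all_vars = (inventory.get("all") or {}).get("vars") or {}
    common = all_vars.get("deam_fleet_config_agent_opts") or {}
    for os_name, required in REQUIRED_FLAGS.items():
        opts = all_vars.get(f"deam_fleet_config_agent_opts_{os_name}") or {}
        for flag, wanted in required.items():
            actual = opts.get(flag, common.get(flag))  # per-OS value wins over the common block
            if actual is None and flag.startswith("disable_"):
                # already enabled by default in the EA Manager deployment: only a warning
                findings.append(f"WARN [{os_name}] {flag} not set explicitly (deployment default assumed)")
            elif actual is None:
                findings.append(f"FAIL [{os_name}] {flag} missing (must be {str(wanted).lower()})")
            elif actual != wanted:
                findings.append(f"FAIL [{os_name}] {flag}={str(actual).lower()} (must be {str(wanted).lower()})")
        paths = all_vars.get(f"deam_fleet_config_file_paths_{os_name}") or {}
        if not isinstance(paths, dict) or not any(paths.values()):
            findings.append(f"FAIL [{os_name}] no file_paths categories defined")
    return findings

# Constructed sample modelled on the snippets above; the Windows flag is deliberately
# wrong and the macOS block lacks disable_audit and file_paths, to produce findings.
SAMPLE_INVENTORY = r"""
all:
  vars:
    deam_fleet_config_agent_opts:
      disable_events: false
    deam_fleet_config_agent_opts_nix:
      enable_file_events: true
      disable_audit: false
    deam_fleet_config_file_paths_nix:
      homes:
        - /home/%%
    deam_fleet_config_agent_opts_darwin:
      enable_file_events: true
    deam_fleet_config_agent_opts_win:
      enable_ntfs_event_publisher: false
    deam_fleet_config_file_paths_win:
      tmp:
        - 'C:\tmp\*'
"""
```

To check a real inventory, pass the file contents to parse_simple_yaml and print the list returned by check_fim_inventory. Flags the page describes as enabled by default are reported as warnings rather than failures, because an absent entry only relies on the deployment default; the flags that must be added (enable_file_events, enable_ntfs_event_publisher) are failures when missing.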

...

We need to configure a new pack with two new queries for sending the data to Devo.

  1. In the Devo EA Manager, click on “Queries” in the left menu and search for the “Create New Query” button.

...

  [Screenshot]

  2. We need to create two new queries with the following SQL code:

    For Windows:

    SELECT *, "status.fim" as __devoSubTag FROM ntfs_journal_events;

    For Linux/macOS:

    SELECT *, "status.fim" as __devoSubTag FROM file_events;

  3. Create and save the new queries with the name you wish.

...

  [Screenshot]

  2. Now, click on “Packs” in the left menu and search for the “New Pack” button.

...

  [Screenshot]

  2. Name it as you wish, select the target hosts it applies to and save it.

...

  [Screenshot]

  2. Once saved, add the previously-created queries (adding the interval and the affected hosts for each query).

...

  [Screenshots]

  2. Save the changes.

Data access

By default, the FIM events produced by these queries are ingested into Devo under box.devo_ea.status.fim.

...

Configuration section (per endpoint type)

Linux

[Screenshot: Linux configuration section]

macOS

[Screenshot: macOS configuration section]

Windows

[Screenshot: Windows configuration section]

Wildcards

To specify which files and directories you wish to monitor, use fnmatch-style (filesystem globbing) patterns to represent the target paths. You may use the standard wildcards * and ** or the SQL-style wildcards % and %%, as shown below.
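As an added illustration of these rules (example code, not osquery's or Devo's), the following Python module models how an osquery-style file_paths pattern decides whether a given path is monitored, and which category it is reported under, using the Linux file_paths from the inventory section above as a constructed sample. The function names are the author's own; the semantics (single-level % or *, recursive %% or ** allowed only as the last component, a trailing slash equivalent to /%) follow the osquery FIM documentation, and matching is case-sensitive as on Linux and macOS.

```python
"""Model of osquery's file_paths wildcard semantics.

Added example, not osquery's own code: it follows the behaviour described in the
osquery FIM documentation. '%' and '*' match within a single path component,
'%%' and '**' (allowed only as the last component) match everything at any depth
below, and a trailing '/' is equivalent to '/%'. Matching is case-sensitive, as on
Linux and macOS; Windows paths are accepted by normalising '\\' to '/'.
"""
import fnmatch


def _components(path):
    """Split a POSIX or Windows path into components, normalising separators."""
    return path.replace("\\", "/").split("/")


def path_matches(pattern, path):
    """True if `path` is covered by the osquery-style `pattern`."""
    pat = _components(pattern)
    if len(pat) > 1 and pat[-1] == "":
        pat[-1] = "%"  # trailing separator: files directly inside the directory
    return _match(pat, _components(path))


def _match(pat, target):
    if not pat:
        return not target  # pattern consumed: the path must be consumed too
    head, rest = pat[0], pat[1:]
    if head in ("%%", "**"):
        if rest:
            raise ValueError("recursive wildcard must be the last path component")
        return len(target) >= 1  # anything one or more levels below
    if not target:
        return False
    glob = head.replace("%", "*")  # '%' inside a component behaves like '*'
    return fnmatch.fnmatchcase(target[0], glob) and _match(rest, target[1:])


def categorize(file_paths, path):
    """Return the file_paths category (what osquery reports in the `category`
    column of file_events) that covers `path`, or None if nothing matches."""
    for category, patterns in file_paths.items():
        if any(path_matches(p, path) for p in patterns):
            return category
    return None


# The Linux file_paths from the inventory example above, as a constructed sample.
LINUX_FILE_PATHS = {"homes": ["/home/%%"], "etc": ["/etc/%"]}
```

With this sample, /etc/shadow is reported under "etc" while /etc/ssh/sshd_config is not monitored at all, because a single % does not descend into subdirectories; use %% when the whole tree must be covered.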

...