Document toolboxDocument toolbox

Endpoint Agent

Overview

The Devo Endpoint Agent (Devo EA) is a multi-platform and multi-purpose endpoint monitoring solution that allows Devo customers to recollect a variety of datasets sitting in their infrastructure, process them in an efficient way, and create a comprehensive view that spans multiple applications and use cases in areas such as security monitoring, IT health and performance monitoring or capacity planning.

Built as a wrapper of Facebook’s Osquery monitoring tool, Devo EA leverages its baseline capabilities with the necessary components to allow a seamless integration with Devo’s analytics platform. Furthermore, additional key functions not originally present in the default implementation have been introduced by Devo using Osquery’s standard extension mechanism.

The result is a highly performant and versatile endpoint instrumentation tool that copes with the needs of organizations concerned about the visibility of their infrastructure, as well as the effective collection of their related information.

Contact Devo to get a deployment package for the Endpoint Agent.

Architecture overview

The following diagram shows all of the components identified in the Devo EA solution:

The solution is composed of two elements: 

  • Devo Endpoint Agent: Corresponds to the implementation of the Osquery wrapper. It includes the Osquery agent and the additional components added by Devo to ensure secure communication with the EA Manager as well as the necessary extensions that implement additional functionalities.

  • Devo EA Manager: The manager centralizes all configurations and communications from the EAs, acting as an intermediary point for data consolidation and forwarding to Devo.

EA Manager is built around the FleetDM solution, with additional procedures added for a speedy installation and configuration, as well as a pre-built Devo communications path. There are two possible deployment models for the solution depending on the location of the EA Manager: on-premise or hosted on a public cloud environment.

Supported use cases

The provided set of features and the extensibility of the Devo EA solution, combined with the analytical capabilities of the Devo core, allows you to explore the following use cases in a highly effective way. The following diagram summarizes the set of functions covered by the solution:

Configuration auditing

Retrieval of system-level configuration information such as hardware configuration, operating system versions, installed applications and extensions, development libraries, and so forth.

Performance monitoring

This module addresses the fetching of physical system information such as CPU, memory, disk and network interfaces consumption.

For the system statistics module implementation, an Osquery extension has been built to ensure cross-portability and coherence of the retrieved information across platforms. The baseline set of libraries are leveraged upon gopsutil, which ensures performance and the addition of new features if and when required.

Status monitoring

Real-time assessment of both health and security statuses is performed analyzing the information gathered for the following elements:

  • System events

  • Running processes

  • Network connections

The module also leverages the native capabilities of Osquery to cover the following features:

  • File integrity management

  • Threat patterns scanning

Events logging

With an initial focus on Windows Events, the EA also provides off-the-shelf support for a number of pre-configured Unix system log files to be automatically processed. In the case of Windows, the following Windows Event categories are pre-configured:

  • Application

  • Powershell

  • Setup

  • Security

  • System

Current versions of Devo Endpoint Agent might not behave correctly when handling 200~300 Windows Events per second in a single Windows Server.

File logging

Osquery's vanilla version does not implement the capabilities to scan the contents of arbitrary log files and folders, and expose these logged events as the result of queries. To fill that gap, a new Osquery extension has been created that allows for some files and folders to be parsed and uploaded. This feature enables the Endpoint Agent to gather the log information for virtually any application running on the host.

Osquery allows for an almost unlimited number of scenarios and use cases combining the supported data schemas with standard capabilities (for example, trigger http requests via curl and retrieve the results). For that reason, the solution has been conceived to pass through any custom configuration and upload the results of it to the provisioned data structures. Needless to say, a bespoke parsing process might be needed in those cases (with a customer-specific synthesis table).

Agent monitoring

Osquery exposes a set of stats and lists of events of its own status, such as scheduled query info, Osquery events, extensions running, configuration loaded, and so on. The EA gathers this information and saves it in Devo.