
Preintegrated query packs

Devo Endpoint Agent works with “packs”: defined sets of queries that are executed periodically on the endpoints targeted in the Devo Endpoint Manager. While you can create your own queries in the EA Manager interface, the following table lists the preconfigured packs delivered with the default package, whose results are parsed properly in Devo:

| Pack name | Queries | Type | Description |
|---|---|---|---|
| DevoConfigurationPack | configuration_disk_info | Snapshot | Physical disks of the system |
| | configuration_windows_software | Snapshot | Software installed list (Windows) |
| | configuration_windows_software_choco | Snapshot | Software installed using Choco (Windows) |
| | existing_users* | Incremental | User list incremental |
| | existing_users_snapshot* | Snapshot | User list snapshot |
| | existing_groups* | Incremental | Group list incremental |
| | existing_groups_snapshot* | Snapshot | Group list snapshot |
| | existing_users_groups* | Incremental | Correspondence between users and groups |
| | existing_users_groups_snapshot* | Snapshot | Correspondence between users and groups (snapshot) |
| | system_info | Snapshot | Computer identification and hardware info |
| | configuration_network | Snapshot | Information about networks in the system |
| | operating_system | Snapshot | Operating system information |
| DevoEventsPack | all_windows_events | Incremental | List of Windows Events (Application, Security, System, Setup), tagged by type |
| | powershell_win_operational_events | Incremental | PowerShell (Windows) events, tagged |
| | other_sources_win_events | Incremental | Other Windows events tagged as “other_sources”. These events will show up in box.devo_ea.events_windows |
| | all_linux_syslog_events | Incremental | Events gathered in syslog for Linux-based systems |
| DevoStatusPack | logged_in_users | Incremental | Users logged in the system (incremental) |
| | logged_in_users_snapshot | Snapshot | Users logged in the system (snapshot) |
| | running_process_snapshot | Snapshot | Running processes list (snapshot) |
| | running_process | Incremental | Running processes (incremental) |
| | running_process_metrics | Incremental (no removals) | Details about running processes |
| | listening_ports | Snapshot | Open network ports in the system |
| | process_open_sockets | Snapshot | Open sockets by processes |
| DevoPerformancePack | devo_systat_cpu | Snapshot | CPU and memory load information |
| | devo_systat_iodisk | Snapshot | Disk read/write load |
| | devo_systat_network | Snapshot | Network sent/received traffic |
| | devo_systat_usagedisk | Snapshot | Disk capacity used and free |
| DevoFetchFilesPack | files_content | Snapshot | Last file contents read by fetchfiles |
| | ffext_files_info | Snapshot | Files and folders to process by fetchfiles |
| | ffext_files_config | Snapshot | Fetchfiles configuration |

Packs not listed in this table might not be parsed properly, and their data will end up in box.devo_ea.unknown (box.devo_ua.unknown in versions up to 1.2.0).

macOS users

Since macOS 10.15, macOS has a new event system (the Unified Logging System) that deprecates the existing ASL. The data in ASL can still be queried, but because it is not reliable, it is not consumed by default. The Endpoint Agent does not yet support consuming data from the new Unified Logging System API; this will be supported in future versions. Other queries not related to the Unified Logging System work normally.

(*) Queries against the users and groups tables have been found to have a significant impact on resource usage when the EA is deployed on Windows Domain Controllers with a large number of users and/or groups. If this is your case, use the EA carefully and disable these queries if the agent does not behave properly.