
Endpoint Agent Manager user manual

Introduction

The Endpoint Agent Manager solution is the central configuration and management element in Devo’s Endpoint Agent architecture. Technically speaking, it is an extended version of Fleet DM that provides a preconfigured set of logics—based upon packs of queries—as well as the necessary elements to aggregate, pre-process, and ingest all retrieved data from the endpoints into Devo.

There are two main sets of use cases the EA Manager implements:

  1. For system administrators, it allows fine-grained configuration of all data querying and delivery to Devo. This includes pack definitions, pack configuration (for example, execution intervals), and so forth.

  2. For data or security analysts, it provides a convenient UI way to execute on-demand queries to the fleet, thus enabling real-time, in-depth analysis of the managed set of endpoints.

Additionally, the EA Manager hosts the repository of pre-configured agent packages, which can be downloaded for manual installations or incorporated into any existing deployment tool.

Access to the Endpoint Agent Manager

As detailed in the solution deployment sections of this manual, there are two main entry points to the Endpoint Agent Manager:

  • EA Manager administration UI, accessible via https://DEAM_IP:8080, where DEAM_IP is the Devo Endpoint Agent Manager IP.

  • EA Manager agents repository, accessible via https://DEAM_IP:8081, where DEAM_IP is the Devo Endpoint Agent Manager IP. Please refer to the Endpoint Agent deployment document for additional information on this section.

Administration UI access

To access the main administration UI of the Endpoint Agent Manager, open a new browser window and navigate to https://DEAM_IP:8080. Make sure you replace DEAM_IP with the hostname or IP address used in the installation process. Once loaded, the following login screen should be shown:

Enter the user email and password defined during the installation process.

UI home

Once successfully logged in to the administration section of the EA Manager, the main screen of the application should appear as follows:


The complete list of options and functionalities provided to the user is detailed as follows:

  • User menu (1): Clicking on the avatar picture gives you access to the “Settings”, “Manage users”, “My account”, “Documentation” and “Sign out” options. The “Settings” option displays an extensive menu of application settings. The “Manage users” area allows you to manage the users and their different access levels within the application. The “My account” option allows you to edit your contact details and password. The “Documentation” option links the EA Manager to the public information repository, provided that open Internet connectivity exists. The “Sign out” option closes the active session within the EA Manager and takes you back to the login screen.

  • Main menu (2): There are five main sections in the EA Manager application: Hosts, which shows all discovered endpoints where the EA Agent has been deployed; Software, which displays a detailed list of the software installed on the hosts; Queries, which permits the access and execution of on-demand queries; Packs, which is the section in which a number of queries can be bundled together as a single entity; and finally Policies, where you can see which hosts pass the policies that encode your organization’s standards.

  • Summary (3): A preview of some of the functionalities that can be found in the main menu.

Hosts section

This section of the EA Manager summarizes the size—number of agents deployed—and overall status of the fleet.

  • Hosts list (1): The central block of the Hosts section in the EA Manager application lists all discovered endpoints where the EA Agent has been deployed, each identified by its hostname. This list of endpoints provides the following blocks of information:

    1. Status: Endpoints show an online status when their agent is currently connected to the EA Manager. While an endpoint is online, the configuration defined in the EAM is being applied and the results yielded by the execution of the packs are being propagated to the EA Manager for ingestion into Devo. Endpoints whose status is marked as offline are not currently reachable, and MIA denotes those endpoints that have not established a connection to the manager for an extended period of time.

    2. Last fetched: The last time the host “vitals” were retrieved by EA Manager.

    3. Hosts / endpoints information: The remaining columns in the list provide additional information about the endpoint: OS type and version, baseline osquery agent version, IP address, MAC address and other hardware details (CPU, memory). The columns can be modified using the Edit columns button.

    4. Edit columns: Allows you to decide what columns you want to see in this list.

    5. Search box: Allows you to search a specific host. Search can be done by any of the available columns.

  • Filters block (2): Apply filters to the list of endpoints displayed in the central block. For example, clicking on the online item will make the list show only those endpoints that are currently connected to the Manager and that are available for on-demand querying operations, as well as actively executing the preconfigured query packs.

  • New labels (3): Opens up the new labels creation interface. Refer to the Endpoints labelling section of this manual for specific details.

The Host details screen is shown when you click on one of the hosts:

  1. Host basic info: Host information requested periodically by EA Manager.

    1. Refetch: Fetches again the host’s basic information.

    2. Query: Opens the Queries section with the corresponding endpoint preselected as the target on which a manually defined query will be executed. Refer to the Queries section of this manual.

    3. Delete: Removes the host from the list of hosts in the EA Manager. Note that this process does not uninstall the agent. The agent needs to be uninstalled manually, otherwise the host will be added again at its next check-in.


  2. Navigation bar: Allows navigation between the Details, Software, Packs and Policies tabs, displaying a summary of the host’s information.

    1. Software: Displays the software installed on the host and its version. Known vulnerabilities in the installed software versions can be shown by clicking on the view all host link inside the table.


    2. Packs: Packs that are currently running in this specific host. Clicking on a pack shows the queries that apply to that specific host, since not all queries in a pack have to necessarily apply to every host.

    3. Policies: Displays the policies assigned to the host.

    4. Details: The Details tab is shown by default and contains the following three sections:

  3. About this host: Extended information of the host.

  4. Agent options: Configuration related to the osquery agent deployed on this specific host. All three values are intervals in seconds; shorter intervals make the agent react faster to configuration changes and on-demand queries at the cost of more frequent connections to the manager:

    1. Config TLS refresh: Interval at which the agent fetches new configuration from the EA Manager.

    2. Logger TLS period: Interval at which the agent flushes any new logs (pack results) to the EA Manager.

    3. Distributed interval: Interval at which the agent checks whether there are any distributed (on-demand) queries to execute.

  5. Labels: Labels that apply to this specific host. To know more about labels, refer to the endpoints labelling section of this manual for specific details.

Endpoints labelling

The labelling feature in the Endpoint Agent solution facilitates the creation of groups of endpoints based on certain criteria. These labels are used primarily to restrict the execution of certain queries or packs of queries to the endpoints matching the labelling criteria, which becomes a very powerful and flexible way to segment the configurations applied to the whole set of managed endpoints.

By default, the Endpoint Agent solution comes with three predefined labels, which correspond to the three platforms supported by the solution based on the running operating system: Windows, Linux and macOS. The way these labels and any others are defined is by means of an SQL query. For example, this is the definition of the Windows label:

This means that all endpoints matching this condition will be automatically labelled as a Windows machine.

Similar or more complex SQL queries can be created for any number of labels, looking at any fields or values returned by the supported schema. For example, it is perfectly possible to create an Apache label assigned to those hosts running an Apache web server by inspecting the list of running processes on the machine.

Creation of a label

To create a new label, click on the Add new label button within the Host section of the Endpoint Agent Manager application. The following screen will be shown:

  • SQL (1): This input box will be used to state the actual query run to define the label. The result of the query will identify those hosts matching the set criteria and they will be tagged with the defined label.

  • Description fields and target (2): Use both the Name and Description fields to provide textual descriptions of the tag. Platform, on its side, is used to further restrict the application of the label based on the operating system running in the endpoints. Should the label be applicable to any of them, use the All platforms value.

  • Tables (3): This panel can be utilized as a reference to review the different tables existing in the data schema, as well as all columns included in each table. Typically, this element is used to assist in the process of defining the SQL query for the label.

As an example, we will create a new label that identifies all hosts that are currently running SSH processes. This is how the configuration of the label might look:
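The following label queries are an added example and are not the screenshot or the predefined label definitions from the original page. They follow the semantics described above: a label is an SQL query against the osquery schema, and a host receives the label when the query returns at least one row on that host. The table and column names (os_version, processes, listening_ports) are osquery's own; the process names and paths matched are assumptions about typical installations and should be adjusted to your fleet.

```sql
-- Added example: label definitions in the style described in this section.
-- A host is tagged with the label when the query returns one or more rows.

-- Platform-style label (the kind of definition the predefined Windows label uses):
-- os_version.platform is 'windows' on Windows and 'darwin' on macOS.
SELECT 1 FROM os_version WHERE platform = 'windows';

-- Caveat: on Linux, os_version.platform holds the distribution name
-- (for example 'ubuntu' or 'rhel'), so a Linux label has to match the
-- family instead, or rely on the Platform selector of the label form.
SELECT 1 FROM os_version WHERE platform_like IN ('debian', 'rhel');

-- "SSH runners" label: hosts with an sshd process running.
-- On Windows the process name carries the .exe suffix, hence both forms.
SELECT 1 FROM processes WHERE name IN ('sshd', 'sshd.exe');

-- Stricter variant (assumption: you only want hosts actually serving SSH,
-- not hosts where sshd happens to exist as a client-side helper process):
-- join against listening_ports, protocol 6 = TCP.
SELECT p.pid, p.path, lp.port
FROM processes p
JOIN listening_ports lp ON lp.pid = p.pid
WHERE p.name IN ('sshd', 'sshd.exe') AND lp.protocol = 6;

-- "Apache" label mentioned in the text: match on common process names
-- and, as a fallback, on the binary path.
SELECT 1 FROM processes
WHERE name IN ('httpd', 'apache2', 'httpd.exe')
   OR path LIKE '%/apache%';
```

Paste the query into the SQL (1) box of the label form, give it a Name and Description, and leave Platform at All platforms unless the query only makes sense on one OS. Because labels are re-evaluated by each agent, a label query should be cheap to run; prefer equality matches on indexed-like columns such as name over broad LIKE patterns when the fleet is large.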

Once done, clicking on the Save label button will apply the configuration and create the new SSH runners label:

Clicking on any label will apply it as a filter and show in the list only those hosts matching the criteria:

And packs, for example, can now be qualified for execution using the newly created label: