Endpoint Agent
Overview
The Devo Endpoint Agent is a multi-platform and multi-purpose endpoint monitoring solution. It lets you gather a variety of datasets sitting in your infrastructure, efficiently process them, and create a comprehensive overview that spans multiple applications and use cases in areas such as security monitoring, IT health, and performance monitoring or capacity planning.
Built as a wrapper of Facebook’s Osquery monitoring tool, Endpoint Agent leverages its baseline capabilities with the necessary components to allow a seamless integration with Devo’s analytics platform. Furthermore, additional key functions not originally present in the default implementation have been introduced by Devo using Osquery’s standard extension mechanism.
The result is a highly performant and versatile endpoint instrumentation tool that copes with the needs of organizations concerned with the visibility of their infrastructure, as well as the effective collection of their related information.
Contact Devo to get a deployment package for the Endpoint Agent.
Architecture overview
The following diagram shows all of the components identified in the Endpoint Agent solution:
The solution is composed of two elements:
Devo Endpoint Agent: Corresponds to the implementation of the Osquery wrapper. It includes the Osquery agent and the additional components added by Devo to ensure secure communication with the EA Manager, as well as the necessary extensions that implement additional functionalities.
Devo EA Manager: The manager centralizes all configurations and communications from the EAs, acting as an intermediary point for data consolidation and forwarding to Devo.
The Endpoint Agent Manager is built around the FleetDM solution, with additional procedures added to speed up installation and configuration, as well as a pre-built communications path to Devo. There are two possible deployment models for the solution, depending on where the EA Manager is located: on-premises or hosted in a public cloud environment.
Supported use cases
The provided set of features and the extensibility of the Endpoint Agent, combined with the analytical capabilities of the Devo core, allow you to explore the following use cases. The following diagram summarizes the set of functions covered by the solution:
Configuration auditing
Retrieval of system-level configuration information such as hardware configuration, operating system versions, installed applications and extensions, development libraries, and so forth.
Performance monitoring
This module addresses the fetching of physical system information such as CPU, memory, disk and network interfaces consumption.
For the system statistics module, an Osquery extension has been built to ensure portability and coherence of the retrieved information across platforms. Its baseline set of libraries is built on gopsutil, which ensures smooth performance and makes it straightforward to add new features if and when required.
Status monitoring
Real-time assessment of both health and security status is performed by analyzing the information gathered for the following elements:
System events
Running processes
Network connections
The module also leverages the native capabilities of Osquery to cover the following features:
File integrity management
Threat patterns scanning
Events logging
With an initial focus on Windows Events, the Endpoint Agent also provides off-the-shelf support for a number of pre-configured Unix system log files to be automatically processed. In the case of Windows, the following Windows Event categories are pre-configured:
Application
PowerShell
Setup
Security
System
File logging
Osquery's vanilla version cannot scan the contents of arbitrary log files and folders and expose the logged events as query results. To fill that gap, a new Osquery extension has been created that allows selected files and folders to be parsed and uploaded. This feature enables the Endpoint Agent to gather the log information of virtually any application running on the host.
Osquery allows for an almost unlimited number of scenarios and use cases, combining the supported data schemas with standard capabilities (for example, triggering HTTP requests via curl and retrieving the results). For that reason, the solution has been designed to pass through any custom configuration and upload its results to the provisioned data structures. Needless to say, a bespoke parsing process (with a customer-specific synthesis table) might be needed in those cases.