Preintegrated query packs
- Juan Tomás Alonso Nieto (Deactivated)
Devo Endpoint Agent works based in “packs”, a defined set of queries that will be executed periodically in the targeted endpoints existing in the Devo Endpoint Manager. While a user you create your own queries in the EA Manager interface, the following table depicts the preconfigured packs delivered with the default package that will be parsed properly in Devo:
Pack name | Queries | Type | Description |
|---|---|---|---|
DevoConfigurationPack | configuration_disk_info | Snapshot | Physical disks of the system |
configuration_windows_software | Snapshot | Software installed list (Windows) | |
configuration_windows_software_choco | Snapshot | Software installed using Choco (Windows) | |
existing_users* | Incremental | User list incremental | |
existing_users_snapshot* | Snapshot | User list snapshot | |
existing_groups* | Incremental | Group list incremental | |
existing_groups_snapshot* | Snapshot | Group list snapshot | |
existing_users_groups* | Incremental | Correspondence between users and groups | |
existing_users_groups_snapshot* | Snapshot | Correspondence between users and groups (snapshot) | |
system_info | Snapshot | Computer identification and hardware info | |
configuration_network | Snapshot | Information about networks in the system | |
operating_system | Snapshot | Operating system information | |
DevoEventsPack | all_windows_events | Incremental | List of Windows Events (Application, Security, System, Setup), tagged by type |
powershell_win_operational_events | Incremental | Powershell (Windows) events, tagged | |
other_sources_win_events | Incremental | Other Windows events tagged as “other_sources”. These events will show up in box.devo_ea.events_windows | |
all_linux_syslog_events | Incremental | Events gathered in syslog for linux-based systems | |
DevoStatusPack | logged_in_users | Incremental | Users logged in the system (incremental) |
logged_in_users_snapshot | Snapshot | Users logged in the system (snapshot) | |
running_process_snapshot | Snapshot | Running processes list (snapshot) | |
running_process | Incremental | Running processes (incremental) | |
running_process_metrics | Incremental (no removals) | Details about running processes | |
listening_ports | Snapshot | Open network ports in the system | |
process_open_sockets | Snapshot | Open sockets by processes | |
DevoPerformancePack | devo_systat_cpu | Snapshot | CPU and memory load information |
devo_systat_iodisk | Snapshot | Disk read/write load | |
devo_systat_network | Snapshot | Network sent/receive traffic | |
devo_systat_usagedisk | Snapshot | Disk capacity used and free | |
DevoFetchFilesPack | files_content | Snapshot | Last file contents read by fetchfiles |
ffext_files_info | Snapshot | Files and folders to process by fetchfiles | |
ffext_files_config | Snapshot | Fetchfiles configuration |
Packs created outside of this table might not be properly parsed and information will end up in box.devo_ea.unknown (in versions up to 1.2.0, box.devo_ua.unknown).
macOS users
Since macOS 10.15, there is a new Event System in macOS systems (Unified Logging System) that deprecates the existing ASL. The data existing in ASL can still be queried but due to the lack of reliability, it is not consumed by default. The Endpoint Agent does not support consuming data from the new API for Unified Logging System and it will be supported in future versions. Other queries not related to Unified Logging System can be done normally.
(*) It has been detected that queries to tables users and groups have a significant impact on resource usage when the EA is deployed in Windows Domain Controllers with a large number of users and/or groups. If this is your case, use the EA carefully and disable these queries if the agent does not behave properly.