Managing query packs
Introduction
The concept of packs in the context of the Endpoint Agent solution refers to logical groups of individual queries under a specific theme or use case. Although a query can be part of multiple packs simultaneously, queries and packs are commonly kept in a one-to-one relationship to simplify their management.
The main difference between individual queries, as created and managed in the queries section of the Endpoint Agent Manager, and those included in a pack is that the latter are individually configured to execute automatically with a certain cadence (an interval in seconds), and their results are automatically collected and ingested into Devo. Packs should therefore be seen as the mapping of the use cases supported by Devo onto individual pieces of data collection logic.
Packs section
Access to the defined set of packs is through the respective main menu item in the Endpoint Agent Manager application, where the full list of available packs is displayed in a table.
The following screenshot demonstrates how these elements are made accessible:
Navigation as well as available options are very similar to the ones offered in the queries section:
Packs list (1): This section provides the full list of packs in the EA Manager, including high-level details of each pack such as its name, status, the number of queries it consists of, and so forth. Clicking on any row in the list provides extra visibility on the implementation details of the selected pack. It is also possible to search or filter the full list of packs by name using the filter packs input in the upper part of the section.
Create new pack (2): A new pack is created by clicking on the create new pack button.
Pack tools (3): A menu of options appears when clicking on a pack element. These options include:
Enable or disable the pack: Disabling a pack instructs endpoints to stop launching all the queries it contains and also stops the ingestion of their results into Devo. Enabling the pack starts or resumes triggering all its queries at their defined intervals and ingesting the results into Devo.
Delete Pack: This will delete the pack from EA Manager.
Creating packs
The creation interface for packs is as follows:
Pack definition, description fields and targets (1): Allows you to assign a name and description to the new pack, as well as define the sets of endpoints on which the pack will execute. Clicking on the Select pack targets button shows the different targeting options available for the pack, which are the same as for individual query executions, as explained in the using queries section of this manual.
Information about query packs (2): This section provides some useful information on the operation of packs.
Editing packs
The Editing interface for packs is as follows:
Pack definition, description fields and targets (1): As when creating packs, this section allows you to assign a name and description to the edited pack, as well as define the sets of endpoints it targets.
Use the icon to add the definition of the target to the list of targets specified for the pack. Targets can be defined based on individual host names or IP addresses, or by creating and applying custom tags. Click on the Save button to apply the changes, or the Cancel button to discard them.
Additional target parameters are set in the execution configuration section, such as targeted operating system or agent versions. Refer to the next sections of the document for more details.
Queries list (2): Lists all queries that belong to the pack, providing general information related to the query execution in terms of type, recurrence, and targets.
The description of these query details columns is as follows:
Query name: Textual identifier of the query.
Frequency(s): Number of seconds between consecutive executions of the query (execution cadence).
Platform: Targeted operating systems.
Logging: Type of query, which can be screenshot (camera icon) or incremental (+/-). Screenshot queries return the full result set on every execution (osquery's snapshot logging mode), while incremental ones (osquery's differential mode) return only the rows that are new ('+') or have disappeared ('-') with respect to the previous execution cycle.
Performance impact:
Actions:
Edit: The above settings can be edited in the window shown by clicking on the Actions button, together with Minimum osquery version, which defines the minimum version of the osquery agent a target endpoint must run, and Shard (percentage), which defines the percentage (1-100) of target endpoints addressed per execution.
Remove: It is possible to remove a query from the current pack by clicking on this button. This does not delete the query itself, which remains available under the Queries section of the application.
Add query and filtering bar (3): Typing text into the filter field narrows the list of queries included in the pack to those entries that match the introduced text. Clicking on Add query adds a new query to this pack.
Column names / sorting buttons (4): The first row in the table displays the name of each column. It is possible to sort the list by name.
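As an added example (not Devo's or osquery's own code), the following Python maps the per-query pack settings described in the Queries list above (frequency, platform, logging type, shard and minimum osquery version) onto the pack JSON format that osquery consumes, validates them the way the UI constrains them, and shows the difference between the screenshot and incremental logging types by running both over two consecutive result sets. The table names are real osquery tables; the query names, settings, pack name and result rows are constructed assumptions.

```python
"""Added example, not Devo's or osquery's own code.

Maps EA Manager pack query settings onto osquery's pack JSON keys and
demonstrates snapshot (screenshot) versus differential (incremental)
logging on two constructed result sets.
"""
import json


def build_pack(pack_name, queries):
    """Translate EA Manager column values into an osquery pack definition.

    Input keys (frequency_s, platform, snapshot, shard, min_osquery_version)
    mirror the column names on this page; the output keys (interval,
    platform, snapshot, shard, version) are the ones osquery reads from a
    pack. The result is a config fragment that merges under "packs".
    """
    pack = {"queries": {}}
    for q in queries:
        if q["frequency_s"] <= 0:
            raise ValueError(f"{q['name']}: frequency must be a positive number of seconds")
        shard = q.get("shard", 100)  # default: every target endpoint runs it
        if not 1 <= shard <= 100:
            raise ValueError(f"{q['name']}: shard must be a percentage from 1 to 100")
        entry = {
            "query": q["sql"],
            "interval": q["frequency_s"],
            "platform": q["platform"],
            "snapshot": q["snapshot"],
            "shard": shard,
        }
        if q.get("min_osquery_version"):
            entry["version"] = q["min_osquery_version"]
        pack["queries"][q["name"]] = entry
    return {"packs": {pack_name: pack}}


def _row_key(row):
    # Result rows are dicts; a sorted item tuple makes them hashable for set diffing.
    return tuple(sorted(row.items()))


def differential(previous, current):
    """What an incremental ('+'/'-') query logs: only the rows that appeared
    since the previous execution and the rows that disappeared."""
    prev = {_row_key(r) for r in previous}
    curr = {_row_key(r) for r in current}
    return {
        "added": [dict(k) for k in sorted(curr - prev)],
        "removed": [dict(k) for k in sorted(prev - curr)],
    }


def query_result(snapshot, previous, current):
    """Apply the pack's logging type: a screenshot/snapshot query returns the
    whole current result set; an incremental query returns only the diff."""
    if snapshot:
        return {"snapshot": list(current)}
    return differential(previous, current)


# Constructed sample: rows from the listening_ports table on two consecutive runs.
RUN_1 = [{"pid": 700, "port": 22}, {"pid": 812, "port": 443}]
RUN_2 = [{"pid": 700, "port": 22}, {"pid": 3102, "port": 4444}]

# Constructed sample pack with one query of each logging type.
SAMPLE_QUERIES = [
    {
        "name": "listening_ports_diff",
        "sql": "SELECT pid, port FROM listening_ports;",
        "frequency_s": 300,
        "platform": "linux",
        "snapshot": False,            # incremental: report '+' / '-' rows only
        "shard": 25,                  # only 25% of target endpoints run it
        "min_osquery_version": "5.0.0",
    },
    {
        "name": "os_version_snapshot",
        "sql": "SELECT name, version FROM os_version;",
        "frequency_s": 3600,
        "platform": "linux,windows",
        "snapshot": True,             # screenshot: full result set every run
    },
]

if __name__ == "__main__":
    print(json.dumps(build_pack("inventory", SAMPLE_QUERIES), indent=2))
    print(query_result(True, RUN_1, RUN_2))   # the full current set
    print(query_result(False, RUN_1, RUN_2))  # only the new 4444 listener and the gone 443 one
```

The incremental run is the one a detection engineer usually wants for a table like listening_ports: it surfaces the single new listener on port 4444 and the disappearance of the 443 listener, instead of re-ingesting every unchanged row each cycle.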