
Endpoint Agent Manager user manual

Overview

The Endpoint Agent Manager is the central configuration and management element in Devo's Endpoint Agent architecture. Technically, it is an extended version of Fleet DM that provides a preconfigured set of logic, based on packs of queries, together with the components needed to aggregate, pre-process and ingest the data retrieved from the endpoints into Devo.

There are two main sets of use cases the EA Manager implements: 

  1. For system administrators, it allows fine-grained configuration of all data querying and delivery to Devo. This includes pack definitions and their configuration (execution intervals and so on).

  2. For data or security analysts, it provides a convenient UI for executing on-demand queries against the fleet, enabling real-time, in-depth analysis of the managed endpoints.

Additionally, the EA Manager holds the repository of pre-configured agent packages, which can be used for manual installations or incorporated into any existing deployment tool.

Access to the Endpoint Agent Manager

As detailed in the solution deployment sections of this manual, there are two main entry points to the Endpoint Agent Manager:

  • EA Manager administration UI, accessible via https://DEAM_IP:8080, where DEAM_IP is the Devo Endpoint Agent Manager IP.

  • EA Manager agents repository, accessible via https://DEAM_IP:8081, where DEAM_IP is the Devo Endpoint Agent Manager IP. Please refer to the Endpoint Agent deployment document for additional information on this section.

Administration UI access

To access the main administration UI of the Endpoint Agent Manager, open a new browser window and navigate to https://DEAM_IP:8080. Make sure you replace DEAM_IP with the hostname or IP address used during the installation process. Once loaded, the following login screen is shown:

Enter the username and password defined during the installation process.

Administration UI home / Hosts section

Once successfully logged in to the administration section of the EA Manager, the main screen of the application appears as follows:

This home screen of the EA Manager, which corresponds to its Hosts section, summarizes the size of the fleet (number of deployed agents) and its overall status.

The options and functionalities available to the user are as follows:

  • Username identifier (1): Displays the username of the active user.

  • Main menu (2): There are three main sections in the EA Manager application: Hosts, which is the home or landing page of the Manager; Queries, which provides access to and execution of on-demand queries; and Packs, where a number of queries can be bundled together as a single entity.

  • Hosts list (3): The central block of the Hosts section lists all discovered endpoints on which the EA Agent has been deployed, identified by their hostname. The list provides the following blocks of information:

Status

Endpoints show an online status when their agent is currently connected to the EA Manager. While an endpoint is online, the configuration held in the EA Manager is being applied to it and the results produced by the execution of the packs are being sent to the EA Manager for ingestion into Devo. Endpoints with an offline status are not currently reachable, and MIA ("missing in action") marks endpoints that have not established a connection to the Manager for an extended period of time.

Last fetched

The last time the host "vitals" were retrieved by the EA Manager.

Hosts/endpoints information

The remaining columns provide additional information about the endpoint: OS type and version, osquery agent version, IP address, MAC address, and hardware details (CPU, memory). The set of visible columns can be changed with the Edit columns button.

Edit columns

Lets users choose which columns are shown in the list.

Search box

Lets the user search for a specific host. The search matches against any of the available columns.

  • Filters block (4): Applies filters to the list of endpoints displayed in the central block. For example, clicking on the Online item restricts the list to those endpoints that are currently connected to the Manager, and that are therefore available for on-demand queries and are actively executing the pre-configured query packs.

  • New labels (5): Opens the label creation interface. Refer to the Endpoints labeling section of this manual for details.

Clicking on one of the hosts opens the Host details screen:

  1. Host basic info: Host information that the EA Manager requests periodically.

    1. Refetch: Retrieves the host basic information again.

    2. Query: Opens the Queries section with this endpoint automatically selected as the target on which a manually defined query will be executed. Refer to the Queries section of this manual.

    3. Delete: Removes the host from the list of hosts in the EA Manager. As the confirmation dialog warns, this does not uninstall the agent: unless the agent is manually uninstalled from the endpoint, the host will be enrolled again on its next check-in.

  2. About this host: Extended information of the host.

  3. Agent options: Configuration of the osquery agent deployed on this specific host. Each option maps to the osquery flag of the same name and is expressed in seconds:

    1. Config TLS refresh (config_tls_refresh): Interval at which the agent fetches new configuration from the EA Manager.

    2. Logger TLS period (logger_tls_period): Interval at which the agent flushes buffered logs, including pack results, to the EA Manager.

    3. Distributed interval (distributed_interval): Interval at which the agent checks whether there are on-demand (distributed) queries to execute.

  4. Labels: Labels that apply to this specific host. Refer to the Endpoints labeling section of this manual for details.

  5. Packs: Packs that are currently running on this specific host. Clicking on a pack shows the queries that apply to this host, since not all queries in a pack necessarily apply to every host.

Endpoints labeling

The labeling feature in the Endpoint Agent solution facilitates the creation of groups of endpoints based on criteria such as their operating system type or version, or the applications they run. These labels are primarily used to restrict the execution of certain queries or packs of queries to the endpoints matching the labeling criteria, which is a powerful and flexible way to segment the configuration applied across the whole set of managed endpoints.

By default, the Endpoint Agent solution comes with three predefined labels, corresponding to the three platforms supported by the solution: Windows, Linux, and macOS. These labels, and any others, are defined by means of an osquery SQL query. For example, this is the definition of the Windows label:


All endpoints for which this query returns a result are automatically labeled as Windows machines.

Similar or more complex SQL queries can be written for any number of labels, using any table or column in the supported schema. For example, an Apache label can be assigned to the hosts running an Apache web server by inspecting the list of processes running on the machine.

Creation of a label

To create a new label, click on the Add new label button within the Hosts section of the Endpoint Agent Manager application. The following screen is shown:

  • SQL (1): This input box holds the query that defines the label. The hosts for which the query returns a result match the criteria and are tagged with the label.

  • Description fields and target (2): Use the Name and Description fields to describe the label. The Platform field further restricts the label to endpoints running a given operating system; if the label applies to any of them, use the All platforms value.

  • Documentation (3): This panel is a reference to the tables in the data schema and the columns in each table. It is typically used to assist in writing the SQL query for the label.

As an example, we will create a new label that identifies all hosts currently running SSH processes. The label configuration might look like this:


Once done, click on the Save label button to apply the configuration and create the new SSH runners label:


Clicking on the label applies it as a filter, so that the list shows only those hosts matching the criteria:


Packs, for example, can now be targeted for execution using the newly created label:
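The following osquery SQL illustrates the label mechanics described in the Endpoints labeling section and the SSH runners walkthrough above. It is an added example, not the definitions shipped with the EA Manager or Fleet DM; the table and column names (os_version, processes, listening_ports) are the standard osquery schema, and the process names used for Apache and SSH are assumptions about typical installations. The deciding rule is the one the text states: a host is a member of a label when the label query returns at least one row on that host.

```sql
-- Added example (not the product's own label definitions).
-- A host is a member of a label when the query returns at least one row.

-- Platform-style label, comparable to the built-in Windows label.
-- os_version holds exactly one row per host, so this yields 0 or 1 rows.
SELECT 1
FROM os_version
WHERE platform = 'windows';

-- Apache label: hosts with an Apache httpd process running.
-- Assumed process names; matching on a looser pattern such as '%http%'
-- would also tag hosts running unrelated binaries.
SELECT 1
FROM processes
WHERE name IN ('httpd', 'apache2')
LIMIT 1;

-- SSH runners label, as built in the walkthrough above.
-- A naive "name LIKE '%ssh%'" also matches ssh clients and ssh-agent,
-- so this version keeps only hosts where an sshd process is actually
-- listening on TCP (protocol 6 in listening_ports). 'sshd.exe' covers
-- Windows hosts when the label is saved with Platform = All platforms.
SELECT 1
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
WHERE p.name IN ('sshd', 'sshd.exe')
  AND lp.protocol = 6
LIMIT 1;
```

Each query is pasted on its own into the SQL box of the label editor; `LIMIT 1` keeps the result small, since membership only depends on whether any row comes back. Because membership is re-evaluated as the agent reports in, a host that stops running sshd drops out of the SSH runners label on its own, which is what makes labels a safe target for packs that should only run where a service is present.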