
Add new sources in Endpoint Agent

Devo Endpoint Agent ships with a set of default sources (query packs) whose results are automatically uploaded to box.devo_ea in the Devo platform.

However, the Devo Endpoint Agent is flexible enough to let you add any other use case that can be covered with the osquery tables and forward the results to your Devo domain.

This article shows how to create new data sources in the Endpoint Agent and how to send the data to Devo.

Create a new query

The first step is to create a query that gathers the information needed for the use case you are trying to solve.

Osquery offers a large set of tables covering many use cases for every supported OS. The table schema can be checked in the osquery schema or in the right pane of the UI when creating a new query.

Create a new query:

  • When defining a new query, the result data can be sent to two different places:

    • box.devo_ea: This existing structure in the Devo platform parses the fields that are common to every event sent by Endpoint Agent. A “__devoSubTag” field can be included to differentiate these events from others. If a specific parser exists in the Devo platform for this type of event, the “__devoSubTag” field is used to apply the proper parsing.

    • my.app.<type>.<subtype>: Using the my.app structure, a user can send the data to a generic structure without parsing and then build their own parsing with the tools the Devo platform offers.

  • As an example, in the query below the field “__devoTag” is included among the selected fields, where the value of “__devoTag” is the name of the structure the data will be uploaded to in Devo. If it is not included, the data goes to box.devo_ea by default.

  • Alternatively, the data can be sent to box.devo_ea as in the following example:
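The two routing options above, written out as an added example (this is not a query from the Devo documentation or from the Endpoint Agent's default packs). The column names come from the real osquery `services` table; the tag values, and the convention of selecting a string literal aliased as `__devoTag` or `__devoSubTag`, follow the description in this article and are assumptions about how the Endpoint Agent picks those fields up.

```sql
-- Added example, not part of the original article.
-- Both queries read the osquery `services` table (Windows).

-- 1) Route the results to a my.app structure (stored unparsed) by selecting
--    the destination name as the __devoTag field. The tag value is an assumption.
SELECT
  name,
  display_name,
  status,
  start_type,
  path,
  user_account,
  'my.app.endpoint.services' AS __devoTag
FROM services;

-- 2) Leave __devoTag out so the results fall into box.devo_ea (the default),
--    and add a __devoSubTag so these events can be told apart from the other
--    Endpoint Agent events. Here the query is narrowed to auto-start services
--    whose binary lives under a user profile or temp directory, which is a
--    cheap check worth reviewing on endpoints.
SELECT
  name,
  display_name,
  status,
  start_type,
  path,
  user_account,
  'windows_services' AS __devoSubTag
FROM services
WHERE start_type = 'AUTO_START'
  AND (path LIKE '%\Users\%' OR path LIKE '%\Temp\%');
```

Once either query is placed in a pack and deployed, the first one lands in the my.app structure named by `__devoTag`, and the second appears under box.devo_ea with `windows_services` visible in the raw message, as described in the section on data arriving in Devo.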

Include the query in a pack

To make Endpoint Agent deploy the query to the endpoints and run it periodically, include the query in an existing pack or create a new one.

Data is sent to Devo

Once the query pack is configured and deployed on the endpoint, it starts executing and the data is sent automatically to Devo.

  • If the data is sent to a my.app structure, it shows up in your domain under that structure.

  • If the data is sent to box.devo_ea with the “windows_services” subtag, it shows up as in the following screenshots. Note that, as there is no specific parser for the new data, it falls into box.devo_ea.unknown and the subtag “windows_services” is included in the raw message.