Overview
The Universal Agent Manager solution is the central configuration and management element in Devo’s Universal Agent architecture. Technically speaking, it is an extended version of Fleet DM that provides a preconfigured set of logics—based upon packs of queries—as well as the necessary elements to aggregate, pre-process and ingest all retrieved data from the endpoints into Devo.
There are two main sets of use cases the UA Manager implements:
- For system administrators, it allows a fine-grain configuration of all the data querying and delivery to Devo. This includes packs definitions and configurations (such as execution intervals and so on).
- For data or security analysts, it provides a convenient UI way to execute on-demand queries to the fleet, thus enabling real-time, in-depth analysis of the managed set of endpoints.
Additionally, the UA Manager holds the repository of pre-configured agent packages that can be accessed for both manual installations as well as to be incorporated into any existing deployment tools.
Access to the Universal Agent Manager
As detailed in the solution deployment sections of this manual, there are two main entry points to the Universal Agent Manager:
- UA Manager administration UI, accessible via
https://DUAM_IP:8080, whereDUAM_IPis the Devo Universal Agent Manager IP. - UA Manager agents repository, accessible via
https://DUAM_IP:8081, whereDUAM_IPis the Devo Universal Agent Manager IP. Please refer to the Universal Agent deployment document for additional information on this section.
Administration UI access
To access the main administration UI of the Universal Agent Manager, open a new browser window and navigate to https://DUAM_IP:8080. Make sure you replace DUAM_IP with the URL or IP address used in the installation process. Once loaded, the following login screen should be shown:
Introduce the username and password as defined during the installation process.
Administration UI home / Hosts section
Once successfully logged in to the administration section of the UA Manager, the main screen of the application should appear as follows:
This home screen of the UA Manager, which corresponds to the hosts section in it, summarizes the size (number of agents deployed) and overall status of the fleet.
The complete list of options and functionalities provided to the user is detailed as follows:
- Username identifier (1): Displays the username of the active user.
- Main menu (2): There are three main sections in the UA Manager application: Hosts, which corresponds to the home or landing page in the Manager, Queries, that permits the access and execution of on-demand queries, and Packs, which is the specific section in which a number of queries can be bundled together as a single entity.
- Hosts lists (3): The central block of the Hosts section in the UA Manager application lists all discovered endpoints where the UA Agent has been deployed, and identified by their Hostname. This list of endpoints provides the following blocks of information:
a. Status: Endpoints present an online status when their agent is currently connected to the UA Manager. When endpoints are signaled as online, the configuration in the UAM is being applied and the results yielded by the execution of the packs is being propagated to the UA Manager for ingestion into Devo. On the other hand, endpoints whose status is offline are not currently available, and MIA ("missing in action") correspond to these endpoints that have not established a connection to the Manager for a certain period of time.
b. Uptime: Duration of the endpoint’s last connection to the Manager. Note this duration corresponds to the current duration of the connection for those with an active status.
c. Hosts / endpoints information: The rest of the columns in the list provide some additional information about the endpoint: OS type and version, baseline Osquery agent version, IP address, MAC address and other hardware details (CPU, memory).
The last column in the hosts list represent two types of clickable icons, each of them providing access a specific functionality:
| Run query: Opens up the queries section and automatically selects the corresponding endpoint as the target on which a manually defined query will be executed. Please refer to the queries section of in this manual. |
| Delete endpoint: The selected endpoint will be removed from the list. Clicking on the icon will make the following popup displaying:
As noted, this will not uninstall the agent from the endpoint but rather it will be removed from the list of hosts. |
- Filters block (4): Allows for the application of filters to the list of endpoints displayed in the central block. For example, clicking on the Online item will make the list show only those endpoints that are currently connected to the Manager and that are therefore available for on-demand querying operations as well as actively executing the pre-configured query packs.
- New labels (5): Opens up the new labels creation interface. Please refer to the endpoints labelling section of this manual for specific details.
- Additional navigation options -help, logout- (6): The help button connects the UA Manager with this public information repository provided that open Internet connectivity exists. Logout button closes the active session within the UA Manager and takes the user back to the login screen.
Endpoints labeling
The labeling feature in the Universal Agent solution facilitates the creation of groups of endpoints based on certain criteria such as their operating system type, version, or running applications. These labels are primarily used to restrict the execution of certain queries or packs of queries to the endpoints matching the labelling criteria, which becomes a very powerful and flexible way to segment the configurations applied to the whole set of managed endpoints.
By default, the Universal Agent solution comes with three predefined labels, which correspond to the three platforms supported by the solution based on the running operating system: Windows, Linux and macOS. The way these labels and any others are defined is by means of an SQL query. For example, this is the definition of the Windows label:
This means that all endpoints matching this condition will be automatically labeled as a Windows machine.
Similar or more complex SQL queries can be created arbitrarily for any number of labels, looking at any specific fields or values returned by the supported schema. This way it is perfectly possible to create an Apache label assigned to those hosts running an Apache webserver by analyzing the list of running processes in the machine.
Creation of a label
To create a new label, click on the Add new label button within the Host main section of the Universal Agent Manager application. The following screen will be shown:
- SQL (1): This input box will be used to state the actual query run to define the label. The result of the query will identify those hosts matching the set criteria hence they will be tagged with the defined label.
- Description fields and target (2): Use both Name and Description fields to provide textual descriptions of the tag. Platform is used to further restrict the application of the label based on the operating system running in the endpoints. Should the label be applicable to any of them, use the All platforms value.
- Documentation (3): This panel can be utilized as a reference to review the different tables existing in the data schema, as well as all columns included in each table. Typically, this element is used to assist in the process of defining the SQL query for the label.
As an example, we will create a new label that identifies all hosts that are currently running SSH processes. This is how the configuration of the label might look like:
Once done, click on the Save label button to apply the configuration and create the new SSH runners label:
And clicking on the label will apply it as a filter and show in the list only those hosts matching the criteria:
And packs, for example, can now be qualified for execution using the newly created label:
