The Devo Universal Agent is a multi-platform and multi-purpose endpoint monitoring solution that allows Devo customers to gather a variety of datasets sitting in their infrastructure and efficiently process them. You can then create a comprehensive view that spans multiple applications and use cases in areas such as security monitoring, IT health, and performance monitoring or capacity planning.
Built as a wrapper of Facebook’s Osquery monitoring tool, Devo's Universal Agent leverages its baseline capabilities with the necessary components to allow a seamless integration with Devo’s analytics platform. Furthermore, additional key functions not originally present in the default implementation have been introduced by Devo using Osquery’s standard extension mechanism.
The result is a highly performant and versatile endpoints-instrumentation tool that copes with the present and future needs of organizations concerned with the visibility of their infrastructure, as well as effectiveness in the collection of the aforementioned's related information.
Please contact Devo to get a deployment package for the Universal Agent.
High level architecture
The following diagram shows all of the components identified in the Devo Universal Agent solution:
The solution is composed of two elements:
Devo Universal Agent: Corresponds to the implementation of the Osquery wrapper. It includes the Osquery agent and the additional components added by Devo to ensure secure communication with the Universal Agent Manager as well as the necessary extensions that implement additional functionalities.
Devo Universal Agent Manager: The manager centralizes all configurations and communications from the Universal Agents, acting as an intermediary point for data consolidation and forwarding to Devo.
Universal Agent Manager is built around the FleetDM solution, with additional procedures added for a speedy installation and configuration, as well as a pre-built Devo communications path.
There are two possible deployment models for the solution depending on the location of the Universal Agent Manager: on-premise or hosted on a public cloud environment.
Supported use cases
The provided set of features and the extensibility of the Devo Universal Agent solution, combined with the analytical capabilities of the Devo core, allows you to explore the following use cases in a highly effective way. The following diagram summarizes the set of functions covered by the solution:
Configuration auditing: Retrieval of system-level configuration information such as hardware configuration, operating system versions, installed applications and extensions, development libraries, etc.
Performance monitoring: This module addresses the fetching of physical system information such as CPU, memory, disk and network interfaces consumption.
For the system statistics module implementation, an Osquery extension has been built to ensure cross-portability and coherence of the retrieved information across platforms. The baseline set of libraries are leveraged upon gopsutil, which ensures performance and the addition of new features if and when required.
Status monitoring: Real-time assessment of both health and security statuses is performed analyzing the information gathered for the following elements:
The module also leverages on the native capabilities of Osquery to cover the following features:
File integrity management
Threat patterns scanning
Events logging: With an initial focus on Windows Events, the Universal Agent also provides off-the-shelf support for a number of pre-configured Unix system log files to be automatically processed. In the case of Windows, the following Windows Event categories are pre-configured:
File logging: Osquery vanilla version does not implement the capabilities to scan the contents of arbitrary log files and folders, and expose these logged events as the result of queries. To fill that gap, a new Osquery extension has been created that allows for some files and folders to be parsed and uploaded. This feature enables the Universal Agent, in a simple manner, to gather the log information for virtually any application running on the host.
Osquery allows for an almost unlimited number of scenarios and use cases combining the supported data schemas with standard capabilities (e.g., trigger http requests via curl and retrieve the results). For that reason, the solution has been conceived to pass through any custom configuration and upload the results of it to the provisioned data structures. Needless to say, a bespoke parsing process might be needed in those cases (e.g., with a customer-specific synthesis table).