Managing query packs
The concept of packs in the context of the Universal Agent solution refers to logical groups of individual queries under a specific theme or use case. Although a query can be part of multiple packs simultaneously, queries and packs are commonly kept in a one-to-one relationship to simplify their management.
The main difference between individual queries, as created and managed in the queries section of the Universal Agent Manager, and those included in a pack is that the latter are individually configured to be executed automatically with a certain cadence, and their results are automatically collected and ingested in Devo. As such, packs can be seen as the mapping of the use cases supported by Devo onto individual pieces of data collection logic.
The Packs section
Access to the defined set of packs is done through the respective main menu item in the Universal Agent Manager application. Once you open this section in the Manager, the full list of available packs will be displayed in a table structure. Details of each individual pack can be shown by clicking on the corresponding row in the table, which will make the right-hand side pane show the pack composition and status details.
The following screenshot demonstrates how these elements are made accessible to the application user:
Navigation as well as available options are very similar to the ones offered in the queries section, and are as follows:
- Packs list (1): This section provides the full list of packs in the UA Manager, including high-level details of each pack such as its name, status, number of queries the pack consists of, etc. Clicking on any row in the list provides extra visibility on the implementation details of the selected pack. It is also possible to search / filter the full list of packs by name using the filter packs input in the upper part of the section.
Direct access to the creation of a new pack is accessible by clicking on the create new pack button. It is also possible to modify the definition of an existing pack either by double clicking on its entry in the table or by clicking on the edit pack button in the details section of a selected pack.
- Pack description (2): In this element of the UI, detailed information for a given pack is presented, including:
Pack: Name of the pack. Note: those packs whose name is prefixed by Devo are provided by default.
Queries: Full list of the queries (by name) included in the pack. Clicking on any query name will open up the query definition interface in the application.
Disabled / Enabled switch: Clickable element to enable or disable the pack. Disabling a specific pack will instruct endpoints to stop launching all queries contained in the pack, therefore also stopping the ingestion of the results into Devo. Enabling the pack, on the other hand, will start or resume the process of triggering all queries in the pack based on the defined intervals and ingest the results into Devo.
Creating or editing packs
The packs editing tool is accessible through the Create new pack button or by editing an existing one. The creation / editing interface for packs is as follows:
- Pack target (1): Allows for the assignment of a name and description for new or edited packs, as well as the definition of the sets of endpoints to configure the pack execution for. Clicking on the Edit button shows the different targeting options available for the pack, which are the same as for an individual query execution as explained in the using queries section of this manual.
Use the plus (+) icon to add the target definition to the list of targets specified for the pack. Targets can be defined based on individual host names or IP addresses, or by creating and applying custom tags. Click on the Save button to apply the changes, or on the Cancel button to disregard them.
- Queries list (2): Lists all queries that belong to the pack, providing general information related to the query execution in terms of type, recurrence and targets.
The description of these query details columns is as follows:
- Query name: Textual identifier of the query.
- Interval (s): Number of seconds between consecutive executions of the query, i.e., the execution cadence.
- Platform: Targeted operating systems.
- Osquery version: Specific version of the targeted Osquery agent, or Any for all versions.
- Shard: Percentage (1-100) of the target endpoints addressed per execution.
- Logging: Type of query, which can be a screenshot (camera icon) or incremental (+/-). Screenshot queries (snapshot, in osquery terms) return the full result set on every execution, while incremental ones (differential, in osquery terms) only return the rows that are new ('+') or have disappeared ('-') with respect to the previous execution cycle.
It is possible to remove a query from the current pack by clicking on the checkbox to the left of the query name and then clicking on the Remove query button. This will not delete the query itself, which will continue being available under the Queries section of the application.
- Query configuration (3): This panel accomplishes two main functions: first, it allows for the setting of the execution parameters for the query explained in the previous paragraphs. Secondly, and by using Select query, it allows administrators to search throughout the entire set of defined queries in the platform to add them to the active pack.
To modify the existing execution parameters of a query in the pack, or to add an existing query to the pack, follow the next steps:
- To modify the configuration of a query in the pack, click on the query in the queries list.
- To add a new query, click on the Select query dropdown menu and search for the query name you would like to add to the pack. Click on its name in the dropdown once located.
- Set or modify the execution parameters for the query, following the next example:
- Click on the Save button. The new query will appear in the list of available queries contained within the pack.
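The execution parameters described in the columns above (interval, platform, osquery version, shard, screenshot vs. incremental logging) are the same fields an osquery pack carries in its JSON definition. The following Python example, added here and not part of the Universal Agent Manager or of osquery itself, validates a set of pack entries as an administrator would fill them in, renders them in osquery's pack JSON layout, and shows what an endpoint reports for a screenshot query versus an incremental one between two runs. The pack name, query names, platform keywords and the port listings are constructed sample data; how the UA Manager stores packs internally is an assumption this example does not depend on.

```python
"""Pack entry validation, osquery-style pack rendering, and screenshot vs.
incremental result reporting. Example code, not the UA Manager's own."""
import json

# osquery platform keywords; "any" means no platform restriction.
VALID_PLATFORMS = {"linux", "darwin", "windows", "posix", "any"}


def validate_query_config(cfg):
    """Return a list of problems with one pack entry (empty list means valid)."""
    problems = []
    if not isinstance(cfg.get("interval"), int) or cfg["interval"] <= 0:
        problems.append("interval must be a positive number of seconds")
    shard = cfg.get("shard", 100)
    if not isinstance(shard, int) or not 1 <= shard <= 100:
        problems.append("shard must be a percentage between 1 and 100")
    for platform in str(cfg.get("platform", "any")).split(","):
        if platform.strip() not in VALID_PLATFORMS:
            problems.append(f"unknown platform '{platform.strip()}'")
    if not str(cfg.get("query", "")).strip():
        problems.append("query text is required")
    return problems


def build_pack(name, queries):
    """Render {query_name: cfg} into osquery pack JSON, rejecting invalid entries.

    Defaults ("any" platform/version, 100% shard, incremental logging) are left
    out of the output, as osquery treats an absent key as that default.
    """
    pack = {"queries": {}}
    for qname, cfg in queries.items():
        issues = validate_query_config(cfg)
        if issues:
            raise ValueError(f"{name}/{qname}: " + "; ".join(issues))
        entry = {"query": cfg["query"], "interval": cfg["interval"]}
        if cfg.get("platform", "any") != "any":
            entry["platform"] = cfg["platform"]
        if cfg.get("version", "any") != "any":
            entry["version"] = cfg["version"]  # passed through as configured
        if cfg.get("shard", 100) != 100:
            entry["shard"] = cfg["shard"]
        if cfg.get("snapshot"):
            entry["snapshot"] = True  # screenshot query; omitted = incremental
        pack["queries"][qname] = entry
    return pack


def differential(previous_rows, current_rows):
    """Rows that appeared (+) and disappeared (-) since the previous execution.

    Rows are compared as sorted (column, value) tuples so row order is ignored.
    """
    key = lambda row: tuple(sorted(row.items()))
    prev = {key(r): r for r in previous_rows}
    cur = {key(r): r for r in current_rows}
    return {
        "added": [cur[k] for k in cur if k not in prev],
        "removed": [prev[k] for k in prev if k not in cur],
    }


def report_results(cfg, previous_rows, current_rows):
    """What an endpoint ships for one execution of a pack query: the full
    result set for a screenshot query, only the +/- delta for an incremental one."""
    if cfg.get("snapshot"):
        return {"snapshot": list(current_rows)}
    return differential(previous_rows, current_rows)


# Constructed sample pack: two queries with different execution parameters.
SAMPLE_QUERIES = {
    "listening_ports": {
        "query": "SELECT pid, port, protocol FROM listening_ports WHERE port < 65535;",
        "interval": 300,
        "platform": "linux",
    },
    "os_version": {
        "query": "SELECT name, version FROM os_version;",
        "interval": 86400,
        "shard": 10,       # only 10% of targets per execution
        "snapshot": True,  # full result every run
    },
}

# Constructed results of two consecutive runs of listening_ports on one host.
RUN_1 = [{"pid": 812, "port": 22, "protocol": 6}, {"pid": 1301, "port": 3306, "protocol": 6}]
RUN_2 = [{"pid": 812, "port": 22, "protocol": 6}, {"pid": 2044, "port": 8080, "protocol": 6}]

if __name__ == "__main__":
    print(json.dumps(build_pack("example_pack", SAMPLE_QUERIES), indent=2))
    print(report_results(SAMPLE_QUERIES["listening_ports"], RUN_1, RUN_2))
```

Running the module prints the rendered pack and, for the incremental query, one added row (port 8080) and one removed row (port 3306); the same two runs fed to a screenshot query would report both rows of the second run in full, which is why incremental logging is the cheaper choice for large, slowly changing tables.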