The Devo Endpoint Agent (Devo EA) is a multi-platform, multi-purpose endpoint monitoring solution that lets Devo customers collect a variety of datasets from their infrastructure, process them efficiently, and build a comprehensive view spanning multiple applications and use cases in areas such as security monitoring, IT health and performance monitoring, and capacity planning.
Built as a wrapper around Facebook’s Osquery monitoring tool, Devo EA combines Osquery’s baseline capabilities with the components needed for seamless integration with Devo’s analytics platform. Furthermore, Devo has introduced additional key functions not present in the default implementation, using Osquery’s standard extension mechanism.
The result is a highly performant and versatile endpoint instrumentation tool that meets the current and future needs of organizations concerned with visibility into their infrastructure and effective collection of the related information.
Contact Devo to get a deployment package for the Endpoint Agent.
The following diagram shows all of the components identified in the Devo EA solution:
The solution is composed of two elements:
Devo Endpoint Agent: The implementation of the Osquery wrapper. It includes the Osquery agent, the additional components added by Devo to ensure secure communication with the EA Manager, and the extensions that implement the additional functionality.
Devo EA Manager: The manager centralizes all configuration and communication for the EAs, acting as an intermediary point for data consolidation and forwarding to Devo.
The EA Manager is built around the FleetDM solution, with additional procedures for speedy installation and configuration, as well as a pre-built communications path to Devo.
There are two possible deployment models for the solution, depending on where the EA Manager is located: on-premises or hosted in a public cloud environment.
Supported use cases
The provided set of features and the extensibility of the Devo EA solution, combined with the analytical capabilities of the Devo core, allow you to address the following use cases in a highly effective way. The following diagram summarizes the set of functions covered by the solution:
Retrieval of system-level configuration information such as hardware configuration, operating system versions, installed applications and extensions, development libraries, and so forth.
This module addresses the fetching of physical system information such as CPU, memory, disk and network interface usage.
For the system statistics module, an Osquery extension has been built to ensure cross-platform portability and coherence of the retrieved information. The underlying libraries are based on gopsutil, which ensures performance and makes it easy to add new features if and when required.
Real-time assessment of both health and security status is performed by analyzing the information gathered for the following elements:
The module also leverages the native capabilities of Osquery to cover the following features:
File integrity management
Threat patterns scanning
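To make concrete what a file integrity check reports, here is an added Python example that is not Devo's or Osquery's code: it builds a SHA-256 baseline of a directory tree and classifies files as added, modified or removed relative to an earlier baseline. Osquery's native FIM watches filesystem events rather than re-hashing on a schedule; the directory contents, file names and function names below are constructed for illustration only.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot
    smuggle foreign content into the baseline.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def diff_baselines(before: dict, after: dict) -> dict:
    """Classify changes between two baselines; every list is sorted."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def demo() -> dict:
    """Constructed scenario (assumption): baseline a temporary tree,
    change it in three ways, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "shadow").write_text("root:*:0:0:99999:7:::\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        before = build_baseline(root)

        # Simulated changes: a binary replaced, a file deleted, a new file written.
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced")
        (root / "etc" / "shadow").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("# constructed sample\n")
        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keeping the baseline keyed by relative path means the same snapshot can be compared across hosts that install the tree at different roots, which is also why a periodic hashing approach needs a trusted place to store the baseline itself.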
With an initial focus on Windows Events, the EA also provides off-the-shelf support for automatically processing a number of pre-configured Unix system log files. For Windows, the following Windows Event categories are pre-configured:
The vanilla version of Osquery cannot scan the contents of arbitrary log files and folders and expose the logged events as query results. To fill that gap, a new Osquery extension has been created that allows selected files and folders to be parsed and uploaded. This feature lets the Endpoint Agent gather, in a simple manner, the log information of virtually any application running on the host.
Osquery allows for an almost unlimited number of scenarios and use cases by combining the supported data schemas with its standard capabilities (for example, triggering HTTP requests via curl and retrieving the results). For that reason, the solution has been designed to pass through any custom configuration and upload its results to the provisioned data structures. Needless to say, a bespoke parsing process might be needed in those cases (with a customer-specific synthesis table).
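As an added illustration of what "exposing logged events as query results" means, the following Python example (not the Devo extension's code, and not an Osquery extension itself) turns a constructed syslog excerpt into rows with a fixed column set and applies a simple equality filter in the spirit of a `WHERE` clause. It follows the Osquery table convention that every column value is a string, and it keeps lines that fail to parse as rows flagged `parsed = "0"` rather than silently dropping them. The log path, column names and sample lines are assumptions made for this example.

```python
import re

# Classic BSD syslog line: "Mar  4 08:15:02 host program[pid]: message"
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample input; not real data from any host.
SAMPLE = """\
Mar  4 08:15:02 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Mar  4 08:15:10 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
this line is not in syslog format
Mar  4 08:16:00 web01 nginx[904]: signal process started
"""

COLUMNS = ("path", "line", "timestamp", "host", "program", "pid", "message", "parsed")


def parse_line(path: str, number: int, raw: str) -> dict:
    """Return one table row for a log line; every value is a string."""
    m = _SYSLOG_RE.match(raw)
    if m is None:
        # Failure mode: keep the raw text so nothing is lost, but mark it.
        return {"path": path, "line": str(number), "timestamp": "", "host": "",
                "program": "", "pid": "", "message": raw, "parsed": "0"}
    return {
        "path": path,
        "line": str(number),
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("prog"),
        "pid": m.group("pid") or "",
        "message": m.group("msg"),
        "parsed": "1",
    }


def generate_rows(path: str, text: str) -> list:
    """Parse a whole file body (already read) into rows, skipping blank lines.

    Line numbers count physical lines so a row can be traced back to the file.
    """
    rows = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if raw.strip():
            rows.append(parse_line(path, number, raw))
    return rows


def query(rows: list, **where) -> list:
    """Equality filter over rows, e.g. query(rows, host="web01", program="sshd")."""
    return [r for r in rows if all(r.get(k) == v for k, v in where.items())]


if __name__ == "__main__":
    table = generate_rows("/var/log/auth.log", SAMPLE)  # path is an assumption
    for row in query(table, program="sshd"):
        print(row)
    print("unparsed:", len(query(table, parsed="0")))
```

Recording the source path and line number in every row is what makes a later alert reproducible: an analyst can go back to the exact line on the exact host, and a count of `parsed = "0"` rows is a cheap health signal that the format of a monitored file has changed.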