3.1.8.6. Agent Payload

Once the Agent is properly installed and established communication with the ON Core, it will start sending messages to the ON Core. These messages are called payloads and they are compressed and stored in the database (DDBB).

You can see them in the Agent payload section:

The API retrieves the last authentication status on each Agent response. It also sends, saves and displays the user ID of the person who authenticated the Agent.

The section displays the Hostname, the MAC, the IP, the User, and the Date of every corresponding payload. Apart from that, it displays the following columns:

3.1.8.6.1. Agent Versions

The version of the agent is represented in this column as an icon of the operating system where the agent is running.

3.1.8.6.2. Process type

There are different Process types for agent payloads and they are represented by icons. The following table indicates their meaning:

3.1.8.6.3. Data (Payload types)

There are different Payload types and they are also represented by icons. The following table indicate their meaning:

3.1.8.6.4. View payloads

Administrators can see the content of the payload by clicking on the eye icon.

The payloads are organized in different sections to facilitate their readability.

In the ACCOUNT INFORMATION module, we can find the key name and the key value.

In the OPENNAC DATA module, we can find the identifier, the timestamp, the data type, the VPN version, the platform, the agent version, the event, the IP used to send the payload, if the service is stopped and finally if the service is installed.

In the PAYLOAD PROCESSING TIME module, we can find the payloads process ID and the start and end time of the payload.

In the TRIGGER TYPE module, we can find the number corresponding to the trigger type.

In the TRIGGER DATE AND TIME module, we can find the date and time the trigger is finished.

In the HARDWARE module, we can find the system architecture, the name of the system where the agent is, the OS name, the OS version, the OS VM, the OS volume, the serial number, the hardware unique identifier, and if the device is using random MAC. If the Random mac switch is set to true, the HDT_MACRANDOM tag is added to the device.

Note

If the ON Agent is soluble and is not executed as sudo, the machine UUID and OS_VM flags won’t be returned in the Hardware section.

In the CERTIFICATES module, we can find a list of the certificates found on the host. We can find the end date, the issuer, the start date, and the subject from each certificate in the list.

In the ESTABLISHED CONNECTIONS module we can find a list of the host connections: the family number, the local address, the local port, the process ID, the protocol, the remote address, the remote port, and the state from each connection in the list.

In the NETWORKS module, we can find a list of the interfaces of the host machine. We can find the description, if the DHCP is enabled, the default gateway, the interface type, the IP of the interface, the MAC address, the name, the status, if it has a random MAC, and the type from each interface in the list.

In the OPEN PORTS module we can find a list of all the open ports of the host. We can find the family number, the local address, the local port, the process ID, the protocol, the remote address, the remote port and the state from each open port in the list.

In the SECURITY CENTER module for Windows devices, we can see a list of the security instances running on the host, like firewalls and antivirus. We can find the category, the company, if it is enabled, the product, if the security center is enabled, and if it is up to date from each security center in the list:

In the case of macOS devices, the SECURITY CENTER module displays the following columns:

In the USER ACTIVE module, we can see a list of the active users running on the host. We can find the domain and the name of the active user. When an OSQuery fails, this field will display the following error message: “A problem occurred when obtaining information about this entity”.

In the SCRIPT EXECUTION RESULTS module, we can find the name of the Script executing in the host, the key of the script, the result, the standard output and the start time and end type. These scripts are configured on ON Agent > Agent scripts. You can find more information in ON Agent > Agent scripts.

../../../_images/agent_payload_recover.png

In the RECOVER module, you will see the recovered payloads displayed with their timestamp. These payloads will be sent in the event of a loss of connectivity with the server.

../../../_images/agent_payload_iptables.png

The IPTABLES module, provides details about the iptables configuration, facilitating analysis of network traffic filtering.

../../../_images/agent_payload_bitlocker.png

In the BITLOCKER query, you can see the details of this feature when it is enabled in Windows operating systems. It ill add tags for each drive individually (ISS_BITLOCKER_DRIVE_C, NCS_BITLOCKER_DRIVE_D) and global tags for the drivers set (ISS_BITLOCKER, NCS_BITLOCKER). The table displays the following fields:

Conversion status: The bitlocker conversion status of the drive.
Device ID:ID of the encrypted drive.
Drive letter: Drive letter of the encrypted drive.
Encryption method: The encryption type of the device.
Lock status: The accessibility status of the drive from Windows.
Percentage encrypted: The percentage of the driver that is encrypted.
Persistent volume ID: Persistent ID of the device.
Protection status: The bitlocker protection status of the device.
Version: The FVE metadata version of the drive.

../../../_images/agent_payload_system.png

The SYSTEM UPDATES section displays installed updates with a description and date of the event.

../../../_images/agent_payload_installed_system_updates.png

The INSTALLED SYSTEM UPDATES section will report only Windows operating systems updates. The table displays the update ID, title and description, the release date, its client applicationID.

../../../_images/agent_payload_pending.png

The PENDING SYSTEM UPDATES section will report only Windows operating systems updates. The table displays pending uninstalled updates awaiting execution. For example, Security Intelligence Update for Microsoft Defender Antivirus.

Note

When Windows Update is disabled, the field SYSTEM_UPDATES_ACTIVE in the OPENNAC DATA section will return false. Additionally, both INSTALLED_SYSTEM_UPDATES and PENDING_SYSTEM_UPDATES fields will be set as ‘null’, making it difficult to accurately determine the machine’s update status.

Regarding System Update tags, note that drivers may be present in the update payload but are usually ignored for tagging purposes.

Understand three possible scenarios:

Disabled Updates

Scenario: When System Updates are disabled, the system enters a state where updates are not actively managed or applied.
Tags: The ISS_SYSTEM_UPDATES_DISABLED tag will be added to indicate that System Updates are disabled.

Enabled Updates & Not Updated

Scenario: In cases where System Updates are enabled, but some updates are pending installation or the system is not yet updated.
Tags:
- ISS_WINDOWS_PENDING_UPDATES will be added.
- UIS_AMOUNT_UPDATES_PENDING_X will be added with the number of pending updates.
- The UIS_OLDEST_UPDATE_PENDING_X tag could be added if it is possible to determine the oldest update (in days).
- The UIS_SEVERITY_UPDATES_PENDING_UNKNOWN tag will be added if it is not possible to determine the severity of the updates.
- The UIS_SEVERITY_UPDATES_PENDING_XXXXX tag will be added if it is possible to determine the severity of the updates (CRITICAL, IMPORTANT, MODERATE, or LOW)
- UIP_KBxx tags will be added for each pending update.

Enabled Updates & Updated

Scenario: When System Updates are enabled and the system is up-to-date with all available updates.
Tags: The ISS_SYSTEM_UPDATES_ENABLED tag confirms that System Updates are active. Additionally, the ISS_WINDOWS_UPDATED tag is added to indicate that the system has been successfully updated with all available updates.

Unknown

Scenario: When the Agent cannot obtain information, either because the device does not have internet access or access to the corresponding Windows servers, or because the antivirus has blocked the query, etc.
Tags: The ISS_SYSTEM_UPDATES_UNKNOWN tag will be added indicating that the Agent could not obtain information.

By clicking on View Payload at the upper-right corner of the Agent Payload window, it will display the following view:

../../../_images/download_agent_payload.png

The Download payload icon allows you to download the payload received.

We can perform a tag simulation from the View tags simulator icon.

See the Agent Doc for a complete list of tags generated from the data collected by the Agent.

In View server response icon, we can see the Agent server response:

../../../_images/agent_payload_response.png

In the GENERAL CONFIGURATION module, we can find the periodicity of the script execution in seconds, the periodicity of the full scan in seconds, the waiting time before a script execution before initialization, the waiting time ignoring sc events before windows initialization, the interval between user session events, the visibility, the debug mode, the secure mode, the number of logs sent to the server, the max log file size in MB, the max number of old logs saved, if the event product changed, if the event firewall changed, if the security center changed, if the network changed, if the user session changed, if there is an event when closing and if there is an event when uninstalling.

../../../_images/agent_payload_response1.png

In the CONNECTION PROPERTIES module, we can find the connection protocol, the connection endpoint, the endpoint to discover the IP that the agent uses to make requests, the connection IP or domain, and the taf identifier.

In the UI CONFIGURATION module, we can find if the UI is enabled, if the debug mode is enabled, if the client authentication is enabled, if OpenVPN is enabled, if the SAML for OpenVPN is enabled, if an URL is going to be open when connecting using OpenVPN, if Wireguard is enabled, if the SAML for Wireguard is enabled, if an url is going to be open when connecting using Wireguard, the UI language, and MUI.

../../../_images/agent_payload_response2.png

In the OpenVPN CONFIGURATIONS module, we can find the configuration of the OpenVPN server.

In the Wireguard CONFIGURATIONS module, we can find the configuration of the Wireguard server.

In the VLAN module, we can find the VLAN name and the VLAN ID.

../../../_images/agent_payload_response3.png

In the POLICY module, we can find the policy where the host matched.

In the AGENT USER AUTHENTICATED section, we can see if the user has been authenticated.

In the RECOVER module, you will see the recovered payloads displayed with their timestamp. These payloads will be sent in the event of a loss of connectivity with the server.

In View logs icon, we can see the agent logs.

When inserting text in the Search box, it will search for that piece of text inside the JSON file. So we can use it to filter by software, hostname, IPs, processes and anything else that could reside into an agent’s JASON.

The Agent service stopped icon, indicates that the agent service has stopped in that device.

You can also call the agentpayload using the API key.

See more details about the data exchange process in the Agent Doc section, which showcases examples of data extracted from devices by the Agent and transmitted between OpenNAC Enterprise and the Agent.