New Feature - Add Your Own Device Notes

While Kolide can collect and visualize a lot of useful information from the devices themselves, sometimes, the most useful pieces of data about a device can come from the people who oversee them.

To that end, we've added a new way for Kolide team members with access to the admin UI to write unstructured notes. When you visit the device overview page, you will now see a new widget called Device Notes.

In this widget, simply write any notes about the device you wish to record, and then click save note.  As you can see, the notes support basic Markdown formatting, including links and headers.

If you or another team member make a mistake or want to review the history of notes on a particular device, you can click Revision History and easily restore any previous version of the notes.

In addition to being accessible in the UI, both the raw markdown and the rendered HTML versions of notes are now included in the Device API response.

Finally, we've also updated the overview page for Private Devices to include a limited set of informational widgets, including this new notes widget.


This is just one of many features we plan to roll out this year to help our customers better identify and record useful information about their devices. Until then, please let us know if you have any feedback or improvements, you would like to see.

Osquery 4.7.0 Inventory Improvements

Recently, the Kolide change-log has been bursting at the seams with improvements and new features, and while it's been fun bringing good news and cheer to you all on a near-daily basis, enough is enough. 

Instead of dragging this out over the next three days, we decided to create one big post with all of the Inventory improvements we've recently shipped to close out the week. Let's get started!

New Inventory Item - macOS System Extensions

Apple introduced their safer alternative to Kernel Extensions called System Extensions with the release of macOS Catalina in 2019. Now with Big Sur, Kernel Extensions are no more. Thanks to some incredible work by Kumarak of Trail of Bits, Osquery 4.7.0 now supports enumerating these extensions.

We are excited to announce that we've added these System Extensions to the default set of macOS Inventory


Improved Inventory - Windows User Metadata

On macOS, Kolide is not only able to enumerate the users of a particular device, but it can also enumerate additional metadata, like the number of times the user logged in or the last time the password was set.

Starting this week, Windows joins the party! Using WMI, Kolide can now collect additional metadata information about the device's user accounts, including:

  • last_logged_in_at - When the user last logged in.
  • logins_count - The total number of times the device user logged into the system.
  • failed_logins_count - The total number of times someone attempted to access a user account with incorrect credentials.
  • password_last_set_at - The precise time the user's password was changed or initially set.
  • password_expires_at - The precise time the user's password expires (when applicable).
  • windows_user_type - The type of Windows User (Ex: "Normal Account", "Domain Trust Account", etc.)

This information can be extremely helpful for our customers who really want to understand who the device's primary user is (based on login count). Additionally, knowing when a user last changed their password can be invaluable if you want to ensure that the user's password meets the complexity requirements in the most recent set policy.

You can check out these new columns in the Device Users Inventory section.


Improved Inventory - Google Chrome Extensions

The term Google Chrome Extension has become a bit of a catch-all with the recent arrival of many different browsers based on the Chromium open-source project. It's common-place now to find end-users installing Chromium extensions in Brave, Edge, or even Opera.

To that end, Kolide leverages all the great work done in Alessandro Gario of Trail of Bits in Osquery 4.7.0 to help you sort out which extensions belong to which browser, the enabled state of the extension, among other important details.

Check out the Google Chrome Inventory to peruse this new information.


Improved Inventory & Widget - macOS FileVault Status

I recently contributed an improvement to the disk_encryption table in Osquery that more clearly defines the difference between a encrypted disk and one that FileVault actually protects. At the same time, we also updated our built-in FileVault Check.

Now that these improvements are shipped in Osquery itself, we have updated our Disk Space widget and added the new column in Inventory. 

You can see the new filevault_status and related fields in the Storage Devices Inventory section

As always, please do not hesitate to reach out with questions or feedback!

Lost Mode Now Available on Windows Devices

Earlier this year, we introduced Lost Mode for Mac and Lost Mode for Linux, features that enable the IT team and end-users to work together to locate a misplaced or stolen device. 

Today, we are excited to announce we've completed our Lost Mode cross-platform support with the release of Lost Mode for Windows!

Like Lost Mode for Mac and Linux, this new feature surveys nearby Wi-Fi Access Points to help determine the Windows device's precise geolocation. We consider this a highly-sensitive feature that requires informed end-user consent each time it is used across all platforms.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions!

New Check: Windows Important Updates Missing

After many weeks of research and engineering, we at Kolide are very proud to announce the immediate availability of several new Windows-based features:

  • Device Check: Windows Important Updates Missing
  • Device Detail Page Widget: Windows Update
  • Inventory Item: Windows Pending Updates

Windows Important Updates Missing

This new Check enumerates important Windows updates that have not been installed within 2 days of becoming available.

While building this check, data accuracy was considered paramount. We did not want to return information about updates that did not apply to the device or were already installed. To achieve this specificity, we upgraded Kolide's agent to directly communicate with the Windows Update API, ensuring that the pending updates returned are always relevant and accurate for each device. This also means as soon as updates are installed correctly, they will disappear the next time we query the API.

Another top priority was to ensure that any failures we generated were only for important updates. Important to us means significant updates with security mitigations, anti-malware signatures, updates with high-criticality, or updates that reference bug fixes. If Kolide generates a failure for a missing update, you can bet it's going to be one that your users should install.

Finally, we wanted to go above and beyond when generating the step-by-step instructions for end-users and ensure that the titles for the updates match the titles in the Windows Update UI, even if they are in a different language.

Inventory and Widgets

To round out this new capability, we wanted to offer more than just an opinionated check. We also wanted to visualize information about Windows Update's configuration and provide our customers with information about all available updates (not just the important ones).

To that end, we've created the following Widget, which will now appear on all of your Windows Devices!

Additionally, if you're the type that wants to see all your data in one big table, you can review all pending Windows updates (including optional updates) in our new Inventory: Windows Pending Updates.

Or review the Windows Update Agent configuration in the new Inventory: Windows Update Config to find individuals who haven't scanned for updates in over a week whose updates are paused.

Reporting

If you are participating in our Reporting beta, you will also have access to all of this new inventory data in a queryable database. You can use this capability to perform aggregate queries (like counting data across devices) on data stored in Kolide's Inventory.

Location Services Check & Inventory

In the new Osquery 4.7.0 release (which is now automatically distributing to all of our customers), we contributed a new macOS table called Location Services. This table simply determines the status of a Mac's Location Services API, which can be adjusted by the end-user in System Preferences and within the Security & Privacy preference pane.

Without Location Services, several critical features like Find My Mac will not work correctly. To help our customers determine the status of Location Services, we are excited to introduce several features designed to take advantage of this new table as well as other work we've done in Kolide's agent.

New Check: Location Services Disabled

The Location Services Check allows our customers to track which Macs have Location Services disabled, and reaches out to end-users to turn the setting back on.

New Widget & Inventory

In addition to the Check, we've gone the extra mile to not just simply report on the global state of the Location Services, but to also enumerate the state of its advanced settings and the apps that requested (and were perhaps granted) a Location Services entitlement. 

The new Location Services widget will list all known apps and services that have requested entitlement to Location Services. If the status light is green, that means the entitlement was granted, and if the compass pin is present, it indicates location was accessed in the last 24 hours.

In addition to the widget, you can also peruse both the state of System Services and the Authorized Apps in Inventory.

If you find yourself not interested in collecting information about Location Services, you will be pleased to learn that you can now opt-out of any of Kolide's data collection, right from the the relevant Inventory screens!

Reporting Beta

For those of you who are participating Reporting SQL DB beta, you'll be happy to learn all of the new information regarding Location Services is now fully documented and available to query.

The New Global Failures View

You may have recently noticed a new top-level navigation option, Failures, in Kolide. We'd love to take a few minutes to walk you through this new Failures view, along with other improvements we made as a part of this feature's release.

One Place To View All Of Your Check Failures

In the UI, when a device fails a check, the information about that failure could be found in that particular Check's details page or on the Device's failure overview page.

Now, there is a third place to view this failure data across all checks and all devices.

Having this data in one place enables several compelling use-cases:

  • Organizing failures by tag (for example: "Show me all failures that belong to a Check with the Critical tag)
  • Searching across all failure metadata for keywords (ex: looking for the word "prod" might bring up some interesting results for failures belonging to more than one check)
  • Locating failures, devices, and people where end-users may be ignoring the notifications from Kolide.

Data and UI Consistency

While building this feature, we wanted to ensure the way we were showing failure data across different contexts was going to be consistent (even CSV exports). We also wanted to make sure the ability to filter and traverse the various failure states were preserved, no matter what part of the UI you were in.

The "Total" Tab - Viewing All Failures

In the spirit of giving administrators the most flexibility when filtering, sorting, and searching failure data, we've created a new tab called Total which allows you to see all failures, regardless of the failure's actual state.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored! 

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored!

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

Improved Failure Recheck Tracking

One sore spot a few customers raised to us is that when you re-check a failure, we immediately consider it "re-checked", even before we got the answer from the device! Now when re-checking, Kolide only updates the timestamp when we actually hear from the device.


This is just the start of many other features we plan to release for Checks this year. Stay tuned!

Lost Mode Now Available on Linux Devices

Early in January, we introduced Lost Mode for Mac, a beta feature in which the security team and end-users can work together to locate a device that was either misplaced or stolen. We are now excited to announce this same functionality is now available on Linux devices!


Just like Lost Mode for Mac, this new feature survey's nearby WiFI Access Points to help determine the Linux device's precise geolocation. Also just like Lost Mode for Mac, we consider this an extremely sensitive operation which requires informed end-user consent each time it is used.

You can learn more about Lost Mode by reading our help article!

As always, please don't hesitate to reach out to us with feedback or questions! 

Wondering about Windows support? Well, a little birdie told me that we might have something to say about that before the end of March. Stay tuned!

New Feature - Control Device Data Collection

Kolide's Inventory feature is designed to collect, enrich, and visualize important data from enrolled devices. We built it to preemptively answer many essential questions administrators have about their devices that Osquery is well suited to answer.

Before adding new device properties to Inventory, we discuss their utility and privacy implications internally and proceed accordingly. Unfortunately, if our customers felt differently about these decisions in the past, they had little recourse to customize further what data was collected. 

After writing the "collecting data honestly" section in honest.security, we knew we had to do better. To that end, we are proud to announce new features that enable Kolide administrators to more finely control what data is collected and displayed within Inventory and the features that rely on it.

For instance, let's say you don't really want Kolide to enumerate the Chrome Extensions your users install. You can now browse to the Chrome Extensions section in Inventory and select Disable Device Property.

Since Inventory is the source of truth for many features in Kolide, like widgets and checks, a modal will appear, which will advise you on precisely which features of Kolide might be impacted, allowing you to make a value-driven decision around the collection of any particular category of data.

Besides providing opt-out capabilities, this feature will also allow Kolide to ship new Inventory device properties that require explicit opt-in from an administrator. Starting today, we support ARP Cache as our first opt-in Inventory property.

Privacy Center

As part of our efforts to increase transparency to end-users, we have overhauled the UI of the Privacy Center and included a list of the data collected from devices.


Wrapping Up

We are excited for our privacy-minded customers to take advantage of this feature and truly customize the data collection to a level they and their end-users feel comfortable with.

If you are interested in using it, we encourage you to read our Help Center guide before diving in, as it contains more information than we could possibly fit in this announcement post.

New Check - Silver Sparrow

On February 18th, Red Canary working with MalwareBytes broke the news that they had discovered a latent malware infection is as many as 30,000 Macs. They posted a detailed analysis online and dubbed this new threat Silver Sparrow.

What makes Silver Sparrow so interesting is that while the malware had the capability to do real damage, its final payload was never executed by its authors and operators. It is also one of the first variants of Mac malware in the wild that was compiled to run natively on Macs with Apple Silicon.

This Malware is already well-detected by commodity anti-virus solutions, and Apple has done its part to help stop the spread by revoking the development certificate used to sign the malicious installer.

While Kolide isn't intended to be used as a comprehensive malware detection platform, we often as a courtesy hunt for prolific threats on behalf of our customers. Based on the information we have today, it appears no Kolide customers have been infected by this malware.

Even so, out of an abundance of caution, Kolide has developed a simple Check to look for this malware and deployed it to each of our customers. 

Please let us know if you have any follow-up questions or concerns about Silver Sparrow, malware, or the Checks feature of Kolide. 

Untrusted Extension - The Great Suspender

Making the rounds recently on Twitter was a tweet concerning a popular Chrome Extension, The Great Suspender.

The thread outlines an all too common situation. The author of a once beloved Chrome Extension sells their ownership interest to a third party, who then updates the extension to include spyware. In the case of The Great Suspender, this potentially includes transmitting the end-user's browsing history, and even modifies the web pages you visit directly in the browser.

Luckily, the user community caught these changes in The Great Suspender and pressured the new owner to back these updates out. With that said, it may be only a matter of time before those same malicious capabilities might be deployed once again.

To that end, Kolide is shipping a new Evil Chrome Extension Check for this extension, preloaded with an end-user notification you can deploy to help your employees understand the situation, and uninstall the extension if it is present.

If you would like to know more about this specific extension, feel free to check out the best comprehensive article we've found on the subject on LifeHacker.

Show Previous EntriesShow Previous Entries