More Slack App Improvements and Settings

As a follow-up to our grace period announcement yesterday, we are excited to share more big improvements to the Kolide Slack app.

Failure Summary Options

Kolide only sends a failure summary to end-users when their devices are failing checks and only once every weekday to help reduce alert fatigue.

Sometimes though, getting a message every weekday can feel a bit much. Starting today, Kolide admins can pick the days of the week to send these messages. Whether it's reducing to just three days a week or implementing your very own #kolidefixfriday, we hope the additional flexibility helps you tune the right notification frequency for your company.

Additionally, it can be quite fatiguing to receive a notification for a device that has been sitting in a drawer for a few weeks. To help with that, we've introduced a new option that allows you to only notify users when the device has been seen recently.  We've found this so helpful in practice that we set the default threshold to 7 days or less, but you can choose whatever makes sense for your team.


While end-users won't receive a proactive notification for an offline device, they can still see them in their Kolide app home tab after clicking the Show Offline Devices button.

Escalation Options

In addition to the improvements above, we've shipped new settings options to configure failure escalations

Previously, when you set up the Kolide Slack app, admins could choose only one channel for all failure notifications, automatic escalations, and end-user help requests. With today's release, admins can now choose different channels for all three use cases, including directing user help requests to a dedicated channel where IT staff can more easily see them.

On top of that, we now offer greater customization of the Contact Admin for Help button in Kolide's Slack message. Admins can customize the reply we send users when this button is pressed, allowing for internal guidance — like how to submit an IT ticket. Messages can even include dynamic information from the notifications the end-user escalated!

We hope these help you better customize the Slack app experience for your end-users. Please let us know what you think!

New: Slack Notification Grace Period

Today, when a device fails a Check, Kolide immediately schedules a Slack message to be sent to an end-user during their next notification window (the next weekday afternoon in their local time).

For many Checks, this is desired; Kolide has caught a serious problem, and you want to let the user know about it quickly. Sometimes though, this approach can feel a bit punitive. For example, if Kolide detects a Windows device is missing an important update that was just released, you may want to give the user at least a few days to take care of the problem before triggering a reminder.

To help with this use case, we are excited to introduce a new feature called Notification Grace Periods. When a grace period is configured for a Check, Kolide will generate a failure as soon as it detects a problem but will hold the notification sent to the end-user until the grace period has expired. 

To configure a grace period, go to the Check's configuration page and ensure the Notify Device Owner strategy is selected. If it is, a new dropdown will appear where you can choose how many days you'd like Kolide to wait before notifying the end-user. When the grace period expires, we will notify them during their next notification window.

We highly recommend choosing a delay on any checks where the user's failing state is temporary and will likely be resolved by the end-user within a few days. The Windows and macOS missing important update Checks are great candidates for this new feature.

To help admins better understand the state of a Failure with a grace period, we updated the failure details sidebar to show when the end-user was first notified and when Kolide first detected it. We've also added the first notified time to the table view and the failures API as first_notified_owner_at

While we do not proactively notify end-users about failures in the grace period, we still allow motivated users to see these failures if they wish when interacting with the Kolide Slack app. If a user has failures that meet this requirement, they will see an option to view those failures in their Slack app home tab, or when they type the status command.

We hope you find this new feature useful. As always, we welcome your questions and comments.

New Check: Windows Important Updates Missing

After many weeks of research and engineering, we at Kolide are very proud to announce the immediate availability of several new Windows-based features:

  • Device Check: Windows Important Updates Missing
  • Device Detail Page Widget: Windows Update
  • Inventory Item: Windows Pending Updates

Windows Important Updates Missing

This new Check enumerates important Windows updates that have not been installed within 2 days of becoming available.

While building this check, data accuracy was considered paramount. We did not want to return information about updates that did not apply to the device or were already installed. To achieve this specificity, we upgraded Kolide's agent to directly communicate with the Windows Update API, ensuring that the pending updates returned are always relevant and accurate for each device. This also means as soon as updates are installed correctly, they will disappear the next time we query the API.

Another top priority was to ensure that any failures we generated were only for important updates. Important to us means significant updates with security mitigations, anti-malware signatures, updates with high-criticality, or updates that reference bug fixes. If Kolide generates a failure for a missing update, you can bet it's going to be one that your users should install.

Finally, we wanted to go above and beyond when generating the step-by-step instructions for end-users and ensure that the titles for the updates match the titles in the Windows Update UI, even if they are in a different language.

Inventory and Widgets

To round out this new capability, we wanted to offer more than just an opinionated check. We also wanted to visualize information about Windows Update's configuration and provide our customers with information about all available updates (not just the important ones).

To that end, we've created the following Widget, which will now appear on all of your Windows Devices!

Additionally, if you're the type that wants to see all your data in one big table, you can review all pending Windows updates (including optional updates) in our new Inventory: Windows Pending Updates.

Or review the Windows Update Agent configuration in the new Inventory: Windows Update Config to find individuals who haven't scanned for updates in over a week whose updates are paused.

Reporting

If you are participating in our Reporting beta, you will also have access to all of this new inventory data in a queryable database. You can use this capability to perform aggregate queries (like counting data across devices) on data stored in Kolide's Inventory.

Location Services Check & Inventory

In the new Osquery 4.7.0 release (which is now automatically distributing to all of our customers), we contributed a new macOS table called Location Services. This table simply determines the status of a Mac's Location Services API, which can be adjusted by the end-user in System Preferences and within the Security & Privacy preference pane.

Without Location Services, several critical features like Find My Mac will not work correctly. To help our customers determine the status of Location Services, we are excited to introduce several features designed to take advantage of this new table as well as other work we've done in Kolide's agent.

New Check: Location Services Disabled

The Location Services Check allows our customers to track which Macs have Location Services disabled, and reaches out to end-users to turn the setting back on.

New Widget & Inventory

In addition to the Check, we've gone the extra mile to not just simply report on the global state of the Location Services, but to also enumerate the state of its advanced settings and the apps that requested (and were perhaps granted) a Location Services entitlement. 

The new Location Services widget will list all known apps and services that have requested entitlement to Location Services. If the status light is green, that means the entitlement was granted, and if the compass pin is present, it indicates location was accessed in the last 24 hours.

In addition to the widget, you can also peruse both the state of System Services and the Authorized Apps in Inventory.

If you find yourself not interested in collecting information about Location Services, you will be pleased to learn that you can now opt-out of any of Kolide's data collection, right from the the relevant Inventory screens!

Reporting Beta

For those of you who are participating Reporting SQL DB beta, you'll be happy to learn all of the new information regarding Location Services is now fully documented and available to query.

The New Global Failures View

You may have recently noticed a new top-level navigation option, Failures, in Kolide. We'd love to take a few minutes to walk you through this new Failures view, along with other improvements we made as a part of this feature's release.

One Place To View All Of Your Check Failures

In the UI, when a device fails a check, the information about that failure could be found in that particular Check's details page or on the Device's failure overview page.

Now, there is a third place to view this failure data across all checks and all devices.

Having this data in one place enables several compelling use-cases:

  • Organizing failures by tag (for example: "Show me all failures that belong to a Check with the Critical tag)
  • Searching across all failure metadata for keywords (ex: looking for the word "prod" might bring up some interesting results for failures belonging to more than one check)
  • Locating failures, devices, and people where end-users may be ignoring the notifications from Kolide.

Data and UI Consistency

While building this feature, we wanted to ensure the way we were showing failure data across different contexts was going to be consistent (even CSV exports). We also wanted to make sure the ability to filter and traverse the various failure states were preserved, no matter what part of the UI you were in.

The "Total" Tab - Viewing All Failures

In the spirit of giving administrators the most flexibility when filtering, sorting, and searching failure data, we've created a new tab called Total which allows you to see all failures, regardless of the failure's actual state.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored! 

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

This new view allows you for the first time, to see the entire posture (past and present) for a given device or device-owner. In a single screen, you can see all the Checks that are failing, have failed or are currently being ignored!

Likewise, you can use all of your favorite mass-actions to quickly address a variety of use-cases that before necessitated wading into individual Check screens. For example, do you have a test-device which is intentionally misconfigured which you wish to ignore failures for? Now you can filter down to only that device, and ignore all of its open failures with just a few clicks!

We are excited to see the use-cases you come up with to make your Kolide experience more efficient, informed and most importantly, actionable.

Improved Failure Recheck Tracking

One sore spot a few customers raised to us is that when you re-check a failure, we immediately consider it "re-checked", even before we got the answer from the device! Now when re-checking, Kolide only updates the timestamp when we actually hear from the device.


This is just the start of many other features we plan to release for Checks this year. Stay tuned!

New Check - Silver Sparrow

On February 18th, Red Canary working with MalwareBytes broke the news that they had discovered a latent malware infection is as many as 30,000 Macs. They posted a detailed analysis online and dubbed this new threat Silver Sparrow.

What makes Silver Sparrow so interesting is that while the malware had the capability to do real damage, its final payload was never executed by its authors and operators. It is also one of the first variants of Mac malware in the wild that was compiled to run natively on Macs with Apple Silicon.

This Malware is already well-detected by commodity anti-virus solutions, and Apple has done its part to help stop the spread by revoking the development certificate used to sign the malicious installer.

While Kolide isn't intended to be used as a comprehensive malware detection platform, we often as a courtesy hunt for prolific threats on behalf of our customers. Based on the information we have today, it appears no Kolide customers have been infected by this malware.

Even so, out of an abundance of caution, Kolide has developed a simple Check to look for this malware and deployed it to each of our customers. 

Please let us know if you have any follow-up questions or concerns about Silver Sparrow, malware, or the Checks feature of Kolide. 

Untrusted Extension - The Great Suspender

Making the rounds recently on Twitter was a tweet concerning a popular Chrome Extension, The Great Suspender.

The thread outlines an all too common situation. The author of a once beloved Chrome Extension sells their ownership interest to a third party, who then updates the extension to include spyware. In the case of The Great Suspender, this potentially includes transmitting the end-user's browsing history, and even modifies the web pages you visit directly in the browser.

Luckily, the user community caught these changes in The Great Suspender and pressured the new owner to back these updates out. With that said, it may be only a matter of time before those same malicious capabilities might be deployed once again.

To that end, Kolide is shipping a new Evil Chrome Extension Check for this extension, preloaded with an end-user notification you can deploy to help your employees understand the situation, and uninstall the extension if it is present.

If you would like to know more about this specific extension, feel free to check out the best comprehensive article we've found on the subject on LifeHacker.

We Have Updated Our FileVault Mac Check

Until today, Kolide has leveraged Osquery's disk_encryption table to report the Full Disk Encryption status of macOS in our check labeled "FileVault2 Primary Disk Encryption". 

However, we have discovered that Osquery considers the built-in SSD on M1 Macs and Macs with the T2 Secure Enclave to be "encrypted", even though their files can be trivially accessed by anyone with physical possession of the device without the user's password. Enabling FileVault is the only sure way to protect the data on your Mac.

Since our FileVault check was created to help our customer's ensure the data on their Macs are safe in the event the device is stolen, lost, or otherwise in the possession of an bad-actor, we have taken the following corrective actions:

  1. We have released a new version of our Kolide agent (0.11.17) which contains an accurate attestation about the status of FileVault
  2. We have updated our Check to utilize the new features of our agent.
  3. Since the latest release of Osquery is unable to obtain the status of FileVault, we have contributed our own patch for the benefit of the community.
  4. We have written an informative blog post about this situation to better educate Mac Admins who might be unfamiliar with the differences between Full Disk Encryption and FileVault on modern Macs.

We feel that these actions will better help not only Kolide customers, but anyone else who relies on Osquery for similar information.

As always, please let us know if you any follow-up questions or concerns.

Recently Discovered Evil Chrome Extensions

On December 16th, Threat Intelligence researches from Avast discovered several browser extensions that contained privacy invading malware. Read the press release here. 

In the press release, Avast summarizes the embedded malware's capabilities in the following paragraph.

Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. User’s privacy is compromised by this procedure since a log of all clicks is being sent to these third party intermediary websites. The actors also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user).

In response, Kolide has created a new Check called Evil Chrome Extension - Browser History Sniffer which detects all reported compromised Chrome extensions from the Avast report.  We suggest immediately enabling end-user notifications on this Check.

If users have one or more of any extensions, they will receive a notification that looks like the following:

If you have any questions or concerns about this check, please reach out to us at support@kolide.co or via the Intercom widget on the bottom-right corner of the Kolide  application.

For your convenience, below is a list of the Chrome Extension identifiers extracted from the links in the press release.

mdpgppkombninhkfhaggckdmencplhmg
fgaapohcdolaiaijobecfleiohcfhdfb
iibnodnghffmdcebaglfgnfkgemcbchf
olkpikmlhoaojbbmmpejnimiglejmboe
bhfoemlllidnfefgkeaeocnageepbael
nilbfjdbacfdodpbdondbbkmoigehodg
eikbfklcjampfnmclhjeifbmfkpkfpbn
pfnmibjifkhhblmdmaocfohebdpfppkf
cgpbghdbejagejmciefmekcklikpoeel
klejifgmmnkgejbhgmpgajemhlnijlib
ceoldlgkhdbnnmojajjgfapagjccblib
mnafnfdagggclnaggnjajohakfbppaih
oknpgmaeedlbdichgaghebhiknmghffa
pcaaejaejpolbbchlmbdjfiggojefllp
lmcajpniijhhhpcnhleibgiehhicjlnk

Kolide Side Dishes

At Kolide, we typically ship changes and improvements to the product multiple times a day. The vast majority of these changes are modest improvements not worthy of their own change-log post, but together, they can make a big difference.

While we are working on some 25-pound-turkey sized features we plan on announcing soon, we thought we'd let you dig into some of these side-dishes first! Enjoy.

UX Improvements

Tools Menu

Depending on your level of access to Kolide, you may notice a new item in the main navigation called "Tools". This menu now houses all of the useful features of the product that don't quite need top-billing, but also do not belong in the "settings" section of the website.


Speaking of tools, the "Reporting DB" feature listed here is a feature we are currently beta testing with a few customers. If you are interested in being able to programmatically access all of the data we collect about a device in inventory, and eventually build your own reports on that data with SQL, please reach out to us via Intercom or support@kolide.co and we'd be happy to include you in our next round of testers!

Log Pipeline

The biggest change here is Log Pipeline, a feature that allows you to unlock the full power of the osquery daemon we deploy in the Kolide agent. This feature is now easier to find and users with access to it can also access other related features like creating FIM categories, configuring osquery options, and setting up your own custom decorators! 

As users of the Log Pipeline ourselves, we think all these items living together is a much more intuitive experience. Let us know what you think!

Improved Context For Slack Notifications

When an end-user successfully fixes a failing check, Kolide shows them a congratulatory message. Sometimes though, depending on the timing of the message, or where the message appeared, there might be some confusion about what device this message is referencing.

After a customer pointed this out, we decided to add some additional context to these messages so it's always clear which device Kolide is congratulating you about!

Search By Device and Person ID

If you are a regular user of our API (or are just really good a remembering numbers you see in your browser's location bar), you may have tried to lookup a device or person by their Kolide generated ID in our global search bar. Starting today, searching for both devices or people by their ID will now function as you would expect!

Performance Improvements

Live Query

If you are a regular user of Live Query, you may have noticed that devices now return up to 10x faster after querying them, and present any informational warnings or errors without requiring a page reload! Kolide now better leverages websockets to deliver this information at a much faster pace.

Device CSV Exports

We had reports from several customers that exporting the list of devices via CSV could take a long time. After investigating the issue we were able to improve the speed of this export by over 100x!

Improved User To Device Association

We've made some changes to how we build custom package and optimized our initial device data population routines to improve the accuracy and the speed in which we are able to assign users to a device. Additionally, the file names we generate for the custom packages are also now much shorter!

API Changes

Based on a customer request, we've now added a product_image_url following field to the device API endpoint. In many cases (and in all cases on Apple products), this new field features the visage of the exact hardware model enrolled in Kolide. For those of you creating your own internal experiences, these device images can help give you and your end-users the confidence that they are viewing the right device.

Speaking of product images, we've also now added updated product images for all of the new M1 Macs released by Apple earlier this months, and we've changed many of the icons on the widgets featured in the device detail pages to match the changes in macOS Big Sur!

On the log pipeline side, we've also now added the remote_ip, device_owner_email, and device_owner_type, to the kolide_decorations object in the logs emitted by our product in the log pipeline. This will allow you to easily correlate device activity with specific individual for potential integrations with IDP and authentication services.

We at Kolide hope you are all having a safe, healthy, and joyful holiday season. As always, please reach out with suggestions and feedback. Many of the improvements here were generated from customers just like you!

Show Previous EntriesShow Previous Entries