Device Properties
Device Properties allow you to view and report on additional properties about a device, such as installed software, settings, and other useful data.
What are Device Properties?
In addition to running checks, Kolide collects a number of useful data points about devices that can help both IT and security practitioners better understand the state of the device.
These properties are collected from the device via the Kolide agent approximately every two hours. Once collected, Kolide normalizes it and augments it with data from external sources. For example, Kolide reaches out to the CRXcavator service to obtain data for Google Chrome Extensions.
Available Properties
You can find a complete list of the device properties Kolide collects with detailed documentation and the schema associated with each property on the Kolide website.
The Kolide website provides complete documentation for each device property Kolide collects.
Each entry includes the following information:
- An overview explaining the property
- A detailed schema of the data collected by Kolide
- Rationale for collecting the data
- Example use-cases
- End-user privacy considerations
- Related device properties
An example of the documentation for Firefox Add-ons.
Viewing Properties
There are two ways to view Device Properties in Kolide:
For A Specific Device
To view the properties for a specific device, follow these steps:
Click the Devices menu item in the top-level navigation. Locate the device you want to modify and click it to view its details page.
In the navigation bar, click Properties.
Browse the list of properties and select the one you’d like to view by clicking on its card.
Once viewing a specific property, you can choose between viewing the data or the schema associated with the data.
Refreshing Data
Kolide collects most properties once every two hours when the device is online. To manually refresh data, simply click the Refresh Data button in the upper-right corner of the table.
Across All Devices
To view device properties across all devices, follow these steps:
- Click on Tools from the top navigation.
- Select Reporting DB.
- Browse the available properties in the sidebar and click one to scroll the page to that property’s documentation.
- Click Browse Table.
Querying Properties (Reporting)
About Reporting
In addition to viewing device properties, you can also query them using SQL through the Reporting feature.
Reporting provides raw access to the underlying data used to populate your Kolide account. This capability allows you to perform complex aggregations and joins across device properties that are not otherwise possible.
While this feature resembles Live Query, there are several important differences:
Unlike Live Query, data in Reporting is persistently available; you do not have to wait for a device to come online.
Data returned is the latest available but may be “stale” depending on the last time a device checked in, or when device property data was refreshed.
Reporting uses the PostgreSQL DB engine, unlike Live Query which uses SQLite.
Running a Query
When exploring device property data, there is often a button labeled Explore with SQL or Query Table to convert your current view into a query. Additionally, you can access the query composer by following these steps:
- Click on Tools from the top navigation.
- Select Reporting DB.
- Click the New Query button.
The query composer will open. From here, you can construct a query and run it.
Limiting Access
You can limit access to this feature both globally and per administrator by following the instructions in Using Kolide - Settings - Restrictions.