OmniSight Docsv1.2.2

Console Guide

The OmniSight Console is the local web UI for monitoring agents, reviewing network events, managing users, checking entitlement/update state, and opening approved remote terminal sessions.


Access

ContextURL
Server Machttps://localhost:52443
LAN deviceshttps://<server-lan-ip>:52443

The installer prints the initial admin credentials once and stores them in /usr/local/omnisight/server/.admin_credentials.


Pages are gated by capability-based RBAC.

UI capabilityInternal permissionWhat it grants
dashboarddashboard:readDashboard and charts
agentsagents:readAgent list and details
agents_manageagents:manageAgent display-name updates and agent removal
agents_deployagents:deployAgent deployment workspace
agents_remote_terminalagents:remote_terminalRequest and close terminal sessions
agents_remote_approveagents:remote_approveApprove terminal sessions
agents_remote_connectagents:remote_connectReserved remote-connect capability
eventsevents:readEvents investigation
alertsalerts:readAlert queue, evidence, rules, and summary visibility
alerts_managealerts:manage plus alert-read inheritanceAlert evaluation, verdict, status, assignment, notes, rule toggles, suppression and maintenance-window management, and Alerts workspace access
audit_logsaudit:readAudit logs
users_manageusers:manageUsers, system status, storage retention, updates, support hub
notifications_managenotifications:manageEmail and webhook alert notification administration

Admin users have all capabilities. Analysts can manage alerts and review audit evidence. Viewers are read-oriented.

Reports reuse existing permissions instead of introducing a separate report capability. Summary preview requires dashboard; Events CSV export requires events; Alerts CSV export requires alerts.


Dashboard

The dashboard uses the refreshed operational layout from the current release line. It combines resilient REST polling with realtime nudge signals and visible freshness state. Current operator surfaces also include Dashboard Custom ranges, Charts All time, and the single healthy Live/cadence affordance shared across Dashboard, Agents, and Alerts.

It shows:

  • summary cards for active/effective online agents, latest events, hourly event volume, and open alerts
  • the existing real time-range selector
  • a freshness strip with last-updated time, manual Refresh, and live/reconnecting state
  • System Health for the local server and fleet
  • hourly event chart
  • top processes
  • top destinations
  • open alert pressure with critical, high, and unassigned counts when Alerts permission is available
  • web HTTP/S connection classifications when available
  • onboarding, entitlement, and update status cards when applicable

Agent status uses effective status. A stale raw online row becomes effectively offline once the heartbeat age crosses AGENT_OFFLINE_THRESHOLD_MINUTES.

Dashboard-only users can still load fleet-level dashboard metrics and charts. The Latest Events card shows a neutral no-permission state unless the user also has events.

System Health shows aggregate host metrics:

  • Local Server CPU, memory, disk, network throughput, and best-effort temperature
  • Fleet Health per-agent CPU, memory, and network throughput
  • live, stale, and unavailable states

Dashboard and Agents fleet views use throttled realtime nudges plus REST polling fallback, so one high-frequency diagnostic agent does not fan out unnecessary refreshes across the whole console. Agent Detail subscribes to the selected agent channel and refreshes metrics-only data at that agent's effective interval during diagnostic mode, while metadata and Recent Events stay on a normal cadence.

Network throughput is derived from cumulative byte counters, so the first sample, a counter reset, or a boot change may show an unavailable rate instead of a misleading value.

The dashboard privacy note is intentionally explicit: the page uses aggregate operational metadata only and does not show packet payloads, HTTP bodies, cookies, decrypted TLS contents, command lines, credentials, or secrets.


Agents

The Agents page shows enrolled endpoints.

Agent list fields:

  • Agent ID
  • Agent name
  • Hostname
  • OS
  • Last seen
  • Effective status
  • Health summary when system metrics are available

Agent detail includes:

  • hostname, OS, architecture, IP address
  • agent name
  • remote terminal support
  • remote desktop support flag
  • remote-control channel connection state
  • System Metrics panel with aggregate CPU, memory, disk, network throughput, and best-effort temperature
  • Metric Interval panel for fleet default inheritance, per-agent override, and time-limited diagnostic sampling when the user can manage agents
  • Protocol Metadata (DNS) panel for enabling per-agent DNS query metadata on Linux agents when the user can manage agents; the control is shown as Linux-only and stays inert on other platforms
  • recent events
  • terminal action controls when permitted and supported

DNS protocol metadata is off by default. When enabled on a Linux agent, dns_query events carry query name, query type, response code, and answer count. The agent derives this metadata in memory from bounded DNS traffic and discards raw bytes; packet payloads are never stored or transmitted.


Deploy Agent

The current console Deploy Agent workspace is macOS invite based.

For eligible split packages:

  1. Create a macOS invite.
  2. Choose architecture: auto or Apple Silicon for current customer packages.
  3. Download the public OmniSight Agent Installer app.
  4. Paste the invite URL into the app on the target Mac.
  5. Watch recent install sessions for claimed/started/succeeded/failed lifecycle events.

The normal path intentionally avoids browser downloads from https://<LAN-IP>:52443 because other devices may not trust the local CA. The invite manifest delivers CA trust to the agent runtime instead.

Legacy .command launcher:

  • hidden from the normal path
  • available only behind an explicit troubleshooting fallback control
  • intended for support/rollback cases

Combined Starter blocks Deploy Agent because that package installs the server and local agent together on one computer.


Remote Terminal

Remote terminal is available for packages that include it, currently all packages except base Starter combined.

Requirements:

  • REMOTE_ACCESS_ENABLED=true on the server
  • agent is effectively online
  • agent advertises remote_terminal_supported=true
  • remote-control websocket is connected
  • user has agents_remote_terminal
  • approval user has agents_remote_approve

Workflow:

  1. Open an agent detail page.
  2. Click Terminal.
  3. Enter an operational reason with at least 8 characters.
  4. Request and approve the session.
  5. The browser connects to the terminal websocket.
  6. Close the session from the UI when finished.

Linux safety behavior:

  • root-running Linux agents do not open root shells by default.
  • remote_terminal_user must be a non-root local account.
  • remote_terminal_user=root is rejected.

Remote desktop/RDP:

  • shown as planned/unsupported where surfaced
  • no desktop session routes exist in the current server
  • implementation is Phase 2

Events

The Events page is a command-driven search workspace for endpoint telemetry. It is designed to feel familiar to SIEM operators while staying limited to OmniSight's metadata-only event model.

Search controls:

  • query editor
  • time range picker
  • Run Search button
  • manual refresh
  • URL-backed query, time range, and page state

Default time range is Last 24 hours. Presets include 15m, 1h, 24h, 7d, 30d, All, and Custom. Searches run only after an operator command; the page does not continuously poll and mutate results in the background.

Supported physical fields:

  • id
  • agent_id
  • timestamp
  • event_type
  • direction
  • local_ip
  • local_port
  • remote_ip
  • remote_port
  • protocol
  • process_name
  • pid
  • domain
  • org

The left Fields panel shows populated field counts for the active query and time range. Expanding a field loads the most common values for that field in the current result set. Selecting a value adds or replaces the matching clause and runs the search.

Saved searches let operators preserve repeatable investigations. Users with events can create, apply, rename, and delete their own private searches. Users with alerts_manage can also create and manage shared searches that are visible to other operators.

Supported operators:

text=  !=  >  >=  <  <=

Comma-separated and space-separated clauses are treated as AND:

textevent_type="connection_close", remote_port=443
process_name="brave browser helper" direction="outbound"
timestamp>="15.06.2026"
remote_ip="18.97.*"

Useful aliases:

  • time maps to timestamp
  • agent matches agent UUID, name, or hostname context
  • local="IP:port" maps to local_ip and local_port
  • remote="IP:port" maps to remote_ip and remote_port

Common event types include connection_open, connection_seen, connection_close, dns_query, web_http_connection, and web_https_connection. Web HTTP/S events represent endpoint connection metadata, not decrypted browser requests or payloads. On Linux agents with Protocol Metadata enabled, dns_query events also include DNS query type, response code, and answer count metadata.

Results are displayed as an expandable event stream. Each collapsed row highlights timestamp, event type, direction, process, local endpoint, remote endpoint, protocol, domain, and organization when available. Expanding a row shows all event fields and the raw JSON payload.

OmniSight does not collect HTTP request bodies, response bodies, cookies, browser headers, decrypted TLS content, or packet payloads.


Alerts

The Alerts page turns endpoint telemetry and inventory findings into a dense SOC/admin triage queue.

Current built-in detections include:

  • cleartext HTTP traffic observed from endpoint web telemetry
  • high or critical CVE findings from software inventory matching

The alert workspace supports:

  • compact summary cards for open, critical, high, true-positive, and unassigned alerts
  • quick filters and full filters for triage and evaluation
  • two-column list/detail workflow for the active alert queue
  • a single healthy Live/cadence affordance shared with the rest of the console
  • Detection Rules panel for enabling/disabling built-in rules and creating/editing/deleting custom detection rules
  • reusable rule templates for common SIEM patterns such as DNS tunneling candidates, beaconing, exposed SSH, outbound remote access, cleartext HTTP CLI use, and high-volume HTTPS exfiltration candidates
  • side-effect-free rule preview before save
  • automatic MITRE ATT&CK tactic/technique mapping from rule metadata, with template and manual override modes
  • linked evidence table with event time, type, process, remote endpoint, and organization/domain context
  • status workflow: open, in_progress, closed
  • verdict workflow: true_positive, false_positive, benign, expected_activity, duplicate, insufficient_data
  • owner workflow: assign to me, assign to another eligible analyst/admin, or clear assignment
  • notes appended during status/verdict/assignment changes
  • 1-hour, 24-hour, and 7-day snooze controls for selected alerts
  • active and historical suppressions that pause matching alert updates or creation
  • global or rule-scoped maintenance windows for expected noisy periods, grouped below the primary triage surface
  • suppression deactivation from the same workspace when monitoring should resume

Suppression history distinguishes active, expired, and manually disabled rows. Read-only Alerts users can review history, while maintenance-window creation and suppression deactivation require alerts_manage.

The Alerts workspace keeps long evidence and context panels scroll-safe, and the bounded-metadata privacy note stays visible so operators know the UI does not expose packet payloads, HTTP bodies, headers, cookies, decrypted TLS contents, command lines, credentials, or secrets.

Assignment changes are recorded in audit metadata with previous and next owner IDs.


Charts

Charts use dashboard data and IP enrichment. Public IP enrichment is enabled by default, and private/internal addresses are skipped by default. Current release-line controls include All time and custom ranges where the page exposes them.

Views include:

  • hourly events
  • top processes
  • top destinations
  • geographic stats

Private IPs are skipped by enrichment by default.


Reports

The Reports page creates SOC-ready summaries and operator-controlled exports.

Current report types:

  • Daily: last 24 hours
  • Weekly: last 7 days
  • Custom: operator-selected start and end timestamps

Summary preview includes:

  • report time range
  • generated timestamp
  • event volume
  • alert totals by severity and status
  • top event types
  • top destinations

Export behavior:

  • Events CSV export preserves the active Events query and time range context.
  • Alerts CSV export supports status and severity filters.
  • Browser print / Save as PDF creates a print-ready report from the preview.
  • Schedules can be created, disabled, manually run, and deleted by administrators.
  • One-off email reports send the same aggregate SOC summary without creating a schedule.

RBAC behavior:

  • dashboard users can preview summaries.
  • events users can export Events CSV.
  • alerts users can export Alerts CSV.
  • users_manage users can manage schedules and send one-off report emails.

Exports are bounded and audit-backed. CSV cells are hardened against spreadsheet formula injection. Email delivery uses OmniSight Cloud Relay and sends aggregate SOC summary metrics only; raw event rows, CSV attachments, report bodies, delivery credentials, tokens, database contents, and secrets are not sent through the relay.


Notifications

The Notifications page uses notifications_manage for email and webhook alert delivery administration.

Current controls include:

  • recipient management and delivery settings for email alert notifications
  • webhook endpoint management for bounded alert metadata delivery
  • test-send, delivery history, quiet hours, cooldown/deduplication, and daily limits

Notifications and webhooks send bounded alert metadata only. They do not include raw events, packet payloads, HTTP bodies, headers, cookies, decrypted TLS contents, command lines, endpoint files, credentials, tokens, environment values, or secrets.


Vulnerabilities

The Vulnerabilities page combines endpoint software inventory with vulnerability intelligence matching through managed OmniSight services.

Views include:

  • vulnerability summary by severity
  • matched CVEs for installed software
  • software inventory by endpoint
  • scan-first CVE rows with stable CVE ID, severity, CVSS, and software columns
  • CVE metadata including severity, CVSS score, published date, and affected package/version context when available
  • a Details action that opens full raw NVD JSON for the selected CVE

The table keeps descriptions as previews for scanability; use Details -> View when an analyst needs the full NVD record. The agent reports software inventory metadata. OmniSight does not upload files, inspect application contents, or capture endpoint payloads for vulnerability matching.


Storage & Retention

Users with users_manage can review and maintain managed local storage from the dedicated Storage & Retention sidebar page.

The Storage & Retention page shows:

  • database size
  • WAL size
  • server log size
  • agent log size
  • native update rollback backup size
  • managed total
  • free disk
  • retention settings for events, audit rows, request audit rows, logs, and update backups
  • inline explanations for each usage metric

Manual cleanup can prune old retention-bound rows, rotate/gzip logs, checkpoint SQLite WAL, and prune eligible native update rollback backups. The newest configured update backups are retained for rollback safety. Cleanup shows running, completed, failed, skipped, or interrupted state and polls while a run is active so the UI does not stay stale.

The compact database action runs SQLite compaction only after a free-space safety preflight. It is skipped with a bounded reason when the preflight does not pass.

Storage maintenance reports bounded counts and sizes only. It does not expose file contents, log contents, database rows, certificates, environment values, or secrets.


Support

Users with users_manage can open the Support page from the sidebar.

The Support hub provides:

  • Resource Hub links to documentation and guides
  • local deployment status, including version, runtime mode, and disk used/total
  • a copy-safe Support Context panel with bounded, non-secret deployment metadata for email support
  • Open Ticket and email actions targeting info@omnisight.info

The copied support context includes only bounded values such as version, runtime mode, and aggregate disk/storage sizes. It excludes logs, payloads, headers, tokens, secrets, environment values, database contents, and protected files.


Audit Logs

Audit logs record authentication, administrative changes, enrollment, install sessions, update apply, entitlement refreshes, and remote terminal lifecycle. Routine internal HTTP request traces are not shown here.

Important alert actions:

  • alert.evaluation.run
  • alert.rule.updated
  • alert.updated

Important remote terminal actions:

  • remote_access.session.requested
  • remote_access.session.approved
  • remote_access.session.started
  • remote_access.session.closed
  • remote_access.session.kill_requested

Important agent/install actions:

  • agent.deploy_token.generated
  • agent.deploy_token.denied
  • agent.install_session.created
  • agent.install_session.revoked
  • agent.enrollment.success
  • agent.enrollment.denied
  • agent.updated
  • agent.deleted

Audit entries include timestamp, actor, action, resource, status, IP address, and details.


Users

Users with users_manage can:

  • create users
  • assign capabilities
  • delete users
  • update permissions

The permission editor exposes every current OmniSight capability, including agent management and remote-control capabilities. Permission badges use readable labels instead of raw capability IDs.

Generated passwords are shown once. Password changes invalidate the changed user's active sessions and refresh tokens.

The first installed admin is the root administrator and cannot be removed by other users.


System Status

Administrators can inspect:

  • entitlement status
  • runtime capabilities
  • update status
  • onboarding status
  • available update artifacts
  • available agent artifacts

The server caches signed entitlement leases locally. A manual entitlement refresh is available when billing state or network connectivity has just changed.


macOS Menu Bar App

The macOS menu bar app launches with native installs.

Current behavior:

  • polls the local authenticated /api/system/menubar-status endpoint when configured
  • falls back to local compatibility reads only for legacy config compatibility
  • refreshes approximately every 10 seconds
  • shows server/fleet status and quick links

This API-first approach supports the current system LaunchDaemon service model while keeping user-visible status and update approval in the macOS session.