LevelBlue Agent and Asset Associations

Role Availability Read-Only Investigator Analyst Manager

If you use a single asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. installation script, the USM Anywhere universally unique identifier (UUID) for the selected asset is incorporated into that script. During the installation process, the deployed LevelBlue Agent registers with your USM Anywhere instance, makes the asset association, and updates the operating system (OS) name and network interface information on the asset.

If you use a multiple asset installation script to execute bulk deployment across multiple host systems, the resulting installation will create a random UUID for the agent installation (see LevelBlue Agent IDs for more information on UUIDs). For Linux hosts, USM Anywhere attempts to associate the agent with an existing asset based on Amazon Elastic Compute Cloud (EC2) instance metadata gathered from the endpoint. Before installing the agent on a Linux host, LevelBlue recommends that you perform an asset scan. This way, USM Anywhere will have identified the asset and can automatically associate the asset with the agent.

Important: For Linux agents not running on EC2 instances, or any Microsoft Windows or Apple macOS agents, the agent must be associated to an existing or new asset through the Associate Agents With Assets page before you use the multiple asset installation script.

After successfully deploying the agent on a host, the agent sends heartbeat events every 10 minutes until an asset is associated. These heartbeat events include basic information about the host system, including network interfaces and IP address as well as the asset ID if one is available.

Note: The heartbeat events are important for monitoring LevelBlue Agent connectivity. It is important that you do not create any filtering rules to remove these notifications. If you don't want to see heartbeat events, LevelBlue recommends that you create a suppression rule instead.

Important: An agent is considered offline if it has not reported at least one heartbeat in the last 12 hours.

You cannot enable queries and log collection for the host system until a deployed agent has an associated asset in USM Anywhere. If an agent has not received an association automatically, you must make one manually. The Agents page (Data Sources > Agents) displays an alert when there are one or more unassociated assets, and provides tools designed to help you associate these agents with assets. It provides a list of suggested assets for selection and an easy way to create a new asset using the information provided by the agent.

The Agents page displays an alert for unassociated agents

When you see this alert, click Associate Agents with Assets to open the Associate Agents With Assets page and complete the association.

Review the list of unassociated agents

Note: Unassociated agents will disappear from the Agents page if they have not been associated with an asset for five consecutive days.

Associate or Unassociate the LevelBlue Agent with an Existing Asset

To associate an agent with an existing asset, you can allow USM Anywhere to suggest a matching asset. If the suggested asset is incorrect, manually search and select the correct existing asset to associate it with the agent.

Important: There is currently no way to remove the association between an LevelBlue Agent and an asset. If you need to change an association, you must uninstall the agent on the host system, redeploy the agent, and then make the new association as needed.

To make an association to an existing asset

  1. In the row for the unassociated agent, click Associate Agent with Asset.

    The dialog box displays a list of one or more suggested asset matches if USM Anywhere is able to locate potential matches in the asset library.

  2. Select an asset for the agent:

    • If one of the suggested assets is correct, select the asset.

    • If the correct asset is not displayed or there are no suggested assets, enter part of the name or IP address of the asset in the Search field to display matching items and select the asset you want.

      Select an asset for the agent

    • You can also click Browse Assets to open the Select Asset dialog box and browse the asset list to make your selection.

      If you are unable to locate the correct asset and determine that it does not currently exist in the asset inventory, click Create a New Asset to generate a new asset for the agent.

  3. Click Save.

    A confirmation dialog box opens.

  4. If you want to view the Asset Details page for the associated asset, click View Asset.

    Otherwise, click Cancel to close the dialog box and return to the Associate Agents with Assets page.

To remove the link between an asset and an agent

  1. Go to Data Sources > Agents.

    Main Agents page with the message for removing the link between an asset and an agent

  2. Click Unassociate Assets.

    3. The link between the asset and the agent is removed.

    Note: When an asset is deleted, all of its associated LevelBlue Agents automatically become unassociated.

Create New Assets for the Association

You can automatically create an asset for one or more selected LevelBlue Agents if an asset for that agent does not already exist in the asset inventory. When USM Anywhere creates a new asset for the agent, it uses the hostname value for the asset name. After creation, you can modify various asset details as needed. See Editing Assets for more information.

To create new assets for unassigned agents

  1. Select the checkbox in the row for each agent where an asset does not already exist in the asset inventory.

    Select the checkbox at the top if you want to create new assets for all of the listed agents.

  2. At the upper right of the page, click Create New Assets.

    Create new assets for the selected agents

    A confirmation dialog box opens.

  3. Close the dialog box to return to the Associate Agents with Assets page.