LevelBlue Agent Configuration Profiles

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes out-of-the-box LevelBlue Agent configuration profiles to manage the queries that it runs for an asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) associated with a deployed agent. For each configuration profile, you can view the list of queries, a description of the collected logs, and the query frequency. Depending on your needs, you can change the default configuration profile so that you collect the log data and generate the events (any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall) for the newly deployed agents.

USM Anywhere provides two configuration profiles for each of the agent deployment types: optimized and full. Each profile has data security and data consumption advantages and disadvantages. Use the following information to help you determine which configuration profile works best for your setup.

In the Configuration Profiles view, you can click the individual profile name to display the queries executed by the agent and their frequencies. If you are looking for a specific type of log, enter text in the Search field, and then click the icon to filter the query list.

Note: An agent event named "Outbound Connections" indicates that the agent found an open socket with an external IP address. LevelBlue recommends that you check the firewall logs to find matching events that can help clarify the communication process.
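The firewall check recommended in the note above can be scripted. The following is an added example, not LevelBlue code: it matches one "Outbound Connections" event against firewall log lines by source, destination, and port within a time window. The event field names, the key=value log format, and all sample values are constructed assumptions, not the USM Anywhere event schema.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample data: field names and log format are hypothetical, not the
# USM Anywhere event schema or any vendor's firewall log format.
AGENT_EVENT = {"event_name": "Outbound Connections",
               "timestamp": "2024-05-14T10:32:07+00:00",
               "source_ip": "10.0.4.21",
               "destination_ip": "203.0.113.45", "destination_port": 443}

FIREWALL_LOG = """\
time=2024-05-14T10:31:58+00:00 action=allow src=10.0.4.21 dst=203.0.113.45 dport=443 proto=tcp
time=2024-05-14T10:32:03+00:00 action=allow src=10.0.4.33 dst=203.0.113.45 dport=443 proto=tcp
time=2024-05-14T10:32:05+00:00 action=deny src=10.0.4.21 dst=198.51.100.7 dport=8443 proto=tcp
time=2024-05-14T10:52:40+00:00 action=allow src=10.0.4.21 dst=203.0.113.45 dport=443 proto=tcp
not a parsable line
"""

def parse_firewall_line(line):
    """Parse one key=value line; return None if a required field is missing or invalid."""
    fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
    try:
        return {"time": datetime.fromisoformat(fields["time"]),
                "action": fields["action"],
                "src": ipaddress.ip_address(fields["src"]),
                "dst": ipaddress.ip_address(fields["dst"]),
                "dport": int(fields["dport"])}
    except (KeyError, ValueError):
        return None

def matching_firewall_events(event, log_text, window_seconds=300):
    """Return firewall records with the event's src, dst and port inside the time window."""
    when = datetime.fromisoformat(event["timestamp"])
    key = (ipaddress.ip_address(event["source_ip"]),
           ipaddress.ip_address(event["destination_ip"]),
           event["destination_port"])
    matches = []
    for line in log_text.splitlines():
        rec = parse_firewall_line(line)
        # Skip unparsable lines and flows that belong to another host or destination.
        if rec is None or (rec["src"], rec["dst"], rec["dport"]) != key:
            continue
        if abs(rec["time"] - when) <= timedelta(seconds=window_seconds):
            matches.append(rec)
    return matches

if __name__ == "__main__":
    for rec in matching_firewall_events(AGENT_EVENT, FIREWALL_LOG):
        print(rec["time"].isoformat(), rec["action"], rec["src"], "->", rec["dst"], rec["dport"])
```

An agent event with no matching firewall entry is itself worth following up, because it can mean the traffic left by a path the firewall does not log.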

If you want to see the specific file paths included in the profile's file integrity monitoring (FIM), click the File Integrity tab to display these paths by category.

Note: Currently, the Windows FIM paths are as follows:

C:\Windows\System32\drivers\etc\hosts

C:\autoexec.bat

C:\config.sys

C:\boot.ini

More Windows FIM paths will be added in future updates.

To display the agent configuration profiles

  1. Go to Data Sources > Agents.
  2. Click Configuration Profiles.
  3. Review and select the configuration profile you want to use by default.

    Important: The Experimental Profiles are temporary and internal. Do not use them unless you have instructions from the LevelBlue Technical Support department.

Assign LevelBlue Agent Configuration Profiles to Assets

You can assign a specific LevelBlue Agent configuration profile to an asset from the assets list page or asset details page.

To assign an agent profile using the actions list

  1. Go to Environment > Assets.
  2. Select the asset, and then click Actions > Assign Agent Profile.
  3. Select the agent profile you want to assign to the selected asset.

  4. USM Anywhere displays an informative message if assets exist but do not have agents deployed.

  5. Click Save.

To assign an agent profile from the Asset Details page

  1. Go to Environment > Assets.
  2. Locate the asset to which you want to assign the specific agent configuration profile, click the icon next to the name of the asset, and then select Full Details.
  3. Click Agent.
  4. Click the Configuration Profile drop-down menu, and then select the profile you want to assign.

To assign an agent profile from the Configure Asset dialog box

  1. Go to Environment > Assets.
  2. Locate the asset to which you want to assign the specific agent configuration profile, click the icon next to the name of the asset, and then select Configure Asset.
  3. Important: The Agent Profile field displays if the agent is connected and the user has the role of Manager.

  4. Choose the agent profile you want to assign to the selected asset.

  5. USM Anywhere displays an informative message if assets exist but do not have agents deployed.

  6. Click Save.

Assign LevelBlue Agent Configuration Profiles to Asset Groups

To assign a LevelBlue Agent configuration profile to an asset group

  1. Go to Environment > Asset Groups.
  2. Next to the asset group to which you want to assign the profile, click the icon, and then select Full Details.
  3. Select Actions > Assign Agent Profile.
  4. Choose the agent profile you want to assign to the selected asset group.

  5. Click Save.