AlienVault® USM Anywhere™

AlienVault Agent Configuration Profiles

Role Availability Read-Only Analyst Manager

USM Anywhere includes out-of-the-box AlienVault Agent configuration profiles to manage the queries that it runs for an asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) associated with a deployed agent. For each configuration profile, you can view the list of queries, a description of the collected logs, and the query frequency. Depending on your needs, you can change the default configuration profile so that you collect the log data and generate the events (any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall) for the newly deployed agents.

USM Anywhere provides two configuration profiles for each of the agent deployment types: optimized and full. Each profile has advantages and drawbacks in terms of data security and data consumption. Use the following information to help you determine which configuration profile works best for your setup.

In the Configuration Profiles view, you can click the individual profile name to display detailed information about the queries and the collected log information included for a profile. If you are looking for a specific type of log information, enter text in the search field and click the search icon to filter the query list. If you want to see the specific file paths included in the profile's file integrity monitoring (FIM), click the File Integrity tab to display these paths by category.

Note: Currently, the Windows FIM paths are as follows:

C:\Windows\System32\drivers\etc\hosts

C:\autoexec.bat

C:\config.sys

C:\boot.ini

More Windows FIM paths will be added in future updates.
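To see what monitoring this path list amounts to on a particular host, the following added example (not AlienVault code, and not a description of how the agent implements FIM) records which of the listed files exist, hashes them, and compares two snapshots. The names `WINDOWS_FIM_PATHS`, `snapshot` and `diff` are assumptions made for this illustration.

```python
import hashlib
from pathlib import Path

# Windows FIM paths exactly as listed in the note above.
WINDOWS_FIM_PATHS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\autoexec.bat",
    r"C:\config.sys",
    r"C:\boot.ini",
]


def snapshot(paths=WINDOWS_FIM_PATHS):
    """Map each path to its SHA-256 hex digest, or None if absent or unreadable."""
    result = {}
    for p in paths:
        try:
            result[str(p)] = hashlib.sha256(Path(p).read_bytes()).hexdigest()
        except OSError:  # missing file, permission denied, path is a directory
            result[str(p)] = None
    return result


def diff(baseline, current):
    """Return {path: 'created' | 'deleted' | 'modified'} for paths that changed."""
    changes = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        if old is None:
            changes[path] = "created"
        elif new is None:
            changes[path] = "deleted"
        else:
            changes[path] = "modified"
    return changes


if __name__ == "__main__":
    # Print one line per listed path: digest (or 'absent') and the path.
    for path, digest in snapshot().items():
        print(f"{digest or 'absent':<64}  {path}")
```

A path that reports as absent contributes no change events until it is created, so the snapshot also shows how many of the listed files a given host actually has.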

To display the agent configuration profiles

  1. Go to Data Sources > Agents.
  2. Click Configuration Profiles.
  3. Review and select the configuration profile you want to use by default.

    Important: The Experimental Profiles are temporary and internal. Do not use them unless you have instructions from the AlienVault Technical Support department.

Assign AlienVault Agent Configuration Profiles to Assets

To assign a specific AlienVault Agent configuration profile to an asset from the Assets list view

  1. Go to Environment > Assets.
  2. Search for the asset and select Actions > Assign Agent Profile.
  3. Choose the agent profile you want to assign to the selected asset.

    Configure Assets popup window

  4. USM Anywhere displays an informative message if assets exist that do not have agents deployed.

  5. Click Save.

To assign a specific agent configuration profile to an asset from the details of an asset

  1. Go to Environment > Assets.
  2. Search for the asset, click the icon next to the name of the asset to which you want to assign the agent configuration profile, and select Full Details.
  3. Click Agent.
  4. Click the Configuration Profile combo and select the profile you want to assign.

    Details of an asset

Assign AlienVault Agent Configuration Profiles to Asset Groups

To assign an AlienVault Agent configuration profile to an asset group

  1. Go to Environment > Asset Groups.
  2. Next to the asset group to which you want to assign the profile, click the icon and select Full Details.
  3. Select Actions > Assign Agent Profile.
  4. Choose the agent profile you want to assign to the selected asset group.

    Configure Asset Group Members popup window

  5. Click Save.