AlienVault Agent Configuration Profiles

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes out-of-the-box AlienVault Agent configuration profiles to manage the queries that it runs for an asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. associated with a deployed agent. For each configuration profile, you can view the list of queries, a description of the collected logs, and the query frequency. Depending on your needs, you can change the default configuration profile so that you collect the log data and generate the events Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall. for the newly deployed agents.

USM Anywhere provides two configuration profiles for each of the agent deployment types: optimized and full. There are both preferable and less-than-preferable data security and data consumption reasons for choosing either configuration profile. Use the following information to help you determine which configuration profile works best for your setup.

  • Full: The full (verbose) profile collects and stores all Linux log events, including syslog events, new process events, and outbound socket events.

    Using this profile could have a significant impact on your data consumption. See Subscription Management for more information about how USM Anywhere manages data consumption and storage.

  • Optimized: The optimized profile reduces data consumption by modifying the Windows Events query to retrieve only the event types that impact threat detection.

    • Collects Sysmon Windows Event Log and correlates for threat detection purposes, but stores them only when they are associated with an alarm.

    For a list of the log collection paths monitored by this profile, go to Data Sources > Agents > Configuration Profiles and click the Optimized profile for Windows, and then click the Log Collection tab to display the full list of paths.

    • Note: The optimized configuration profile monitors files in a specific set of locations. Because the locations of the monitored files are limited, the optimized profile cannot guarantee that the AlienVault Agent is tracking all user interaction with secured files. This means that the optimized agent profile on its own doesn’t satisfy PCI DSS Requirement 10.

  • Full: The full (verbose) profile collects and stores most Windows event types, ignoring a few events that provide little value as determined by the AT&T Alien Labs™ team.

    For a list of the log collection paths monitored by this profile, go to Data Sources > Agents > Configuration Profiles and click the Full profile for Windows, then click the Log Collection tab to display the full list of paths.

    Using this profile could have a significant impact on your data consumption. See Subscription Management for more information about how USM Anywhere manages data consumption and storage.

  • Optimized: The optimized profile reduces data consumption by filtering certain events that are not correlated with alarms.

    • Note: The optimized configuration profile monitors files in a specific set of locations. Because the locations of the monitored files are limited, the optimized profile cannot guarantee that the AlienVault Agent is tracking all user interaction with secured files. This means that the optimized agent profile on its own doesn’t satisfy PCI DSS Requirement 10.

  • Full: The profile collects and stores all macOS events.

    Using this profile could have a significant impact on your data consumption. See Subscription Management for more information about how USM Anywhere manages data consumption and storage.

In the Configuration Profiles view, you can click the individual profile name to display the queries executed by the agent and their frequencies. If you are looking for a specific type of log, enter text in the search field and click the search icon () to filter the query list. If you want to see the specific file paths included in the profile's file integrity monitoring (FIM), click the File Integrity tab to display these paths by category.

Note: Currently, the Windows FIM paths are as follows:

C:\Windows\System32\drivers\etc\hosts

C:\autoexec.bat

C:\config.sys

C:\boot.ini

More Windows FIM paths will be added in future updates.

To display the agent configuration profiles

  1. Go to Data Sources > Agents.
  2. Click Configuration Profiles.

  3. Review and select the configuration profile you want to use by default.

    Important: The Experimental Profiles are temporary and internal. Do not use them unless you have instructions from the AlienVault Technical Support department.

Assign AlienVault Agent Configuration Profiles to Assets

You can assign a specific AlienVault Agent configuration profile to an asset, and you can do it from the assets list page or asset details page.

To assign an agent profile using the actions list

  1. Go to Environment > Assets.
  2. Select the asset and click Actions > Assign Agent Profile.

  3. Choose the agent profile you want to assign to the selected asset.

    Configure Assets dialog box

    4. USM Anywhere displays an informative message if assets exist but do not have agents deployed.

  4. Click Save.

To assign an agent profile from the asset details page

  1. Go to Environment > Assets.
  2. Locate the asset and click the icon next to name of the asset you want to assign the specific agent configuration profile, and then select Full Details.
  3. Click Agent.

  4. Click the Configuration Profile combo and select the profile you want to assign.

    Details of an asset

To assign an agent profile from the Configure Asset dialog box

  1. Go to Environment > Assets.
  2. locate the asset, click the icon next to the name of the asset you want to assign the specific agent configuration profile, and select Configure Asset.

    3. Important: The Agent Profile field displays if the agent is connected and if the user has the role Manager.

  3. Choose the agent profile you want to assign to the selected asset.

    Configure Assets dialog box

    4. USM Anywhere displays an informative message if assets exist but do not have agents deployed.

  4. Click Save.

Assign AlienVault Agent Configuration Profiles to Asset Groups

To assign an AlienVault Agent configuration profile to an asset group

  1. Go to Environment > Asset Groups.
  2. Next to the asset group that you want to assign the profile, click the icon and select Full Details.
  3. Select Actions > Assign Agent Profile.

  4. Choose the agent profile you want to assign to the selected asset group.

    Configure Asset Group Members popup window

  5. Click Save.