AlienVault® USM Anywhere™

AlienVault Agent Deployment

To install the AlienVault Agent on your hosts, you generate an installation script in USM Anywhere that is specific to your USM Anywhere environment. When you run the installation script on the host system, the installed agent automatically registers with your USM Anywhere instance and configures the system to automatically collect data from the endpoint for threat detection. AT&T Cybersecurity recommends that the host system has a minimum of 4 GB memory and 2 CPU cores for the agent. See Windows, Linux, or macOS installation for operating system-specific requirements.

Note: When you first deploy new AlienVault Agents on your host systems, you should install just a few so that you can assess the events that are collected by the agent and the impact to your data consumption.

While there is no hard limit on the number of agents you can deploy, larger numbers of agents can eventually begin to impact the performance of USM Anywhere by transmitting more data than your pipeline can accommodate, causing latency in receiving and processing information.

Similarly, if your host system is consistently busy, such as a domain controller or an Active Directory (AD) server, deploying an agent on it may slow down its operations.

Note: AlienVault Agents do not currently support the use of a proxy server.

Agent Deployment Details

The Agents page (Data Sources > Agents) provides an overview of your deployed AlienVault Agents.

Click the displayed numbers to view a list of the items in the Assets page. If there are unassociated agents, this page displays an alert to help you resolve them. See Agent and Asset Associations for more information.

Figure: The Agents page, showing high-level information about deployed AlienVault Agents.

Subsequent Agent Deployments Through an Image

You can automate the agent installation on other machines by creating an image with the agent group install script. Using the image of the group install script, you need to configure a one-time scheduled task on the new machine to run the image the next time the machine boots. Any asset created from this image will have the agent installed with its own unique UUID.
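On a systemd-based Linux template, one way to get the run-once-at-next-boot behaviour described above is a oneshot unit guarded by a marker file. This is an added example, not AlienVault's or AT&T Cybersecurity's own procedure; the unit name, the paths, and the assumption that the generated group installation script has been saved to a file in the image are all hypothetical.

```shell
#!/bin/sh
# Added example; unit name and paths are hypothetical, not AlienVault's own.
# stage_firstboot PREFIX INSTALLER
#   PREFIX     "" when run as root in the template machine; a scratch dir for a dry run
#   INSTALLER  saved copy of the group installation script generated in USM Anywhere
stage_firstboot() {
    prefix=$1 installer=$2
    bin="$prefix/usr/local/sbin/agent-firstboot.sh"
    unit="$prefix/etc/systemd/system/agent-firstboot.service"
    state="$prefix/var/lib/agent-firstboot"
    mkdir -p "${bin%/*}" "${unit%/*}/multi-user.target.wants" "$state"

    # Wrapper: the template never runs the installer; each machine built from
    # the image runs it on its own first boot. A failed install leaves no
    # marker, so the next boot retries.
    cat > "$bin" <<EOF
#!/bin/sh
set -eu
if [ -e "$state/done" ]; then exit 0; fi
sh "$installer"
date -u +%Y-%m-%dT%H:%M:%SZ > "$state/done"
EOF
    chmod 0700 "$bin"   # executed as root at boot: owner-only

    cat > "$unit" <<EOF
[Unit]
Description=One-time agent installation on first boot
Wants=network-online.target
After=network-online.target
ConditionPathExists=!$state/done

[Service]
Type=oneshot
ExecStart=$bin

[Install]
WantedBy=multi-user.target
EOF
    chmod 0644 "$unit"
    # Same effect as "systemctl enable", without a running systemd.
    ln -sf ../agent-firstboot.service \
        "${unit%/*}/multi-user.target.wants/agent-firstboot.service"
}
```

Capture the image before the template reboots; otherwise the template itself performs the install on its next boot.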

Agent Data Collection

Each AlienVault Agent must be associated with an asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) in USM Anywhere to enable log collection, and that asset should match the host system where the agent is deployed. When this association is in place, detailed information is available in the Asset Details page. On this page, you can view the number of events (any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall) associated with the agent, as well as data consumption by the agent over a fixed period of time. See Viewing Assets Details for more information.

When the agent is registered and associated with an asset, the agent configuration profile determines the queries and intervals that USM Anywhere uses to collect logs from the host system.

The agent dashboard displays status information for all agents registered with your USM Anywhere environment, including an indication that an agent is currently sending data. See AlienVault Agent Dashboard for more information.