LevelBlue Agent Deployment

To install the LevelBlue Agent on your hosts, generate an installation script in USM Anywhere that is specific to your USM Anywhere environment. When you run the installation script on the host system, the installed agent automatically registers with your USM Anywhere instance and configures the system to automatically collect data from the endpoint for threat detection. LevelBlue recommends that the host system has a minimum of 4 GB memory and 2 CPU cores for the agent. See Microsoft Windows, Linux, or Apple macOS installation for operating system (OS)-specific requirements.

The LevelBlue Agent uses osquery. Other endpoint security products may use osquery for similar tasks, perhaps with different paths or file locations. In theory, osquery running under a different process or service name should present no issues, but LevelBlue doesn't support installing a second agent that uses osquery. Additionally, it may be necessary to allowlist the service or process that the LevelBlue Agent uses in other endpoint security products so that the LevelBlue Agent can operate normally. The following table lists the osquery service and process used by the LevelBlue Agent and the LevelBlue Agent script.

osquery Service and Process Used by the LevelBlue Agent
USM Anywhere Component Platform osquery Service osquery Process
LevelBlue Agent Linux osqueryd osqueryd
  macOS osqueryd osqueryd
  Windows osqueryd osqueryd.exe
LevelBlue Agent Script Linux N/A osqueryi
  macOS N/A osqueryi
  Windows N/A osqueryi.exe

Agent Deployment Details

The Agents page (Data Sources > Agents) provides an overview of your deployed LevelBlue Agents.

Click the displayed numbers to view the agents in the Assets page (Environment > Assets). If there are unassociated agents, this page displays an alert to help you resolve them. See LevelBlue Agent and Asset Associations for more information.

Access the Agents page to review high-level information about deployed LevelBlue Agents