AlienVault® USM Anywhere™

Agent and Asset Associations

Role Availability Read-Only Analyst Manager

If you use a single assetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. installation script, the USM Anywhere asset unique identifier (UID) for the selected asset is incorporated into that script. During the installation process, the deployed AlienVault Agent registers with your USM Anywhere instance, makes the asset association, and updates the operating system (OS) name and network interface information on the asset.

However, if you use a multiple asset installation script to execute bulk deployment across multiple host systems, the script does not contain any UID. In this case, USM Anywhere attempts to associate the agent with an existing asset. The agent then attempts to make a definitive match by using either the Microsoft Azure virtual machine (VM) UIDs or Amazon Web Services (AWS) instance IDs; otherwise, it will attempt to pair based on other asset data fields including media access control (MAC) address, IP address, and hostname. Before installing the agent, AT&T Cybersecurity recommends that you perform a Running Asset Scans. This way, USM Anywhere will have identified the asset and, therefore, can automatically associate the asset with the agent, rather than having the agent create the association independently.

After a successful deployment of the agent on a host, it sends only heartbeat events until it is has an asset association. These heartbeat events include basic information about the host system, including network interfaces and IP address, as well as the asset UID.

The heartbeat events are important for monitoring Agent connectivity, therefore it is important that you do not create any filtering rules to remove these notifications. If you don't want to see heartbeat events, AT&T Cybersecurity recommends that you create a suppression rule instead.

When a deployed agent does not have an associated asset, you must make this association in USM Anywhere to enable queries and log collection for the host system. The Agents page displays an alert when there are one or more unassociated assets, and provides tools designed to help you associate these agents with assets. It provides a list of suggested assets for selection and an easy way to create a new asset using the information provided by the agent.

The Agents page displays an alert for unassociated agents

When you see this alert, click Associate agents with assets to open the Associate Agents With Assets page and complete the association.

Review the list of unassociated agents

Associate or Unassociate the Agent with an Existing Asset

If you believe that the asset for the host system exists in the USM Anywhere asset inventory or you are unsure, you can allow USM Anywhere to suggest one or more matching assets. If the suggested asset does not display a correct item, you can find the asset yourself and select it for the association.

Note: There is currently no way to remove the association between an agent and an asset. If you need to change an association, you must uninstall the agent on the host system, redeploy the agent, and then make the new association as needed.

To make an association to an existing asset

  1. In the row for the unassociated agent, click Associate Agent with Asset.

    The dialog box displays a list of one or more suggested asset matches if USM Anywhere is able to locate potential matches in the asset library.

  2. Select an asset for the agent.

    • If one of the suggested assets is correct, select the asset.
    • If the correct asset is not displayed or there are no suggested assets, enter part of the name or IP address of the asset in the Search field to display matching items and select the asset you want.

      Select an asset for the agent

      Or you can click the Browse Assets link to open the Select Asset dialog box and browse the asset list to make your selection.

      If you are unable to locate the correct asset and determine that is does not currently exist in the asset inventory, you can click the create a new asset link to generate a new asset for the agent.

  3. Click Save.

    A confirmation dialog box opens.

  4. If you want to display the Asset Details page for the associated asset, click View Asset.

    Otherwise, click Cancel to close the dialog box and return to the Associate Agents with Assets page.

To remove the link between an asset and an Agent

  1. Go to Data Sources > Agents.

    Main Agents page with the message for removing the link between an asset and an agent

  2. Click Unassociate assets.
  3. The link between the asset and the Agent is removed.

    When an asset is deleted, all of its associated agents automatically become unassociated.

Create New Assets for the Association

If the asset does not yet exist in the USM Anywhere asset inventory, you can automatically create an asset for one or more selected agents. When USM Anywhere creates a new asset for the agent, it uses the hostname value for the asset name. After creation, you can modify various asset details as needed. For more information, see Editing Assets.

To create new assets for unassigned agents

  1. For each of the listed agents where an asset does not already exist in the asset inventory, select the checkbox for that row.

    If you want to create new assets for all of the listed agents, you can select the checkbox at the top.

  2. At the top-right of the page, click the Create New Assets button.

    Create new assets for the selected agents

    A confirmation dialog box opens.

  3. Close the dialog box to return to the Associate Agents with Assets page.