AlienVault® USM Anywhere™

Agent and Asset Associations

Role Availability Read-Only Analyst Manager

If you use a single assetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. installation script, the USM Anywhere asset Unique Identifier (UID) for the selected asset is incorporated into that script. During the installation process, the deployed AlienVault Agent registers with your USM Anywhere instance and makes the asset association.

However, if you use a multiple asset installation script to execute bulk deployment across multiple host systems, the script does not have the UID. In this case, USM Anywhere attempts to associate the agent with an existing asset if there is enough information and it can make a definitive match. After a successful deployment of the agent on a host, it sends only heartbeat events until it is has an asset association. These heartbeat events include basic information about the host system, including network interfaces and IP address, as well as the asset UID.

The heartbeat events are important for monitoring Agent connectivity, therefore it is important that you do not create any filtering rules to remove these notifications. If you don't want to see heartbeat events, it is recommended that you create a suppression rule instead.

When a deployed agent does not have an associated asset, you must make this association in USM Anywhere to enable queries and log collection for the host system. The Agents page displays an alert when there are one or more unassociated assets and provides tools designed to help you associate these agents with assets. It provides a list of suggested assets for selection and an easy way to create a new asset using the information provided by the agent.

The Agents page displays an alert for unassociated agents

When you see this alert, click Associate agents with assets to open the Associate Agents With Assets page and complete the association.

Review the list of unassociated agents

Associate the Agent with an Existing Asset

If you believe that the asset for the host system exists in the USM Anywhere asset inventory or you are unsure, you can allow USM Anywhere to suggest one or more matching assets. If the suggested asset does not display a correct item, you can find the asset yourself and select it for the association.

Note: There is currently no way to remove the association between an agent and an asset. If you need to change an association, you must uninstall the agent on the host system, redeploy the agent, and then make the new association as needed.

To make an association to an existing asset

  1. In the row for the unassociated agent, click Associate Agent with Asset.

    The dialog box displays a list of one or more suggested asset matches, if USM Anywhere is able to locate potential matches in the asset library.

  2. Select an asset for the agent.

    • If one of the suggested assets is correct, select the asset.
    • If the correct asset is not displayed or there are no suggested assets, enter part of the name or IP address of the asset in the Search box to display matching items and select the asset you want.

      Select an asset for the agent

      Or you can click the Browse Assets link to open the Select Asset dialog box and browse the asset list to make your selection.

    Note: If you are unable to locate the correct asset and determine that is does not currently exist in the asset inventory, you can click the create a new asset link to generate a new asset for the agent.

  3. Click Save.

    A confirmation dialog box opens.

  4. If you want to display the Asset Details page for the associated asset, click View Asset.

    Otherwise, click Cancel to close the dialog box and return to the Associate Agents with Assets page.

Create New Assets for the Association

If the asset does not yet exist in the USM Anywhere asset inventory, you can automatically create an asset for one or more selected agents. When USM Anywhere creates a new asset for the agent, it uses the Hostname value for the asset name. After creation, you can modify various asset details as needed. For more information, see Editing Assets.

To create new assets for unassigned agents

  1. For each of the listed agents where an asset does not already exist in the asset inventory, select the checkbox for that row.

    If you want to create new assets for all of the listed agents, you can select the checkbox at the top.

  2. At the top-right of the page, click the Create New Assets button.

    Create new assets for the selected agents

    A confirmation dialog box opens.

  3. Close the dialog box to return to the Associate Agents with Assets page.

Installation Error Resolution

Once an agent is installed, the Asset UID associations are stored in the osquery.flags file in your system. Asset changes, specifically changes that result in an asset being removed and added back to USM Anywhere, can cause issues with the way an agent associates with those assets in the future if you need to reinstall the agent for any reason.

If you encounter an error during installation of an agent, you need to remove the osquery directory before you reinstall the agent. The method to delete the directory depends on the operating system:

  • Windows: Delete the C:\Program Files\osquery folder.
  • macOS: Delete the /var/osquery folder.
  • Linux: Enter either apt-get purge alienvault-agent or yum remove alienvault-agent in the command line, and then reinstall the agent.