AlienVault® USM Anywhere™

AlienVault Agent Installation on Windows Hosts

Role Availability: Read-Only, Analyst, Manager

To install the AlienVault Agent, you must run a script that you access from your USM Anywhere environment. When you run the installation script on the Windows host system, the script downloads an .msi file directly from USM Anywhere and the agent automatically registers with your USM Anywhere environment. The installation process also configures a default set of folders, files, and registries to automatically support File Integrity Monitoring.

You can generate a script that is specific to a selected asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) and your USM Anywhere environment, or generate a bulk deployment script that you can use to install the agent on multiple Windows host systems.

Note: When you first deploy new AlienVault Agents on your host systems, you should install just a few so that you can assess the events that are collected by the agent and the impact to your data consumption.

While there is no hard limit on the number of agents you can deploy, larger numbers of agents can eventually begin to impact the performance of USM Anywhere by transmitting more data than your pipeline can accommodate, causing latency in receiving and processing information.

Note: AlienVault Agents do not currently support the use of a proxy server.

Prerequisites

Before you install the AlienVault Agent on a Windows host system, make sure that you have the following requirements in place for that system.

  • A 64-bit Windows host system running Windows 8.1 or later (client version) or Windows Server 2008 R2 or later (server version).

  • TLS 1.2 must be enabled on the host system.
  • PowerShell 3 or higher is installed on the host system.
  • You have login credentials for the host system with full administrator rights.
  • Firewall configuration to support resource downloads executed by the Agent installation script and ongoing event log transmission to USM Anywhere.

    • Your firewall is configured to allow temporary downloads to the host system using the HTTPS application protocol over port 443 to support resource downloads executed by the Agent installation script.

      download.sysinternals.com/files/Sysmon.zip

      www.alienvault.com/documentation/resources/downloads/sysmon_config_schema4_0.xml

      s3-us-west-2.amazonaws.com/prod-otxb-portal-osquery/repo/windows/alienvault-agent-1.0.msi

    • Your firewall is configured to allow ongoing outbound connectivity from the host system using the HTTPS application protocol over port 443 to these USM Anywhere endpoints:

      prod-api.agent.alienvault.cloud

      api.agent.alienvault.cloud

      <AWS region>-agent-entrypoint.alienvault.cloud

    • Important: For endpoints that rely on the AWS region, the endpoint to use will depend on the AWS region where your USM Anywhere instance is deployed. If you are unsure, consult your administrator who set up your USM Anywhere domain.

      Region                       Endpoint
      Asia Pacific (Tokyo)         ap-northeast-1-agent-entrypoint.alienvault.cloud
      Asia Pacific (Mumbai)        ap-south-1-agent-entrypoint.alienvault.cloud
      Asia Pacific (Sydney)        ap-southeast-2-agent-entrypoint.alienvault.cloud
      Canada (Central)             ca-central-1-agent-entrypoint.alienvault.cloud
      EU (Frankfurt)               eu-central-1-agent-entrypoint.alienvault.cloud
      EU (Ireland)                 eu-west-1-agent-entrypoint.alienvault.cloud
      EU (London)                  eu-west-2-agent-entrypoint.alienvault.cloud
      South America (São Paulo)    sa-east-1-agent-entrypoint.alienvault.cloud
      US East (N. Virginia)        us-east-1-agent-entrypoint.alienvault.cloud
      US West (Oregon)             us-west-2-agent-entrypoint.alienvault.cloud
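The following PowerShell script is an added example, not part of the AlienVault documentation or the generated deployment script: it checks the prerequisites listed above (64-bit OS, PowerShell 3 or higher, an elevated session, TLS 1.2 support, and outbound TCP 443 to the download sources and USM Anywhere endpoints) before you run the deployment script. It assumes you pass the AWS region of your USM Anywhere instance as $Region and that the host can resolve DNS; the TLS check covers .NET support in the current session, not SCHANNEL policy.

```powershell
# Added example (not AlienVault's own script): verifies the agent prerequisites
# listed in this document. $Region is the AWS region of your USM Anywhere instance
# (assumption: you know it, e.g. us-west-2); DNS resolution is assumed to work.
param(
    [Parameter(Mandatory = $true)][string]$Region   # e.g. us-west-2
)

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# 64-bit OS and PowerShell 3 or higher
Add-Check '64-bit Windows' ([Environment]::Is64BitOperatingSystem) ([Environment]::OSVersion.VersionString)
Add-Check 'PowerShell >= 3' ($PSVersionTable.PSVersion.Major -ge 3) $PSVersionTable.PSVersion

# Elevated session (the deployment script must run as Administrator)
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
Add-Check 'Running as Administrator' ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) ''

# TLS 1.2 available to .NET in this session (the HTTPS downloads require it)
$tls12 = [enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls12'
Add-Check 'TLS 1.2 supported by .NET' $tls12 ("Current: " + [Net.ServicePointManager]::SecurityProtocol)

# Outbound HTTPS (TCP 443) to the download sources and USM Anywhere endpoints
$endpoints = @(
    'download.sysinternals.com',
    'www.alienvault.com',
    's3-us-west-2.amazonaws.com',
    'prod-api.agent.alienvault.cloud',
    'api.agent.alienvault.cloud',
    "$Region-agent-entrypoint.alienvault.cloud"
)
foreach ($h in $endpoints) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # TcpClient also works on Server 2008 R2, where Test-NetConnection is unavailable
        $async = $client.BeginConnect($h, 443, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(5000) -and $client.Connected
        Add-Check "TCP 443 to $h" $ok $(if ($ok) { 'reachable' } else { 'blocked or timed out' })
    } catch {
        Add-Check "TCP 443 to $h" $false $_.Exception.Message
    } finally { $client.Close() }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) { exit 1 }
```

Save it as a .ps1 file and run it from an elevated PowerShell window; a non-zero exit code means at least one prerequisite failed and the deployment script is likely to fail at that step.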

Agent Installation on a Single Host System

For a Windows host system that is already identified as an asset in your USM Anywhere environment, you can install the agent using a generated PowerShell script to run on that Windows host system. You can generate this script for the specific asset from the Agents page or from the Asset Details page for the asset.

Note: If a single host system is not in your Asset inventory through discovery by a deployed USM Anywhere Sensor, you can manually add the asset using its IP address or FQDN. For more information, see Adding Assets.

Alternatively, you can use a script for multiple assets and then use the information provided by the unassociated agent to create a new asset.

Important: Some antivirus software may block the osqueryd service and prevent it from starting. If your service is not starting because of antivirus software, you need to add the \Program Files\osquery\osqueryd\ path to your antivirus exclusions policy.
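As an added example (not from the AlienVault documentation), the following script checks whether the osqueryd service is running and, when it is not, adds the path from the note above to the antivirus exclusion list and retries the start. It assumes the Windows service name is osqueryd and that Windows Defender is the antivirus in use; for another product, add the same path to that product's exclusion policy instead.

```powershell
# Added example: service check plus Defender exclusion for the osquery path.
# Assumptions: service name 'osqueryd'; Windows Defender is the antivirus product.
$osqueryPath = Join-Path $env:ProgramFiles 'osquery\osqueryd'   # path named in the note above

$svc = Get-Service -Name 'osqueryd' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'osqueryd service not found; the agent does not appear to be installed.'
    return
}

if ($svc.Status -ne 'Running') {
    # Get-MpPreference returns nothing when Defender is not present on this host
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    if ($prefs -and ($prefs.ExclusionPath -notcontains $osqueryPath)) {
        Add-MpPreference -ExclusionPath $osqueryPath
        Write-Host "Added Windows Defender exclusion for $osqueryPath"
    }
    Start-Service -Name 'osqueryd'
    Start-Sleep -Seconds 5
}

# Report the final state so a failed start is visible
Get-Service -Name 'osqueryd' | Select-Object Name, Status
```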

Agent Installation on Multiple Host Systems

If you have multiple Windows host systems that are not currently in your USM Anywhere asset inventory or you don't want to generate a separate script for each asset, you can install the agent using a generated PowerShell script on any Windows host system that meets the prerequisite requirements. You can generate this script from the Agents page.

Note: If you use a multiple asset installation script to execute bulk deployment across multiple host systems, the script does not have the unique asset ID. In this case, USM Anywhere attempts to associate the agent with an existing asset if there is enough information and it can make a definitive match. After a successful deployment of the agent on a host, it sends only heartbeat events until it has an asset association. These heartbeat events include basic information about the host system, including network interfaces and IP address, as well as the asset UID.

When a deployed agent does not have an associated asset, you must make this association in USM Anywhere in order to enable queries and log collection for the host system. For more information, see Agent and Asset Associations.

To generate an agent deployment script for multiple host systems

  1. In USM Anywhere, go to Data Sources > Agents.
  2. Click Windows Deployment Script.

    In the dialog box, the Multiple Assets tab is selected by default.

  3. Click Copy to clipboard.

    Click Copy to clipboard to copy the generated PowerShell script

  4. Run the script on each Windows host system where you want to deploy the agent.

    • Use a remote access client to connect and log in to the Windows host system.
    • Use the Run as Administrator option to open the PowerShell window.
    • Run the copied script.

Additional Agent Commands

The Agent also comes with a PowerShell script to control other features of the agent, such as starting, stopping, restarting, updating, and uninstalling the Agent. For more information about the Agent command script, including the file location and a list of the commands, see The Agent Command Script documentation page.