Documentation Center
AlienVault® USM Anywhere™

The AlienVault Agent

The AlienVault Agent is a lightweight endpoint agent based on osquery, the leading open-source operating system instrumentation framework for Windows and Linux. It enables endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities that are essential for complete and effective threat detection, response, and compliance.

This agent is simple and fast to install on Windows and Linux hosts and endpoints and has a small footprint. An installed Agent provides continuous endpoint security monitoring, allowing USM Anywhere to quickly detect threats on your essential assets without the time-consuming manual configuration and setup tasks required to implement and integrate a third-party tool.

The installed AlienVault Agent communicates over an encryptedCryptographic transformation of data into a form that conceals the data's original meaning to prevent it from being known or used. channel to send data directly to USM Anywhere and buffers data locally when the connection to USM Anywhere is unavailable. When a new Agent registers with your USM Anywhere environment, it checks for the latest AlienVault Agent version. From that point, USM Anywhere checks the agent daily to make sure it is running the latest version.

Important: At this time, AlienVault Agent support is limited to host systems running a 64-bit OS. Dependent libraries for 32-bit to support the AlienVault Agent are not currently available.

Agent Deployment

To install the AlienVault Agent on your Windows and Linux endpoints, you generate an installation script in USM Anywhere that is specific to your USM Anywhere environment. When you run the installation script on the host system, the installed agent automatically registers with your USM Anywhere instance and configures the system to automatically collect data from the endpoint for threat detection.

Note: When you first deploy new AlienVault Agents on your host systems, you should install just a few so that you can assess the events that are collected by the agent and the impact to your data consumption.

The Agents page (DATA SOURCES > AGENTS) provides an overview of your deployed AlienVault Agents.

Access the Agents page to review high-level information about deployed AlienVault Agents

Click the displayed numbers to view a list of the items in the Assets page. If there are unassociated agents, this page displays an alert to help you resolve them. For more information, see Agent and Asset Associations.

Agent Data Collection

Each AlienVault Agent must be associated with an assetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. in USM Anywhere to enable log collection, which should match the host system where it is deployed. When this association is in place, detailed information is available in the Asset Details. On this page, you can view the number of eventsAny traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall. associated with the agent, as well as data consumption by the agent over a fixed period of time. For more information, see Viewing Assets Details.

When the Agent is registered and associated with an asset, the Agent configuration profile determines the queries and intervals that USM Anywhere uses to collect logs from the host system.

The AlienVault Agent dashboard displays status information for all agents registered with your USM Anywhere environment, including an indication that an agent is currently sending data. For more information, see USM Anywhere Dashboards.