AlienVault® USM Anywhere™

The AlienVault Agent

The AlienVault Agent is a lightweight endpoint agent based on osquery, the leading open-source operating system instrumentation framework for Windows, macOS, and Linux. It enables endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities that are essential for complete and effective threat detection, response, and compliance.

This agent is easy to install on your host and endpoints, and has a small footprint. An installed Agent provides continuous endpoint security monitoring, allowing USM Anywhere to quickly detect threats on your essential assets without the time-consuming manual configuration and setup tasks required to implement and integrate a third-party tool.

The installed AlienVault Agent communicates over an encryptedCryptographic transformation of data into a form that conceals the data's original meaning to prevent it from being known or used. channel to send data directly to the USM Anywhere service, bypassing the USM Anywhere Sensor, and buffers data locally when the connection to USM Anywhere is unavailable. When a new agent is registered with your USM Anywhere service, the system checks the AlienVault Agent version. Subsequent updates after the initial install are performed manually through The Agent Command Script. To find out more about the most recent Agent versions, see the AlienVault Agent updates on the Product Announcements page.

Agent Deployment

To install the AlienVault Agent on your Windows, Linux, or AlienVault Agent Installation on macOS Hosts endpoints, you generate an installation script in USM Anywhere that is specific to your USM Anywhere environment. When you run the installation script on the host system, the installed agent automatically registers with your USM Anywhere instance and configures the system to automatically collect data from the endpoint for threat detection. AlienVault recommends the host system has a minimum of 4GB memory and two CPU cores for the Agent.

Note: When you first deploy new AlienVault Agents on your host systems, you should install just a few so that you can assess the events that are collected by the agent and the impact to your data consumption.

While there is no hard limit on the number of agents you can deploy, larger numbers of agents can eventually begin to impact the performance of USM Anywhere by transmitting more data than your pipeline can accommodate, causing latency in receiving and processing information.

Note: AlienVault Agents do not currently support the use of a proxy server.

The Agents page (Data Sources > Agents) provides an overview of your deployed AlienVault Agents.

Access the Agents page to review high-level information about deployed AlienVault Agents

Click the displayed numbers to view a list of the items in the Assets page. If there are unassociated agents, this page displays an alert to help you resolve them. For more information, see Agent and Asset Associations.

Agent Data Collection

Each AlienVault Agent must be associated with an assetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. in USM Anywhere to enable log collection, which should match the host system where it is deployed. When this association is in place, detailed information is available in the Asset Details. On this page, you can view the number of eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. associated with the agent, as well as data consumption by the agent over a fixed period of time. For more information, see Viewing Assets Details.

When the Agent is registered and associated with an asset, the Agent configuration profile determines the queries and intervals that USM Anywhere uses to collect logs from the host system.

The AlienVault Agent dashboard displays status information for all agents registered with your USM Anywhere environment, including an indication that an agent is currently sending data. For more information, see AlienVault Agent Dashboard .