Adding BlueApps to an Asset

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere receives syslog An industry standard message logging system that is used on many devices and platforms. log data from external data sources: devices, applications, or operation systems. If that data is not automatically matched with an BlueApp through hints (see Data Sources: Auto Discovered or Not), you must manually associate the BlueApp with an asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. in USM Anywhere. There are two methods for creating these associations:

  • By assigning one or more assets to the BlueApp. See Assign Assets to BlueApps for details.
  • By adding one or more BlueApps to the asset (this document).

You can use a combination of these methods to ensure that USM Anywhere can identify the correct BlueApps for the log data it receives from an asset.

Important: Assigning an BlueApp to an asset disables the usage of hints for the logs coming from this asset; therefore, USM Anywhere only uses the assigned BlueApps to parse and normalize those logs.

If you use a log-forwarding software (such as Splunk or Loggly) to send logs to USM Anywhere, LevelBlue recommends that you use at least two such forwarders: one forwarder for all the auto-discoverable BlueApps, and the other for the non-auto-discoverable BlueApps. In the latter case, you must create an asset in USM Anywhere to denote the forwarder and assign it to the non-auto-discoverable BlueApps. This ensures that USM Anywhere uses the correct BlueApp to parse your logs.

Adding an BlueApp to an asset requires that you know what log data that the USM Anywhere Sensor receives from the asset and which BlueApp(s) are the best match for parsing and normalizing that data to produce meaningful events for your needs.

You can add an BlueApp on the Asset Details page. The Asset Details page provides access to all of the available information and tools for managing an individual asset. See Asset Management for more information about managing discovered assets in USM Anywhere.

To add an BlueApp from the Asset Details page

  1. Go to Environment > Assets.

  2. (Optional.) Use the Search & Filters option to filter the list and help you locate the asset you want.

    See Searching Assets for more information.

  3. Click the icon next to the asset name and then select Full Details.

    Open the full details for the Carbon Black asset

    This displays the Asset Details.

  4. At the bottom of the expanded page, select the BlueApps tab and click Add BlueApp.

    Click Add AlienApp to associate an AlienApp with the asset

  5. In the dialog box, select the BlueApp you want to assign to the asset. Enter full or part of the name in the Set a New BlueApp field and select one from the displayed list.

    Enter part of the name and select the correct AlienApp from the displayed list.

    The system displays this message at the top of the page:

    BlueApp added successfully.

  6. (Optional.) Repeat the previous step to add another BlueApp.

  7. Click the icon to close the dialog box.

    On the BlueApps tab, you can see the list of BlueApps added.

    View the associated AlienApps in the Asset Details page.

For logs where a matching BlueApp is not identified, USM Anywhere parses it using a generic data source. You can review the generated events in the LevelBlue Generic Data Source events view. If the reporting device for the event is defined in the USM Anywhere asset inventory, you can manually assign an BlueApp directly from this view.

See LevelBlue Generic Data Source for more information about the information and tools available in this view.

To assign an BlueApp from a LevelBlue Generic Data Source event

  1. Go to Activity > Events.
  2. Click View > Saved views > LevelBlue Generic Data Source.
  3. Click Apply.
  4. Review the listed events and locate an event where the reporting device is displayed in blue and you want to manually assign a known BlueApp to the asset.

  5. In the Reporting Device column, click the icon next to the asset name and select Assign BlueApp.

    Events Main Page, Menu on the Reporting Device Column

    The Add BlueApp to an asset dialog box opens.

    Events Main Page, Add AlienApps dialog box

  6. In the dialog box, select the BlueApp to use for log data from the asset.

    Enter part of the BlueApp name in the Set a New BlueApp field and select the BlueApp from the displayed list.

    Enter part of the plugin name and select the correct plugin from the displayed list.

  7. (Optional.) Repeat the previous step to add another BlueApp for the asset.
  8. Click the icon to close the dialog box.