Linux
- Optimized: The optimized profile reduces data consumption by filtering certain events that are not correlated with alarms.
  - Does not collect events.
  - Collects new process events and correlates them for threat detection purposes, but stores them only when they are associated with an alarm.
  - Collects outbound socket events and correlates them for threat detection purposes, but stores them only when they are associated with an alarm.
  Note: The optimized configuration profile monitors files in a specific set of locations. Because the locations of the monitored files are limited, the optimized profile cannot guarantee that the LevelBlue Agent is tracking all user interaction with secured files. This means that the optimized agent profile on its own doesn't satisfy PCI DSS Requirement 10.
- Full: The full (verbose) profile collects and stores all Linux log events, including syslog events, new process events, and outbound socket events. Using this profile could have a significant impact on your data consumption. See Subscription Management for more information about how USM Anywhere manages data consumption and storage.
Windows
- Optimized: The optimized profile reduces data consumption by modifying the Windows Events query to retrieve only the event types that impact threat detection.
  - Collects Sysmon Windows event logs and correlates them for threat detection purposes, but stores them only when they are associated with an alarm.
  Note: The optimized configuration profile monitors files in a specific set of locations. Because the locations of the monitored files are limited, the optimized profile cannot guarantee that the LevelBlue Agent is tracking all user interaction with secured files. This means that the optimized agent profile on its own doesn't satisfy PCI DSS Requirement 10.
- Full: The full (verbose) profile collects and stores most Windows event types, ignoring a few events that provide little value as determined by the LevelBlue Labs™ team. For a list of the log collection paths monitored by this profile, go to Data Sources > Agents > Configuration Profiles, click the Full profile for Windows, and then click the Log Collection tab to display the full list of paths. Using this profile could have a significant impact on your data consumption. See Subscription Management for more information about how USM Anywhere manages data consumption and storage.
macOS
- Optimized: The optimized profile reduces data consumption by filtering certain events that are not correlated with alarms.
  Note: The optimized configuration profile monitors files in a specific set of locations. Because the locations of the monitored files are limited, the optimized profile cannot guarantee that the LevelBlue Agent is tracking all user interaction with secured files. This means that the optimized agent profile on its own doesn't satisfy PCI DSS Requirement 10.
- Full: The full profile collects and stores all macOS events. Using this profile could have a significant impact on your data consumption. See Subscription Management for more information about how USM Anywhere manages data consumption and storage.
Note: An agent event named "Outbound Connections" indicates that the agent found an open socket with an external IP address. LevelBlue recommends that you check the firewall logs to find matching events that can help clarify the communication process.
Note: Currently, the Windows FIM paths are as follows:
- C:\Windows\System32\drivers\etc\hosts
- C:\autoexec.bat
- C:\config.sys
- C:\boot.ini
More Windows FIM paths will be added in future updates.
To select the default configuration profile
- Go to Data Sources > Agents.
- Click Configuration Profiles.
- Review and select the configuration profile you want to use by default.
Important: The Experimental Profiles are temporary and internal. Do not use them unless you have instructions from the LevelBlue Technical Support department.
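As an added example (not LevelBlue or USM Anywhere code, and not a replacement for the agent's own FIM), the following PowerShell script snapshots the four Windows FIM paths listed above and reports which of them have changed or gone missing since a saved baseline; the baseline file location under ProgramData is an assumption.

```powershell
# Added example, not LevelBlue code: SHA256 baseline check over the Windows FIM
# paths listed in the note above. The baseline file location is an assumption.
$FimPaths = @(
    'C:\Windows\System32\drivers\etc\hosts',
    'C:\autoexec.bat',
    'C:\config.sys',
    'C:\boot.ini'
)

function Get-FimSnapshot {
    param([string[]]$Paths = $FimPaths)
    $snapshot = @{}
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            # Hash of the current content; a missing file is recorded explicitly
            $snapshot[$p] = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        } else {
            $snapshot[$p] = 'MISSING'
        }
    }
    return $snapshot
}

function Compare-FimSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($p in $Baseline.Keys) {
        # Any difference (modified, deleted, or newly created file) is a finding
        if ($Baseline[$p] -ne $Current[$p]) {
            $findings += [pscustomobject]@{
                Path     = $p
                Baseline = $Baseline[$p]
                Current  = $Current[$p]
            }
        }
    }
    return $findings
}

# First run writes the baseline; later runs compare against it (assumed path).
$BaselineFile = "$env:ProgramData\fim-baseline.json"
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    Get-FimSnapshot | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile
    Write-Output "Baseline written to $BaselineFile"
} else {
    $baseline = @{}
    (Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $changes = Compare-FimSnapshot -Baseline $baseline -Current (Get-FimSnapshot)
    if ($changes) { $changes | Format-Table -AutoSize } else { Write-Output 'No changes to monitored FIM paths.' }
}
```

On current Windows releases only the hosts file normally exists, so the other three paths are recorded as MISSING in the baseline and any later appearance of them is reported as a change.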
Assign LevelBlue Agent Configuration Profiles to Assets
You can assign a specific LevelBlue Agent configuration profile to an asset from the assets list page or the asset details page.
To assign an agent profile using the actions list
- Go to Environment > Assets.
- Select the asset, and then click Actions > Assign Agent Profile.
- Select the agent profile you want to assign to the selected asset.
  USM Anywhere displays an informative message if assets exist but do not have agents deployed.
- Click Save.
To assign an agent profile from the asset details page
- Go to Environment > Assets.
- Locate the asset, click the icon next to the name of the asset to which you want to assign the agent configuration profile, and then select Full Details.
- Click Agent.
- Click the Configuration Profile drop-down menu, and then select the profile you want to assign.
To assign an agent profile from the Configure Asset dialog
- Go to Environment > Assets.
- Locate the asset, click the icon next to the name of the asset to which you want to assign the agent configuration profile, and then select Configure Asset.
  Important: The Agent Profile field displays if the agent is connected and the user has the role of Manager.
- Choose the agent profile you want to assign to the selected asset.
  USM Anywhere displays an informative message if assets exist but do not have agents deployed.
- Click Save.
Assign LevelBlue Agent Configuration Profiles to Asset Groups
To assign a LevelBlue Agent configuration profile to an asset group
- Go to Environment > Asset Groups.
- Next to the asset group to which you want to assign the profile, click the icon, and then select Full Details.
- Select Actions > Assign Agent Profile.
- Choose the agent profile you want to assign to the selected asset group.
- Click Save.