Note: When you first deploy LevelBlue Agents on your host systems, you should install just a few to evaluate the events collected by the agent and the impact to your data consumption. While there is no hard limit on the number of agents you can deploy, larger numbers of agents can eventually begin to impact the performance of USM Anywhere by transmitting more data than your pipeline can accommodate, causing latency in receiving and processing information. Similarly, if your host system is consistently busy, such as a domain controller or an Active Directory (AD) server, deploying an agent on it may slow down its operations.
Note: LevelBlue Agents do not currently support the use of a proxy server.
Prerequisites
Before installing the LevelBlue Agent on a Windows host system, ensure that you have the following requirements in place for that system:
- A 64-bit Windows host running Windows 10 or later (client version) or Windows Server 2016 or later (server version).
Note: While it’s possible to run the LevelBlue Agent on an ARM 64-bit architecture, you may see decreases in your product performance. LevelBlue does not recommend this application of the agent.
- Transport Layer Security (TLS) 1.2 must be enabled on the host system.
- PowerShell 3 or higher is installed on the host system.
- You have login credentials for the host system with full admin rights.
Note: LevelBlue recommends that your host system has a minimum of 4 GB memory and 2 CPU cores.
The host system must also be able to reach the following endpoints:
- download.sysinternals.com/files/Sysmon.zip
- <AWS region>-agent-entrypoint.alienvault.cloud (for example, eu-west-1-agent-entrypoint.alienvault.cloud). See the LevelBlue Agent Endpoints by AWS Regions table for region-specific IP ranges.
- agent-packageserver.alienvault.cloud
- api.agent.alienvault.cloud
- prod-api.agent.alienvault.cloud
- agent-packageserver.alienvault.cloud/repo/windows/sysmon_config_schema4_0.xml
- agent-packageserver.alienvault.cloud/repo/windows/alienvault-agent-<version>.msi
Important: The endpoints listed above are inside the 3.235.189.112/28 range.
For AWS GovCloud (US-West) deployments, the endpoints are:
- api.agent.gov.alienvault.us
- prod-api.agent.gov.alienvault.us
- agent-packageserver.gov.alienvault.us/repo/windows/sysmon_config_schema4_0.xml
- agent-packageserver.gov.alienvault.us/repo/windows/alienvault-agent-<version>.msi
- us-gov-west-1-agent-entrypoint.gov.alienvault.us
Important: These endpoints are inside the 3.32.190.224/28 range.
Note: LevelBlue owns the IP ranges listed in the following table. The IP ranges route agent traffic, and connectivity can move within the ranges according to the region.
Region | Endpoint | Reserved Static IP Address Ranges |
---|---|---|
Asia Pacific (Tokyo) | ap-northeast-1-agent-entrypoint.alienvault.cloud | 18.177.156.144/28 |
Asia Pacific (Mumbai) | ap-south-1-agent-entrypoint.alienvault.cloud | 3.7.161.32/28 |
Asia Pacific (Sydney) | ap-southeast-2-agent-entrypoint.alienvault.cloud | 3.25.47.48/28 |
Canada (Central) | ca-central-1-agent-entrypoint.alienvault.cloud | 3.96.2.80/28 |
EU (Frankfurt) | eu-central-1-agent-entrypoint.alienvault.cloud | 18.156.18.32/28 |
EU (Ireland) | eu-west-1-agent-entrypoint.alienvault.cloud | 3.250.207.0/28 |
EU (London) | eu-west-2-agent-entrypoint.alienvault.cloud | 18.130.91.160/28 |
South America (São Paulo) | sa-east-1-agent-entrypoint.alienvault.cloud | 18.230.160.128/28 |
US East (N. Virginia) | us-east-1-agent-entrypoint.alienvault.cloud | 3.235.189.112/28 |
US West (Oregon) | us-west-2-agent-entrypoint.alienvault.cloud | 44.234.73.192/28 |
AWS GovCloud (US-West) | us-gov-west-1-agent-entrypoint.gov.alienvault.us | 3.32.190.224/28 |
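A failed agent install is usually a missed prerequisite or a blocked outbound connection, so it is worth checking both before running the generated script. The following PowerShell pre-flight check is an added example, not LevelBlue's deployment script; the region value is an assumption you must change for your deployment, and the TLS check only inspects the SCHANNEL client policy key (absent key means the Windows default, which is enabled).

```powershell
# Added example (not LevelBlue code): verify the Windows agent prerequisites and endpoint reachability.
$Region = "eu-west-1"   # ASSUMPTION: replace with the AWS region of your USM Anywhere instance
$Endpoints = @(
    "$Region-agent-entrypoint.alienvault.cloud",
    "agent-packageserver.alienvault.cloud",
    "api.agent.alienvault.cloud",
    "prod-api.agent.alienvault.cloud",
    "download.sysinternals.com"                  # Sysmon.zip is fetched from here
)

$results = [ordered]@{}

# 64-bit Windows 10 / Server 2016 or later; both report major version 10.0. ARM64 is discouraged.
$os = Get-CimInstance Win32_OperatingSystem
$results["64-bit OS"]          = $os.OSArchitecture -like "64*"
$results["Windows 10/2016+"]   = [version]$os.Version -ge [version]"10.0"
$results["Not ARM64"]          = $env:PROCESSOR_ARCHITECTURE -ne "ARM64"

# PowerShell 3 or higher
$results["PowerShell >= 3"]    = $PSVersionTable.PSVersion.Major -ge 3

# TLS 1.2 client: the SCHANNEL policy key disables it only when Enabled is explicitly 0
$tlsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
$tlsEnabledValue = (Get-ItemProperty -Path $tlsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$results["TLS 1.2 client"]     = -not ($tlsEnabledValue -eq 0)

# Recommended sizing: 4 GB memory and 2 CPU cores
$cs = Get-CimInstance Win32_ComputerSystem
$results["RAM >= 4 GB"]        = $cs.TotalPhysicalMemory -ge 4GB
$results["CPU cores >= 2"]     = $cs.NumberOfLogicalProcessors -ge 2

# The deployment script must run from an elevated (Run as Administrator) PowerShell window
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$results["Running as Administrator"] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Outbound HTTPS (TCP/443) to each endpoint; a FAIL here usually means a firewall or egress policy
foreach ($ep in $Endpoints) {
    $tcp = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    $results["TCP 443 -> $ep"] = $tcp.TcpTestSucceeded
}

# Print one PASS/FAIL line per check so the report can be pasted into a ticket
$results.GetEnumerator() | ForEach-Object {
    "{0,-5} {1}" -f $(if ($_.Value) { "PASS" } else { "FAIL" }), $_.Key
}
```

The agent does not support a proxy, so a FAIL on the TCP 443 lines must be resolved with a direct egress rule to the IP ranges in the table above, not with a proxy setting.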
LevelBlue Agent Installation on a Single Host System
For a Windows host system that is already identified as an asset in your USM Anywhere environment, you can install the agent using a generated PowerShell script to run on that Windows host system. You can generate this script for the specific asset from the Agents page (Data Sources > Agents) or from the Asset Details page for the asset.
Note: If the host system is not in your asset inventory through discovery by a deployed USM Anywhere Sensor, you can manually add the asset using its IP address or fully qualified domain name (FQDN). See Adding Assets for more information. Alternatively, you can use the script for multiple assets and then use the information provided by the unassociated agent to create a new asset.
Important: Some antivirus software may block the osqueryd service and prevent it from starting. If your service is not starting because of antivirus software, you need to add the \Program Files\osquery\osqueryd\ path to your antivirus exclusions policy.
From the Agents page
- In USM Anywhere, go to Data Sources > Agents.
- Click Windows Deployment Script.
- In the dialog box, click the Single Asset tab.
- Specify the asset where you want to install the agent. Start typing the name or IP address of the asset in the field to display matching items, and then select the one you want.
- Click Copy to Clipboard.
- Use a remote access client to connect and log in to the Windows host system.
- Use the Run as Administrator option to open the PowerShell window.
- Run the copied script.
From the Asset Details page
- Go to Environment > Assets.
- (Optional) Use the Search & Filters option to filter the list and help you locate the asset you want. See Searching Assets for more information.
- Click the icon next to the asset name and then select Full Details.
- In the Agent Status section, click Deploy Agent.
- Select Windows. The Windows Deployment Script dialog box opens.
- Click Copy to Clipboard.
- Use a remote access client to connect and log in to the Windows host system.
- Use the Run as Administrator option to open the PowerShell window.
- Run the copied script.
LevelBlue Agent Installation on Multiple Host Systems
If you have multiple Windows host systems that are not currently in your USM Anywhere asset inventory, or you don't want to generate a separate script for each asset, you can install the LevelBlue Agent using a generated PowerShell script on any Windows host system that meets the prerequisite requirements. You can generate this script from the Agents page (Data Sources > Agents).
To generate an agent deployment script for multiple host systems:
- In USM Anywhere, go to Data Sources > Agents.
- Click Windows Deployment Script. Ensure that the Multiple Assets tab is selected in the dialog box.
- Click Copy to Clipboard.
- Run the script on each Windows host system where you want to deploy the agent:
  - Use a remote access client to connect and log in to the Windows host system.
  - Use the Run as Administrator option to open the PowerShell window.
  - Run the copied script.
Note: If you use a multiple asset installation script to execute bulk deployment across multiple host systems, the script will not have the unique asset ID. In this case, USM Anywhere attempts to associate the LevelBlue Agent with an existing asset if there is enough information and it can make a definitive match. When a deployed agent does not have an associated asset, you must manually make this association in USM Anywhere to enable queries and log collection for the host system. See LevelBlue Agent and Asset Associations for more information.
Installation Error Resolution
If the LevelBlue Agent is installed using the single asset deployment script, its host identifier UUID and asset association are stored in the osquery.flags file on your system. Asset changes, specifically changes that result in an asset being removed and added back to USM Anywhere, can cause issues with the way the agent associates with the asset if you need to reinstall the agent for any reason. If you encounter an error during the installation of an agent, you need to remove the osquery directory before you reinstall the agent. To do this, delete the C:\Program Files\osquery folder.