USM Anywhere includes out-of-the-box LevelBlue Agent configuration profiles to manage the queries that it runs for an asset associated with a deployed agent. For each configuration profile, you can view the list of queries, a description of the collected logs, and the query frequency. Depending on your needs, you can change the default configuration profile so that you collect the log data and generate the events for the newly deployed agents. USM Anywhere provides two configuration profiles for each of the agent deployment types: optimized and full. Each profile involves trade-offs between data security coverage and data consumption. Use the following information to help you determine which configuration profile works best for your setup.
Linux
  • Optimized: The optimized profile reduces data consumption by filtering certain events that are not correlated with alarms.
    • Does not collect syslog events.
    • Collects new process events and correlates them for threat detection purposes, but stores them only when they are associated with an alarm.
    • Collects outbound socket events and correlates them for threat detection purposes, but stores them only when they are associated with an alarm.
    Note: The optimized configuration profile monitors files in a specific set of locations. Because the locations of the monitored files are limited, the optimized profile cannot guarantee that the LevelBlue Agent is tracking all user interaction with secured files. This means that the optimized agent profile on its own doesn't satisfy PCI DSS Requirement 10.
  • Full: The full (verbose) profile collects and stores all Linux log events, including syslog events, new process events, and outbound socket events. Using this profile could have a significant impact on your data consumption. See Subscription Management for more information about how USM Anywhere manages data consumption and storage.
Windows
  • Optimized: The optimized profile reduces data consumption by modifying the Windows Events query to retrieve only the event types that impact threat detection.
    • Collects Sysmon Windows event logs and correlates them for threat detection purposes, but stores them only when they are associated with an alarm.
    For a list of the log collection paths monitored by this profile, go to Data Sources > Agents > Configuration Profiles, click the Optimized profile for Windows, and then click the Log Collection tab to display the full list of paths.
    Note: The optimized configuration profile monitors files in a specific set of locations. Because the locations of the monitored files are limited, the optimized profile cannot guarantee that the LevelBlue Agent is tracking all user interaction with secured files. This means that the optimized agent profile on its own doesn't satisfy PCI DSS Requirement 10.
  • Full: The full (verbose) profile collects and stores most Windows event types, ignoring a few events that provide little value as determined by the LevelBlue Labs™ team. For a list of the log collection paths monitored by this profile, go to Data Sources > Agents > Configuration Profiles, click the Full profile for Windows, and then click the Log Collection tab to display the full list of paths. Using this profile could have a significant impact on your data consumption. See Subscription Management for more information about how USM Anywhere manages data consumption and storage.
macOS
  • Optimized: The optimized profile reduces data consumption by filtering certain events that are not correlated with alarms.
    Note: The optimized configuration profile monitors files in a specific set of locations. Because the locations of the monitored files are limited, the optimized profile cannot guarantee that the LevelBlue Agent is tracking all user interaction with secured files. This means that the optimized agent profile on its own doesn't satisfy PCI DSS Requirement 10.
  • Full: The full profile collects and stores all macOS events. Using this profile could have a significant impact on your data consumption. See Subscription Management for more information about how USM Anywhere manages data consumption and storage.
In the Configuration Profiles view, you can click the individual profile name to display the queries executed by the agent and their frequencies. If you are looking for a specific type of log, enter text in the Search field, and then click the icon to filter the query list.
Note: An agent event named “Outbound Connections” indicates that the agent found an open socket with an external IP address. LevelBlue recommends that you check the firewall logs to find matching events that can help clarify the communication process.
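The check recommended in the note above, matching an agent "Outbound Connections" event against firewall logs, can be scripted once both sources are exported. The following is an added example, not code from USM Anywhere or the LevelBlue Agent: the agent event fields (`time`, `host`, `process`, `dst_ip`, `dst_port`), the `key=value` firewall log syntax, and all sample records are constructed for the demonstration and do not reflect the product's real schema.

```python
from datetime import datetime

# Constructed sample agent "Outbound Connections" events (field names are assumed).
AGENT_OUTBOUND_EVENTS = [
    {"time": "2024-05-01T10:00:05Z", "host": "ws-042", "process": "updater.exe",
     "dst_ip": "203.0.113.25", "dst_port": 443},
    {"time": "2024-05-01T10:07:40Z", "host": "ws-042", "process": "svc.exe",
     "dst_ip": "198.51.100.9", "dst_port": 8443},
    # Seen by the agent but absent from the firewall log: a logging or path gap worth investigating.
    {"time": "2024-05-01T10:15:00Z", "host": "ws-042", "process": "cmd.exe",
     "dst_ip": "192.0.2.50", "dst_port": 22},
]

# Constructed sample firewall log in a generic key=value form (not a specific vendor's format).
FIREWALL_LOG = """\
2024-05-01T10:00:06Z action=allow src=10.0.5.42 dst=203.0.113.25 dport=443 proto=tcp
2024-05-01T10:03:12Z action=allow src=10.0.5.42 dst=192.0.2.7 dport=80 proto=tcp
2024-05-01T10:07:41Z action=deny src=10.0.5.42 dst=198.51.100.9 dport=8443 proto=tcp
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_firewall_line(line):
    """Split 'timestamp k=v k=v ...' into a dict with a parsed time and integer port."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.strptime(ts, TIME_FMT)
    fields["dport"] = int(fields["dport"])
    return fields


def correlate(agent_events, firewall_text, window_seconds=30):
    """For each agent event, find a firewall record with the same destination IP and port
    within window_seconds, and report the firewall's action ('no match' if none was found)."""
    fw_records = [parse_firewall_line(l) for l in firewall_text.splitlines() if l.strip()]
    results = []
    for ev in agent_events:
        t = datetime.strptime(ev["time"], TIME_FMT)
        matches = [
            f for f in fw_records
            if f["dst"] == ev["dst_ip"]
            and f["dport"] == ev["dst_port"]
            and abs((f["time"] - t).total_seconds()) <= window_seconds
        ]
        results.append({
            "process": ev["process"],
            "dst": f"{ev['dst_ip']}:{ev['dst_port']}",
            "firewall_action": matches[0]["action"] if matches else "no match",
        })
    return results


if __name__ == "__main__":
    for row in correlate(AGENT_OUTBOUND_EVENTS, FIREWALL_LOG):
        print(row)
```

The time window absorbs clock skew between the endpoint and the firewall; a "no match" result means the firewall never logged the connection the agent saw, which is the case that most needs a follow-up (missing egress logging, or traffic that left by a path the firewall does not cover).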
If you want to see the specific file paths included in the profile’s file integrity monitoring (FIM), click the File Integrity tab to display these paths by category.
Note: Currently, the Windows FIM paths are as follows:
  • C:\Windows\System32\drivers\etc\hosts
  • C:\autoexec.bat
  • C:\config.sys
  • C:\boot.ini
More Windows FIM paths will be added in future updates.
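To make concrete what file integrity monitoring does for the paths listed above, here is an added example (not the LevelBlue Agent's implementation) that baselines the monitored set with SHA-256 and reports each path as created, modified or deleted on the next pass. The `demo()` function is a constructed stand-in: it mirrors the four Windows paths into a temporary directory so the script runs on any platform without touching the real system files.

```python
import hashlib
import tempfile
from pathlib import Path

# The Windows FIM paths listed on the page (the monitored set).
WINDOWS_FIM_PATHS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\autoexec.bat",
    r"C:\config.sys",
    r"C:\boot.ini",
]


def file_digest(path):
    """SHA-256 hex digest of a file, or None if the path is not a regular file."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the current digest (or None for absent files) of every monitored path."""
    return {str(p): file_digest(p) for p in paths}


def compare_baseline(baseline, paths):
    """Return {path: 'created' | 'modified' | 'deleted'} for every path whose state changed."""
    changes = {}
    for p in paths:
        old = baseline.get(str(p))
        new = file_digest(p)
        if old == new:
            continue  # unchanged, or still absent on both passes
        if old is None:
            changes[str(p)] = "created"
        elif new is None:
            changes[str(p)] = "deleted"
        else:
            changes[str(p)] = "modified"
    return changes


def demo():
    """Constructed demonstration: mirror the monitored paths into a temp dir, baseline them,
    then change three of them and return the detected changes keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in files: only the file name of each Windows path is kept (not the real path).
        local = {w: Path(tmp) / Path(w.replace("\\", "/")).name for w in WINDOWS_FIM_PATHS}
        for w, p in local.items():
            if "boot.ini" not in w:  # boot.ini starts out absent
                p.write_text(f"original contents of {w}\n")
        baseline = build_baseline(local.values())

        # Second pass: hosts edited, config.sys removed, boot.ini appears; autoexec.bat untouched.
        local[WINDOWS_FIM_PATHS[0]].write_text("127.0.0.1 localhost\n")
        local[r"C:\config.sys"].unlink()
        local[r"C:\boot.ini"].write_text("[boot loader]\n")

        changes = compare_baseline(baseline, local.values())
        return {Path(k).name: v for k, v in changes.items()}


if __name__ == "__main__":
    for name, change in sorted(demo().items()):
        print(f"{change:<9} {name}")
```

Storing `None` for absent files in the baseline is what lets the comparison distinguish a newly created file from one that was missing all along; a FIM tool that only hashes existing files silently misses the "created" case.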
To display the agent configuration profiles
  1. Go to Data Sources > Agents.
  2. Click Configuration Profiles.
  3. Review and select the configuration profile you want to use by default.
    Important: The Experimental Profiles are temporary and internal. Do not use them unless you have instructions from the LevelBlue Technical Support department.

Assign LevelBlue Agent Configuration Profiles to Assets

You can assign a specific LevelBlue Agent configuration profile to an asset from the assets list page or the asset details page.
To assign an agent profile using the actions list
  1. Go to Environment > Assets.
  2. Select the asset, and then click Actions > Assign Agent Profile.
  3. Select the agent profile you want to assign to the selected asset.
    USM Anywhere displays an informative message if assets exist but do not have agents deployed.
  4. Click Save.
To assign an agent profile from the Asset Details page
  1. Go to Environment > Assets.
2. Locate the asset, click the icon next to the name of the asset to which you want to assign the specific agent configuration profile, and then select Full Details.
  3. Click Agent.
  4. Click the Configuration Profile drop-down menu, and then select the profile you want to assign.
To assign an agent profile from the Configure Asset dialog box
  1. Go to Environment > Assets.
2. Locate the asset, click the icon next to the name of the asset to which you want to assign the specific agent configuration profile, and then select Configure Asset.
    Important: The Agent Profile field displays if the agent is connected and the user has the role of Manager.
  3. Choose the agent profile you want to assign to the selected asset.
    USM Anywhere displays an informative message if assets exist but do not have agents deployed.
  4. Click Save.

Assign LevelBlue Agent Configuration Profiles to Asset Groups

To assign a LevelBlue Agent configuration profile to an asset group
  1. Go to Environment > Asset Groups.
2. Next to the asset group to which you want to assign the profile, click the icon, and then select Full Details.
  3. Select Actions > Assign Agent Profile.
  4. Choose the agent profile you want to assign to the selected asset group.
  5. Click Save.