What are the firewall requirements for USM Anywhere Sensor communication?
Outbound port 443 must be opened to allow traffic to *.alienvault.cloud for all sensor deployment types to communicate with the cloud environment.
USM Anywhere is a SaaS security monitoring solution that centralizes threat detection, incident response, and compliance management across your on-premises, cloud, or hybrid environments. Data collection, security analysis, and threat detection are centralized in the AlienVault Secure Cloud and provide you with a single view into all of your critical infrastructure.
This topic discusses the following subtopics:
- About USM Anywhere Deployment on Azure
- Requirements for USM Anywhere Sensor Deployment on Azure
- Deploying the USM Anywhere Sensor from the Azure Marketplace
- Deploying the USM Anywhere Sensor in the Web Interface
- Creating an Application and Obtaining Azure Credentials
- Completing the Azure Sensor Setup
- Creating a New Azure Collection Job
USM Anywhere™ Deployment Guide 97
About USM Anywhere Deployment on Azure
If your organization uses multiple subnets to allow communication between headquarters and remote offices, we recommend that you deploy a sensor to each.
Alternatively, you can deploy a USM Anywhere Sensor in a single virtual network. If you deploy a sensor to only a single virtual network in your Azure subscription, you'll see Azure Insight logs for the entire subscription.
USM Anywhere automatically discovers your use of the following logs without the need for enablement on the Azure subscription side, as long as you have given the Azure resource subscription contributor-level permissions:
- Azure REST Monitor (formerly Azure Insight) logs
- Azure SQL Server logs
  Note: USM Anywhere only collects SQL Server logs stored as tables. It does not collect logs stored as Binary Large Objects (BLOBs).
- Azure IIS logs
- Azure Windows logs
- Azure Security Alerts
Requirements for USM Anywhere Sensor Deployment on Azure
To ensure that you can successfully monitor all of your Azure resource groups using the USM Anywhere Sensor, you should possess the following:
- An Azure account with privileges in the resource group or subscriptions in which you want to install the USM Anywhere Sensor
- Within the Azure portal, you should already have the following:
  - Administrative access to Active Directory within Azure. This allows you to create an application in which to install resource groups or subscription for monitoring.
  - A virtual network inside the resource group
  - A subnet inside the virtual network
  - A storage account
Deploying the USM Anywhere Sensor from the Azure Marketplace
You can deploy one USM Anywhere Sensor to monitor all of your Azure resource groups. To do this, you must assign the application you create to the entire subscription.
The following is a list of outbound IP addresses and ports used by USM Anywhere for its Azure sensor deployment.
Outbound Ports and Protocols
A deployed USM Anywhere Sensor requires opening the firewall for communication with USM Anywhere in the cloud for the following ports and protocols:
- SSL over TCP on port 7100
- HTTP over port 80 for product updates
- Amazon Web Services IPs over ports 443 and 7100
- Access to *.alienvault.cloud over port 443
- SSH over port 22 for USM Anywhere Remote Support
Inbound Ports
You do not need to open any inbound ports in the firewall of your local network, because the USM Anywhere Sensor receives no inbound connections from outside the firewall.
When you configure plugins to forward log data to the USM Anywhere Sensor from within your local network, the sensor receives inbound connections through port 514 over syslog.
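The outbound list above is easy to get wrong when it is translated into egress rules. The following is an added example (not from the guide) that models outbound rules the way Azure NSG rules work (lowest priority number first, first match wins) and reports which of the guide's required destinations a rule set would block. The 203.0.113.0/24 range is a constructed stand-in for the Amazon Web Services ranges the guide does not list, and it assumes an FQDN-aware egress control for the *.alienvault.cloud entry, which a plain NSG cannot match.

```python
"""Check outbound firewall rules against the egress a USM Anywhere Sensor needs.

Added example, not from the guide. Rules are modelled like Azure NSG outbound
rules: the lowest priority number is evaluated first and the first match wins.
Destinations are "*", a CIDR, or a wildcard hostname such as *.alienvault.cloud
(assumption: your egress control can match FQDNs; a plain NSG cannot).
"""
import ipaddress
from fnmatch import fnmatch

# Outbound needs from the guide's "Outbound Ports and Protocols" list. Where the
# guide names no destination, "*" is used. 203.0.113.0/24 is a constructed
# stand-in for the Amazon Web Services ranges, which the guide does not list.
AWS_RANGE_PLACEHOLDER = "203.0.113.0/24"
REQUIRED_EGRESS = [
    ("*.alienvault.cloud", 443, True, "USM Anywhere cloud over TLS"),
    (AWS_RANGE_PLACEHOLDER, 443, True, "AWS-hosted services"),
    (AWS_RANGE_PLACEHOLDER, 7100, True, "SSL over TCP control channel"),
    ("*", 80, True, "HTTP product updates"),
    ("*", 22, False, "SSH for remote support (optional)"),
]


def port_matches(spec, port):
    """spec is "*", "443", "1-65535" or a comma-separated list of those."""
    for part in str(spec).split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def dest_matches(rule_dest, dest):
    """True if the rule destination covers the wanted destination."""
    if rule_dest == "*":
        return True
    rule_net = want_net = None
    try:
        rule_net = ipaddress.ip_network(rule_dest, strict=False)
    except ValueError:
        pass
    try:
        want_net = ipaddress.ip_network(dest, strict=False)
    except ValueError:
        pass
    if rule_net and want_net:   # address range versus address range
        return rule_net.version == want_net.version and want_net.subnet_of(rule_net)
    if rule_net or want_net:    # a hostname cannot be compared with a range
        return False
    return fnmatch(dest, rule_dest)   # hostname glob versus hostname


def decide(rules, dest, port, proto="tcp"):
    """Return (action, rule_name) of the first matching rule, else default deny."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["proto"] not in ("*", proto):
            continue
        if port_matches(rule["ports"], port) and dest_matches(rule["dest"], dest):
            return rule["action"], rule["name"]
    return "deny", "implicit-default-deny"   # assumption: outbound is default-denied


def missing_required(rules, requirements=REQUIRED_EGRESS):
    """(dest, port) pairs the guide requires that this rule set does not allow."""
    return [(dest, port) for dest, port, required, _ in requirements
            if required and decide(rules, dest, port)[0] != "allow"]


def overly_broad(rules):
    """Names of allow rules that open every port to every destination."""
    return [r["name"] for r in rules
            if r["action"] == "allow" and r["dest"] == "*" and r["ports"] == "*"]


# Constructed sample rule set for the sensor's subnet.
SAMPLE_RULES = [
    {"name": "allow-usm-cloud", "priority": 100, "proto": "tcp",
     "dest": "*.alienvault.cloud", "ports": "443", "action": "allow"},
    {"name": "allow-aws", "priority": 110, "proto": "tcp",
     "dest": AWS_RANGE_PLACEHOLDER, "ports": "443,7100", "action": "allow"},
    {"name": "allow-updates", "priority": 120, "proto": "tcp",
     "dest": "*", "ports": "80", "action": "allow"},
    {"name": "deny-all", "priority": 4000, "proto": "*",
     "dest": "*", "ports": "*", "action": "deny"},
]

if __name__ == "__main__":
    print("missing:", missing_required(SAMPLE_RULES))
    print("too broad:", overly_broad(SAMPLE_RULES))
```

With the sample rules, only the optional SSH port 22 is blocked; dropping the first two allow rules shows the three required entries that would then be missing.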
To deploy a USM Anywhere Sensor for Azure
1. Go to https://www.alienvault.com/products/usm-anywhere/sensor-downloads and click the Sensor Download arrow next to Azure.
This takes you to the Microsoft Azure Login page.
2. Click your username and, on the next page, type your password and click Sign in.
3. On the USM Anywhere License page, review the details of the license, then click Create.
This takes you to the Create Virtual Machine Basics page.
4. Complete the following fields within the Basics blade of the page:
a. Name — Name you want to give the virtual machine for your USM Anywhere Sensor.
b. VM disk type — Indicate whether you use HDDs or SSDs.
c. User name — Type your SSH username. For access to the AlienVault console, this must be sysadmin.
d. Authentication type — Indicate whether you use an SSH Public key or a password for SSH access.
e. Subscription — Select the subscription into which USM Anywhere Sensor should be installed.
f. Resource Group — Indicate whether you want to install the USM Anywhere Sensor into an existing resource group or into a new resource group. If new, type a unique name.
g. Location — If you are using a new resource group, indicate the region for the USM Anywhere Sensor. Otherwise, leave it blank.
h. Click OK.
5. In the Choose a Size blade, select the instance size of your virtual machine.
Although you can select any size, AlienVault recommends the following instance sizes:
- HDD instances — D2 standard
- SSD instances — DS2 premium
6. Click Select.
7. In the Settings blade, complete the following fields to indicate storage and network preferences:
a. Storage Account — Select the storage account that the USM Anywhere Sensor should use.
  - If HDD was selected, a standard storage account will be requested.
  - If SSD was selected, a premium storage account will be requested.
b. Network — Indicate the name of the network where the USM Anywhere Sensor should be installed.
Make sure you install the USM Anywhere Sensor in the network where the assets reside that you want to monitor.
c. Extensions — Leave blank.
d. High availability — Leave blank.
e. Monitoring — Leave it disabled unless you want to store USM Anywhere Sensor logs for monitoring purposes.
8. Click OK.
9. On the Summary blade, review the values you previously entered, then click OK.
10. On the Purchase blade, review the cost summary.
11. Click Purchase.
After you click Purchase, the deployment of the USM Anywhere Sensor starts. This can take up to six minutes.
12. After deployment finishes, access the public IP by reviewing the virtual machine summary.
Paste this IP address into a browser window to launch the USM Anywhere web interface.
Deploying the USM Anywhere Sensor in the Web Interface
- Launching the First USM Anywhere Sensor in the Web Interface
- Adding Another USM Anywhere Sensor to Your Azure Subscription
This procedure gives you access to the sensor through the USM Anywhere web interface, where you initiate a connection to the cloud.
You perform this procedure after deploying the USM Anywhere Sensor within your Azure subscription.
To set up the USM Anywhere Sensor for Azure in the web interface
1. After deployment finishes, locate the public IP of the virtual machine by reviewing the virtual machine summary.
You'll need this IP address in the next procedure.
Configure the Initial Login Credentials
When you link to a newly-provisioned USM Anywhere instance, you must configure the password for the initial user account, which is the default administrator as defined in your subscription.
To configure login credentials
1. Click the link in the welcome message.
This displays a prompt to set the password to use for the default administrator of USM Anywhere.
2. Enter the password, and again to confirm.
USM Anywhere requires a minimum password length of eight characters, with a maximum length of 128 characters. The password must combine numerical digits (0-9), uppercase letters (A-Z), and lowercase letters (a-z). Special characters, such as hyphen (-) and underscore (_), are supported but optional.
Note: USM Anywhere passwords expire after 90 days. When your password expires, USM Anywhere enforces the password change when you next log into the system using the current (now expired) password. A new password must be different than the previous four passwords.
3. Click Save & Continue.
4. When the login page appears, enter the password you just set, select acceptance of the terms of service, and click Login.
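The password rules above (length, character classes, and the four-password history) are the kind of policy an operator may also want to enforce in an onboarding script before handing an administrator password to the wizard. The following is an added example, not part of the guide, that checks a candidate against exactly those rules; keeping the history as salted PBKDF2 hashes rather than clear text is this example's own choice.

```python
"""Check a candidate USM Anywhere administrator password against the guide's policy.

Added example, not part of the guide: 8 to 128 characters, at least one digit,
one uppercase and one lowercase letter, special characters optional, and
different from the previous four passwords. Keeping the history as salted
PBKDF2 hashes rather than clear text is this example's own choice.
"""
import hashlib
import hmac
import os
import string

MIN_LEN, MAX_LEN, HISTORY_DEPTH = 8, 128, 4
SALT_LEN, ITERATIONS = 16, 200_000


def hash_password(password, salt=None):
    """Return salt + PBKDF2-HMAC-SHA256 digest; a fresh salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def same_password(password, stored):
    """Constant-time comparison of a candidate against a stored salt + digest."""
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), stored)


def policy_violations(password, history=()):
    """List every rule the candidate breaks; an empty list means it is acceptable.

    history holds stored hashes, newest first; only the last four are compared.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    # Explicit ASCII classes: str.isdigit() would also accept non-ASCII digits.
    for name, alphabet in (("digit", string.digits),
                           ("uppercase letter", string.ascii_uppercase),
                           ("lowercase letter", string.ascii_lowercase)):
        if not any(ch in alphabet for ch in password):
            problems.append(f"must contain at least one {name}")
    if any(same_password(password, old) for old in history[:HISTORY_DEPTH]):
        problems.append(f"must differ from the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    previous = [hash_password("OldAdmin1")]          # constructed history entry
    print(policy_violations("Sensor-2024x", previous))   # []
    print(policy_violations("OldAdmin1", previous))      # history violation
```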
To add an additional USM Anywhere Sensor
1. From the USM Anywhere primary task bar, select SETTINGS > DEPLOYMENT.
2. Click NEW SENSOR.
A new sensor authentication code displays in the SENSOR AUTHENTICATION CODES section of the page.
3. Copy the key to the clipboard and keep the instance in the background for use later on in this procedure.
4. Repeat the steps for Deploying the USM Anywhere Sensor from the Azure Marketplace.
5. Repeat the steps in this topic for … cedure because you will be prompted for these. See Creating an Application and Obtaining Azure Credentials.
Creating an Application and Obtaining Azure Credentials
- About Creating an Application and Obtaining Azure Credentials
- Obtaining the Azure Credentials Manually
Before you can use USM Anywhere to monitor your Azure subscription, you must create an application that grants permission to USM Anywhere to fetch data using the Azure SDK and Azure Rest API.
Important: You must have global administrator privileges to create an application and obtain credentials.
If you're a Windows OS user, you can do this in two ways:
- Using a Powershell script available through the USM Anywhere Setup wizard.
- Manually within your Azure subscription.
If you're not a Windows OS user, you'll need to generate these manually from your Azure subscription.
The credentials are:

Azure Credential         USM Anywhere Field Name
azure_tenant_id          Azure Tenant ID
azure_subscription_id    Azure Subscription ID
azure_application_id     Azure Application ID
azure_application_key    Azure Application Key
Use the following procedure to obtain Azure credentials if your operating system is either Linux or macOS.
Obtaining the Azure Subscription ID
To get the Azure subscription ID
1. Log into the Microsoft Azure Portal (https://portal.azure.com).
2. From the Azure Dashboard, select Subscriptions.
3. From the Subscription page, copy your Subscription ID, and save it somewhere where it won't be overwritten.
Creating the Application
To create the application and obtain the remaining Azure credentials (tenant ID, application ID, and application key), you must complete Microsoft Azure's standard procedure for its new portal. If you don't perform this task, you'll be unable to deploy your USM Anywhere Sensor for Azure.
Associating the Application to the Entire Subscription
If you want to use USM Anywhere to monitor all of your Azure resources, you can associate it with your Microsoft Azure subscription as a whole.
To associate the application with the entire subscription
1. Log into the new Microsoft Azure portal (https://portal.azure.com).
2. Go to More Services > Subscriptions and double-click yours.
3. From the <name-of-your-subscription> blade, select Access control (IAM).
This reveals a new blade, showing the roles and permissions that exist.
4. At the top of the blade, click Add, then select the Contributor role.
This allows users to fetch new Azure logs.
5. Select the Service principal you created previously to assign the role to the subscription. Then click Save and OK.
The system responds with the message:
Added user. <User_names> were added as Contributor for <name-of-your-subscription>.
Completing the Azure Sensor Setup
After you initialize a new USM Anywhere Sensor, you must configure it in the setup wizard. As part of configuration, you can schedule applications to perform specific actions, like running an asset discovery scan or collecting security events from a predefined cloud storage location.
The Setup Wizard launches under the following circumstances:
- When you first log into the USM Anywhere web interface and see the WELCOME TO USM ANYWHERE page, click Get Started.
- If you configured a first sensor, but did not complete the setup and then logged out, the Setup Wizard launches to remind you to finalize configuration on the remaining sensors when you log in again.
- When you select SETTINGS > DEPLOYMENT and click the configure icon for the sensor. Any unconfigured sensor displays a red x in the Configuration column.
The first time you log into the web interface from the WELCOME TO USM ANYWHERE web page, the Setup Wizard prompts you to complete the configuration of the first deployed sensor. Thereafter, you can use the wizard to add an additional sensor or to change a sensor configuration.
From the WELCOME TO USM ANYWHERE page (not shown), click Get Started. Within the Setup Wizard, complete the configuration on each page.
AZURE CREDENTIALS
To complete the Azure sensor configuration, you must obtain Azure API credentials for the subscription that you want USM Anywhere to monitor. Select the option on the AZURE CREDENTIALS page that matches your current Azure credential creation status:
- If you already generated your Azure credentials, click Yes, I have my Azure credentials and am ready to enter them.
- If you don't yet have your Azure credentials, click No, I don't have my Azure credentials and need to create them.
- If you're not sure, click I am not sure. Show me how to create my Azure credentials.
If you select No or I am not sure, the page provides options for two creation methods. If you select Yes, follow the steps in Configuring the Azure Credentials After Manual Credential Generation.
Obtaining the Azure Credentials for Windows Users
This procedure is for Windows users who want to use the Powershell script to generate their credentials for sensor configuration.
1. Select Create credentials automatically using a Powershell script (Recommended).
The page automatically launches a download of the Powershell script. You can use the browser tools to save the file to the appropriate location on your system.
2. Run the script as administrator on your Windows operating system.
Note: If you have multiple Azure subscriptions, the script prompts you to identify which one you want USM Anywhere to monitor.
When the script finishes it creates a text file that saves to your Desktop.
3. In USM Anywhere, drop the Azure credentials text file onto the page displayed or click the select USM_Anywhere_Azure_Credentials.txt from your desktop link to locate, select, and upload the file.
4. Verify that the status at the top of the page displays the message:
Valid Credentials
Creating the Azure Credentials Manually
1. Select Learn how to create Azure credentials manually.
This opens the Creating an Application and Obtaining Azure Credentials page in a new browser tab or window.
2. Follow the instructions for creating the needed credentials.
3. Return to USM Anywhere, then click the Back button to return to the AZURE CREDENTIALS page.
Configuring the Azure Credentials After Manual Credential Generation
This procedure is for non-Windows users who generated their Azure credentials manually and who are ready to configure the sensor.
1. Select the Yes option, and in the next page click the Enter previously created Azure credentials manually link at the bottom of the page.
2. Enter the Azure API credentials you generated in the Azure console into the appropriate fields.
3. Click Save Credentials.
4. Verify that the status at the top of the page displays the message:
Valid Credentials
When the credentials are configured, click Next.
The wizard displays the next page in the setup process, AZURE CONFIGURATION.
AZURE CONFIGURATION
After you've successfully configured the Azure credential, the AZURE CONFIGURATION page appears. This page summarizes the number of Azure virtual machines (VMs), resource groups, and VM sizes in your environment.
Click Next.
The wizard displays the next page in the setup process, AZURE LOG COLLECTION.
AZURE LOG COLLECTION
The AZURE LOG COLLECTION page displays the following Azure logs discovered by USM Anywhere in your environment:
- Azure REST Monitor (formerly Azure Insight)
- Azure SQL Server logs
- Azure IIS logs
- Azure Windows logs
- Azure Security Alerts
Note: USM Anywhere only collects SQL Server logs stored as tables. It does not collect logs stored as Binary Large Objects (BLOBs).
When you enable any of these log collection jobs, USM Anywhere starts collecting data from them at the frequency you configure.
Note: If you look at ACTIVITY > EVENTS in USM Anywhere post-configuration, you can see all of the events associated with each log, including its Event ID and many other useful details.
You can also review related log collection jobs in the JOB SCHEDULER (either SETTINGS > SCHEDULER or USERS > SCHEDULER).
To enable the out-of-box Azure log collection jobs, toggle the gray ENABLE icon so that it turns into a green check mark. USM Anywhere immediately starts collecting log data for the jobs you've enabled.
After you enable each job that you want, click Next.
The wizard displays the next page in the setup process, ACTIVE DIRECTORY.
ACTIVE DIRECTORY
The optional ACTIVE DIRECTORY setup page configures USM Anywhere to collect information from your Azure Active Directory (AD) account. To monitor Windows systems effectively, USM Anywhere needs access to the AD (Active Directory) server to collect inventory information.
AlienVault recommends that you create a dedicated AD account with membership in the Domain Admins group to be used by USM Anywhere to log in to the Windows systems. You also need to activate WinRM in the Domain Controller and in all the hosts that you want to scan. You can do this by using a group policy for all the systems in your Active Directory.
Important: Before this feature is fully functional, you must allow access to the USM Anywhere Sensor in the Active Directory server. For more information, see ….
To complete the AD access configuration
1. Provide the AD credentials for USM Anywhere:
- Active Directory IP Address — Enter the IP address for the AD instance.
- Username — Enter your username as administrator of the account.
- Password — Enter your administrator's password.
- Domain — Enter the domain for the AD instance.
2. Click Scan Active Directory.
After a successful launch of the scan, a confirmation dialog appears.
3. Click Accept.
The scan continues in the background.
Upon completion, another dialog appears and provides information about the number of assets USM Anywhere discovered. It also prompts you to decide if you want to scan for hosts and services running in your environment.
Click CANCEL to opt out of this scan.
4. (Optional) If you want to scan for other hosts and services, click OK.
5. Click Next after the scan ends.
The wizard displays the next page in the setup process, LOG MANAGEMENT.
LOG MANAGEMENT
On the LOG MANAGEMENT page, you see the IP addresses of the assets you added during the asset discovery configuration. You also see the port number. (The port is the same for all USM Anywhere Sensors.)
USM Anywhere collects third-party device data through syslog on port 514 by default. To configure any third-party devices to send data to USM Anywhere, you must give them the IP address of your USM Anywhere Sensor and the port number.
Make sure that you've granted the necessary permissions for your operating system to allow USM Anywhere to access its logs. You can also integrate a wide variety of plugins to send log data over syslog to the USM Anywhere Sensor.
To find out how to configure your operating system and supported third-party devices to forward syslog log data, see the following related topics:
- Log collection from a Linux System — Collecting Logs from a Linux System.
- Log collection from a Windows System — Collecting Logs from a Windows System.
- Log collection from other devices using a plugin — USM Anywhere Plugin Integration and Enablement.
Note: Because the log scan can take some time, you may not immediately see all the automatically discovered log sources right after deploying the first sensor.
When you've finished the log collection setup and integrated any needed plugins, verify that the data transfer is occurring.
Click Next when this step is complete.
THREAT INTELLIGENCE
On the Threat Intelligence page, you can connect the deployed sensor to your AlienVault® Open Threat Exchange® (OTX™) account. OTX is an open information-sharing and analysis network that provides access to real-time information about issues and attack threats that may impact your organization, allowing you to learn from and work with others who have already experienced such attacks. AlienVault Labs and other security researchers constantly monitor, analyze, reverse engineer, and report on sophisticated threats including malware, botnets, phishing campaigns, and more. An OTX pulse consists of one or more indicators of compromise (IOCs) that constitute a threat or define a sequence of actions that could be used to carry out an attack.
When you configure the OTX connection, the USM Anywhere Sensor receives raw pulse data from OTX. After the deployed sensor starts to receive this data, USM Anywhere correlates that data and generates related OTX pulse and IP Reputation-related security events and alarms when it detects IOCs interacting with assets in your environment. These events are displayed in the Open Threat Exchange dashboard, which is available from the DASHBOARDS menu.
Note: If you do not already have an OTX account, click the Signup for an OTX account link in the page. This opens another browser tab or window that displays the OTX signup page. After you confirm your email address, you can log into OTX and retrieve the unique API key for your account.
1. Log into OTX and open the API page (https://otx.alienvault.com/api/).
2. In the DirectConnect API Usage panel, click the Copy icon to copy your unique OTX connection key.
3. Return to the Threat Intelligence page of the USM Anywhere Sensor setup wizard and paste the value in the OTX Key text box.
4. Click Validate OTX Key.
With a successful validation of the key, the status at the top of the page changes to Valid OTX key.
Click Next when this task is complete.
SETUP COMPLETE
The Congratulations! page summarizes the status of your configuration.
Click Start Using USM Anywhere, which takes you to the Overview dashboard.
Next...
Now's a great time to run a vulnerability scan. You can learn how to run a vulnerability scan by going to Vulnerability Assessment in the USM Anywhere User Guide.
Creating a New Azure Collection Job
Use this procedure to either schedule an Azure REST Monitor (formerly known as Azure Insights) Log job or to find all Azure Virtual Machines.
You do not need to do anything to enable Azure REST Monitor Logs in the Azure Portal for USM Anywhere to be able to find them. USM Anywhere automatically discovers Azure logs and displays them in the Scheduler (System Configuration > Scheduler).
Note: What an Insight Log scans depends on whether you granted contributor permissions to one of your resources or to your entire Azure subscription for the USM Anywhere application.
Give access to individual resource groups or the whole subscription. For details, see Creating an Application and Obtaining Azure Credentials.
To schedule a job to process Azure REST Monitor events (or find Azure virtual machines)
1. From System Configuration > Scheduler, locate the USM Anywhere Azure Sensor you want to run the log for and, within the far-right column, select Enable.
2. In the Schedule New Job dialog box, complete the fields as shown below:
a. Name — Give the job a name.
b. Description — Describe the job in such a way that others easily understand what it does.
c. Select App — Select the Azure sensor to scan.
d. App Action — From the list, select the appropriate action to take, for example, Process Azure Insight Logs.
e. Schedule — Select whether you want the job to occur within increments of minutes, hours, daily, weekly, monthly, or yearly. Then select the number, for example, every two hours or at a particular time of day, daily. (Time is UTC.)
f. Click Save.
USM Anywhere offers on-premises, cloud, and hybrid cloud deployment types. On-premises deployments use VMware ESXi and Microsoft Hyper-V sensors. Cloud deployments use Amazon Web Services (AWS) and Microsoft Azure sensors. Hybrid cloud deployments combine private and public cloud sensors.
You need access to VMware ESXi 5.1 or later, four cores, 12 GB of memory, 150 GB of disk space, Internet connectivity, and administrative credentials for devices from which you want to forward logs. Port mirroring setup is also required for network monitoring.
Navigate to Network Configuration > Configure Management Interface > Set a Static Management IP Address and enter the IP Address, subnet, and gateway information.
After obtaining the IP address of your USM Anywhere web portal, you must provision your USM Anywhere instance from the AlienVault Secure Cloud. Open a web browser and enter the IP address. Click Start Setup, and use the initial Authentication Code (starts with a "C") to register the sensor and provision the instance.
The Setup Wizard guides you through the initial configuration of your USM Anywhere Sensor. You can access it by clicking Get Started on the WELCOME TO USM ANYWHERE page, or by selecting SETTINGS > DEPLOYMENT and clicking the configure icon for the sensor.