Requirements for AWS Sensor Deployment
USM Anywhere deploys the Amazon Web Services (AWS) Sensor in the Amazon Elastic Compute Cloud (EC2) platform through the Amazon Virtual Private Cloud (VPC).
This table includes the requirements for the AWS Sensor deployment.
AWS Sensor Deployment Requirements

| Requirement | Description |
| --- | --- |
| m5.large instance | An m5.large instance in an Amazon VPC. |
| 100GB EBS /data volume | The Amazon Elastic Block Store (EBS) provides short-term storage for your data as it is processed. A 100GB Amazon EBS /data volume is designated as the default size for optimal performance. |
| Internet connection to the USM Anywhere secure cloud | Review the Sensor Ports and Connectivity for more information. |
Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) throughput a sensor can process varies.
Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.
Note: Support for AWS classic sensor has been deprecated. Only virtual private cloud (VPC) deployments are supported.
AWS Sensor Deployment Regions
The AWS Sensor is deployed in one of the AWS endpoint regions based on your location. The following table lists the code and name of each region.
Important: The Update Server and the AlienVault Agent always use the 3.235.189.112/28 range no matter where your USM Anywhere is deployed. The AT&T TDR for Gov Update Server uses the 3.32.190.224/28 range.
AWS Regions for AWS Sensor Deployment

| Region Code | Region Name |
| --- | --- |
| ap-northeast-1 | Asia Pacific (Tokyo) |
| ap-northeast-2 | Asia Pacific (Seoul) |
| ap-northeast-3 | Asia Pacific (Osaka) |
| ap-south-1 | Asia Pacific (Mumbai) |
| ap-southeast-1 | Asia Pacific (Singapore) |
| ap-southeast-2 | Asia Pacific (Sydney) |
| ca-central-1 | Canada (Central) |
| eu-central-1 | Europe (Frankfurt) |
| eu-north-1 | Europe (Stockholm) |
| eu-west-1 | Europe (Ireland) |
| eu-west-2 | Europe (London) |
| eu-west-3 | Europe (Paris) |
| sa-east-1 | South America (São Paulo) |
| us-east-1 | US East (N. Virginia) |
| us-east-2 | US East (Ohio) |
| us-west-1 | US West (N. California) |
| us-west-2 | US West (Oregon) |
Note: Though your sensor is deployed to one region, it monitors all regions, pulling assets, logs, and other data regardless of region.
Application Service Dependencies
With the AWS CloudFormation Template provided by AT&T Cybersecurity, you can automatically deploy USM Anywhere as a service into your environment. Review the following tables for information about the outbound and inbound IP addresses, ports, and services used by USM Anywhere.
Note: To launch the USM Anywhere Sensor web UI during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.
The following tables list the inbound and outbound ports.
Sensor Ports and Connectivity (Outbound Ports)

| Protocol | Port | Destination | Description |
| --- | --- | --- | --- |
| TCP | 443 | update.alienvault.cloud | Communication with AT&T Cybersecurity for initial setup and future updates of the sensor. |
| TCP | 443 | reputation.alienvault.com | Ongoing communication with AT&T Alien Labs™ Open Threat Exchange® (OTX™). |
| TCP | 443 | otx.alienvault.com | Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended. OTX uses Amazon CloudFront. Refer to the AWS IP address ranges page when you deploy a new sensor; it contains the current IP address ranges for the service and instructions on how to filter the addresses. |
| TCP | 443 | Your USM Anywhere subdomain .alienvault.cloud; your USM Anywhere subdomain .gov.alienvault.us (for AT&T TDR for Gov) | Ongoing communication with USM Anywhere. |
| SSL/TCP | 7100 | Your USM Anywhere subdomain .alienvault.cloud; your USM Anywhere subdomain .gov.alienvault.us (for AT&T TDR for Gov) | Ongoing communication with USM Anywhere. |
| UDP | 53 | DNS servers (Google by default) | Ongoing communication with USM Anywhere. |
| UDP | 123 | 169.254.169.123 | Sync with Network Time Protocol (NTP) services. |
| TCP | 22 and 443 | prod-usm-saas-tractorbeam.alienvault.cloud; prod-gov-usm-saas-tractorbeam.gov.alienvault.us (for AT&T TDR for Gov) | SSH communications with the USM Anywhere remote support server. See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console. |
| TCP | 443 | geoip-us-west-2-prod.alienvault.cloud, geoip-us-east-1-prod.alienvault.cloud, geoip-sa-east-1-prod.alienvault.cloud, geoip-eu-west-1-prod.alienvault.cloud, geoip-eu-west-2-prod.alienvault.cloud, geoip-eu-central-1-prod.alienvault.cloud, geoip-ca-central-1-prod.alienvault.cloud, geoip-ap-southeast-2-prod.alienvault.cloud, geoip-ap-northeast-1-prod.alienvault.cloud | Allows resolution of IP addresses for geolocation services. It is only necessary to whitelist the GeoIP address that corresponds to the region where your USM Anywhere instance is hosted. |
Important: A USM Anywhere Sensor deployed in AWS might require outbound access to specific AWS resources, based on the sensor app in use. For example, the AWS Sensor app must have the ability to connect to the AWS API (port 443). However, the actual API endpoint might be different depending on the service (such as Amazon Simple Storage Service [S3] or Amazon CloudWatch).
USM Anywhere normally gives systems explicit access to the AWS API.
Sensor Ports and Connectivity (Inbound Ports)

| Protocol | Port | Description |
| --- | --- | --- |
| SSH | 22 | Inbound method for secure remote login from a computer to USM Anywhere. |
| HTTP | 80 | Inbound communication for HTTP traffic. |
| UDP (RFC 3164) | 514 | USM Anywhere collects data through syslog over UDP on port 514 by default. |
| TCP (RFC 3164) | 601 | Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default. |
| TCP (RFC 5424) | 602 | USM Anywhere collects data through syslog over TCP on port 602 by default. |
| Traffic Mirroring | 4789 | Inbound communication for Virtual Extensible LAN (VXLAN). |
| WSMANS | 5987 | Inbound WBEM WS-Management HTTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS) (NXLog). |
| TLS/TCP (RFC 3164) | 6514 | USM Anywhere collects TLS-encrypted data through syslog over TCP on port 6514 by default. |
| TLS (RFC 5424) | 6515 | USM Anywhere collects data through syslog over TLS on port 6515 by default. |
| Graylog | 12201 | Inbound communication for Graylog Extended Log Format (GELF). |
Security Groups in Your AWS VPC
For sensor deployment in an AWS VPC, the AWS CloudFormation template automatically creates the security groups needed for network connectivity between the instances within the VPC. However, this does require that you manually assign the USMServicesSG security group to your hosts to enable access to the UDP port 514 so that the sensor can receive syslog packet transmissions.
See Enable Connections in an AWS VPC for more detailed information about these security groups.
AWS Services
USM Anywhere uses the following AWS services:
- Amazon CloudWatch
- AWS CloudTrail
- AWS Elastic Load Balancing (ELB)
- Amazon Simple Storage Service (S3)
- Amazon EC2
- AWS Identity and Access Management (IAM)
- Amazon GuardDuty
- Amazon Relational Database Service (RDS)
See IAM Roles and Permissions Required by Your AWS Sensor for a full description of the IAM roles and permissions that your AWS Sensor requires for these AWS services.
Note: USM Anywhere uses us-east-1 as a default region in the amazon-aws app. As a result, you might want to verify whether your Sensors are communicating with us-east-1, even if you have never deployed to that region.
USM Anywhere IP Addresses for Whitelisting
Your sensor is connected to a USM Anywhere instance deployed in one of the Amazon Web Services (AWS) endpoint regions based on your location. If you need to configure your firewall to allow communication between the sensor and the USM Anywhere instance, refer to the following table with the reserved IP address ranges for each region.
Important: The Update Server and the AlienVault Agent always use the 3.235.189.112/28 range no matter where your USM Anywhere is deployed. The AT&T TDR for Gov Update Server uses the 3.32.190.224/28 range.
The regional IP ranges listed in this table are limited to the Control Nodes (subdomain). You must also meet all requirements provided in the Sensor Ports and Connectivity (Outbound Ports) table.
AWS Regions Where USM Anywhere Instance Is Available

| Region Code | Region Name | Reserved IP Address Ranges |
| --- | --- | --- |
| ap-northeast-1 | Asia Pacific (Tokyo) | 18.177.156.144/28, 3.235.189.112/28, 44.210.246.48/28 |
| ap-south-1 | Asia Pacific (Mumbai) | 3.7.161.32/28, 3.235.189.112/28, 44.210.246.48/28 |
| ap-southeast-2 | Asia Pacific (Sydney) | 3.25.47.48/28, 3.235.189.112/28, 44.210.246.48/28 |
| ca-central-1 | Canada (Central) | 3.96.2.80/28, 3.235.189.112/28, 44.210.246.48/28 |
| eu-central-1 | Europe (Frankfurt) | 18.156.18.32/28, 3.235.189.112/28, 44.210.246.48/28 |
| eu-west-1 | Europe (Ireland) | 3.250.207.0/28, 3.235.189.112/28, 44.210.246.48/28 |
| eu-west-2 | Europe (London) | 18.130.91.160/28, 3.235.189.112/28, 44.210.246.48/28 |
| sa-east-1 | South America (São Paulo) | 18.230.160.128/28, 3.235.189.112/28, 44.210.246.48/28 |
| us-east-1 | US East (N. Virginia) | 3.235.189.112/28, 44.210.246.48/28 |
| us-west-2 | US West (Oregon) | 44.234.73.192/28, 3.235.189.112/28, 44.210.246.48/28 |
| us-gov-west-1 | AWS GovCloud (US-West) | 3.32.190.224/28 |
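The following is an added example (not part of the AT&T Cybersecurity documentation) that turns the regional ranges above, plus the NTP address and GeoIP hostnames from the outbound ports table, into an allowlist helper and runs it over constructed VPC flow log records to label the sensor's egress. The function names, the sensor address 10.0.1.25 and the sample log lines are this example's own assumptions.

```python
"""Allowlist helper for a USM Anywhere Sensor's outbound traffic (added example)."""
import ipaddress

# Ranges present in every commercial-region row of the table above
# (3.235.189.112/28 is also the Update Server / AlienVault Agent range).
COMMON = ["3.235.189.112/28", "44.210.246.48/28"]

# Region-specific Control Node range from the table above. us-east-1 has
# nothing beyond COMMON; GovCloud lists only its own range.
REGIONAL = {
    "ap-northeast-1": ["18.177.156.144/28"],
    "ap-south-1": ["3.7.161.32/28"],
    "ap-southeast-2": ["3.25.47.48/28"],
    "ca-central-1": ["3.96.2.80/28"],
    "eu-central-1": ["18.156.18.32/28"],
    "eu-west-1": ["3.250.207.0/28"],
    "eu-west-2": ["18.130.91.160/28"],
    "sa-east-1": ["18.230.160.128/28"],
    "us-east-1": [],
    "us-west-2": ["44.234.73.192/28"],
    "us-gov-west-1": ["3.32.190.224/28"],
}

# Regions that have a GeoIP endpoint in the outbound ports table.
GEOIP_REGIONS = {"us-west-2", "us-east-1", "sa-east-1", "eu-west-1", "eu-west-2",
                 "eu-central-1", "ca-central-1", "ap-southeast-2", "ap-northeast-1"}

NTP_SERVER = "169.254.169.123"  # UDP 123, from the outbound ports table


def control_node_cidrs(region):
    """CIDRs to allow on TCP 443/7100 for a sensor whose instance is in `region`."""
    if region not in REGIONAL:
        raise KeyError(f"no USM Anywhere instance region listed for {region!r}")
    if region == "us-gov-west-1":
        return list(REGIONAL[region])
    return REGIONAL[region] + COMMON


def geoip_host(region):
    """GeoIP hostname to allow, or None when the table lists none for the region."""
    return f"geoip-{region}-prod.alienvault.cloud" if region in GEOIP_REGIONS else None


def classify_destination(region, dst_ip, dst_port, proto):
    """Label one outbound (dst_ip, dst_port, proto) tuple seen from the sensor."""
    addr = ipaddress.ip_address(dst_ip)
    if proto == "udp" and dst_port == 123 and dst_ip == NTP_SERVER:
        return "ntp"
    if proto == "udp" and dst_port == 53:
        return "dns"
    if proto == "tcp" and dst_port in (443, 7100) and any(
            addr in ipaddress.ip_network(c) for c in control_node_cidrs(region)):
        return "control-node"
    # Anything else is covered by a hostname-based rule (update server, OTX,
    # GeoIP, remote support) or is not expected from the sensor at all.
    return "review"


def classify_flow_log(region, sensor_ip, lines):
    """Classify egress records of a VPC flow log in the default 14-field format.

    Returns [(dst_ip, dst_port, proto, label), ...] for records whose source
    address is the sensor; header lines and other records are skipped.
    """
    proto_names = {"6": "tcp", "17": "udp"}
    out = []
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[0] == "version" or f[3] != sensor_ip:
            continue
        dst_ip, dst_port, proto = f[4], int(f[6]), proto_names.get(f[7], f[7])
        out.append((dst_ip, dst_port, proto,
                    classify_destination(region, dst_ip, dst_port, proto)))
    return out


# Constructed sample: three egress records from a sensor at 10.0.1.25 in eu-central-1.
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0abc 10.0.1.25 18.156.18.40 51000 7100 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0abc 10.0.1.25 169.254.169.123 44000 123 17 1 76 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0abc 10.0.1.25 203.0.113.9 51002 7100 6 4 240 1700000000 1700000060 ACCEPT OK",
]

if __name__ == "__main__":
    for row in classify_flow_log("eu-central-1", "10.0.1.25", SAMPLE_FLOW_LOG):
        print(row)
```

A "review" label on port 7100 is the case worth investigating, because that port is only expected to reach your USM Anywhere subdomain.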
Installation Prerequisites
Before you install the AWS Sensor, make sure you have the following prerequisites available.
Installation Prerequisites

| Prerequisite | Description |
| --- | --- |
| AWS CloudFormation template provided by AT&T Cybersecurity | The AWS CloudFormation template automatically creates all required AWS resources for deployment, including an IAM role and instance profile for use by the USM Anywhere Sensor instance. URLs for these templates are included in the Deploy the AWS Sensor instructions. |
| Privileged user account on AWS | To deploy the AWS CloudFormation template, you must have a privileged user account in AWS with permissions to create IAM resources. |
Multiple AWS Accounts or Amazon VPCs
If you have multiple AWS accounts, you must deploy the AWS Sensor in each AWS account that you want to monitor.
Amazon VPC enables you to launch AWS resources into a virtual network that you have defined. A single sensor can monitor an entire AWS account, even when it contains multiple Amazon VPCs.
Note: If you intend to use the USM Anywhere vulnerability scanner with the AWS Sensor, you must allow traffic from the sensor and the target instance you are scanning. You can usually accomplish this by using Amazon VPC peering (see the AWS documentation for more information).
Deploy the AWS Sensor
After you review the requirements and make sure that your Amazon Web Services (AWS) environment is configured as needed, you can deploy the AWS Sensor. Using the AWS CloudFormation Template provided by AT&T Cybersecurity, you automatically deploy USM Anywhere as a service into your environment.
The following procedure describes how to launch the AWS Sensor when provisioning the USM Anywhere service for the first time. In this process, you launch the USM Anywhere product from the AWS Management Console using the AWS CloudFormation template.
Important: If you are using these instructions to redeploy an existing AWS Sensor, your IP address will not be the same as for your previous sensor. After these steps are complete, you must also update any syslog or NXLog log collection, and any port mirroring to use the new IP address.
Note: Support for AWS classic sensor has been deprecated. Only virtual private cloud (VPC) deployments are supported.
To create a new sensor in the AWS Management Console
- Log in to the AWS Management Console.
- Under Find Services, enter a name, keyword, or acronym to launch the AWS CloudFormation service page.
- In the upper right corner, click Create stack, and then select With new resources (standard).
- Go to the USM Anywhere Sensor Downloads page, click the icon of your specific sensor, and copy the URL.
- Use the copied URL in the Amazon Simple Storage Service (S3) URL field.
- Click Next, and then click Next again to continue.
- On the Specify stack details page, in the Stack name text box, enter a name to identify the stack.
  The name must be one word. Use hyphens if desired. For example, you could call the stack "USM-sensor-1".
- Set parameters for the AWS Sensor:
  Note: The volume size should be prefilled. You can leave this setting at the default value.
  - In the USM Anywhere Sensor Name text box, enter a name for the sensor. This is usually the same as the stack name.
  - In the Key Name list, select the key pair that allows SSH connections to the sensor. See the AWS documentation, Create or import a key pair, for more information.
  - In the Traffic Mirroring Mode list, select Yes to deploy a sensor ready for VPC traffic mirroring, or select No to deploy a sensor without those additional considerations.
    Note: See Enabling VPC Traffic Mirroring for more information on this feature.
  - In the HTTP Access Range text box, specify the IP address range that is allowed HTTP access to the sensor.
  - In the SSH Access Range text box, specify the IP address range that is allowed SSH access to the sensor.
- Click Next.
- Select the appropriate VPC ID and subnet ID, specify whether to use a public or private IP address, and then click Next.
  Important: If you choose to deploy your sensor with a public IP address, the subnet you select must have Auto-assign public IPv4 address enabled.
- (Optional.) On the Configure stack options page, set tags for the instance, and then click Next.
- On the Review page, select the checkbox at the bottom of the page next to the statement "I acknowledge that AWS CloudFormation might create IAM resources."
- Click Create stack.
- On the Stacks page, confirm that the status of your newly created stack reads:
  CREATE_IN_PROGRESS
  Stack creation typically takes about 15 minutes. When the stack build is complete, you see the following confirmation:
  CREATE_COMPLETE
  Note: See the Troubleshooting CloudFormation page for more information about possible errors with your AWS CloudFormation stack.
- After your new stack is complete, click the Outputs tab and locate the URL.
  This URL is based on the public IPv4 address of your deployed sensor (http://<ip-address>). Make note of this address so that you have it when configuring your data sources to send data to the AWS Sensor.
  See the AWS documentation for more information about managing public IPv4 addresses.
- Click the URL link to launch the USM Anywhere Sensor Setup page.
Connect the AWS Sensor to USM Anywhere
After deploying the Amazon Web Service (AWS) Sensor, you must connect it to USM Anywhere through registration.
Obtain the Authentication Code
You must enter an authentication code when registering the USM Anywhere Sensor. How to obtain the authentication code depends on your USM Anywhere instance and whether this is the first sensor you're deploying.
Instructions for USM Anywhere customers:
If this is your first USM Anywhere Sensor, you must register the sensor using the initial authentication code (starts with a "C") received from AT&T Cybersecurity. With this code, the registration process provisions a new USM Anywhere instance and defines its attributes, such as how many sensors to allow for connection, how much storage to provide, and what email address to use for the initial user account. After registration, you will gain access to the sensor through the USM Anywhere web user interface (UI), where you can complete the sensor setup.
If you are deploying additional sensors, you must generate the authentication code (starts with an "S") for the registration. See Adding a New Sensor for more information.
Instructions for AT&T TDR for Gov customers:
AT&T Cybersecurity has already provisioned the AT&T Threat Detection and Response for Government (AT&T TDR for Gov) instance for you, so you won't receive an authentication code for your sensor. This is true regardless of whether it's the first sensor or an additional sensor you're deploying. However, for the first sensor, you'll receive a link to access your instance.
For every sensor you deploy, you must generate an authentication code (starts with an "S") for the registration. See Adding a New Sensor for more information.
Register Your Sensor
You perform this procedure after deploying the USM Anywhere Sensor within your AWS account. The URL link is displayed after you create the USM Anywhere Sensor stack and the instance is running in your AWS account.
To register your sensor
- Click the URL displayed for the running stack in the AWS console.
  This opens the Welcome to USM Anywhere Sensor Setup page, which prompts you to provide the information for registering the sensor with your new USM Anywhere instance.
- Enter a sensor name and sensor description.
- Paste the authentication code into the field with the key icon.
- Click Start Setup to start the process of connecting the USM Anywhere Sensor.
  It takes about 20 minutes to provision your USM Anywhere instance upon registration of your initial sensor. When this instance is provisioned and running, you'll see a welcome message that provides an access link.
  Use this link to open the secured web console for your USM Anywhere instance. You and the other USM Anywhere users in your organization can access this console from a web browser on any system with internet connectivity.
  Note: If this is your first deployment, you'll also receive an email from AT&T Cybersecurity that provides the access link to USM Anywhere.
When you link to a newly provisioned USM Anywhere instance, you must configure the password for the initial user account. This is the default administrator as defined in your subscription.
To configure login credentials
- In the welcome message, click the link.
  This displays a prompt to set the password to use for the default administrator of USM Anywhere.
- Enter the password, and then enter it again to confirm.
  Keep in mind these points when you are logging in:
  - The login credentials that you set will apply to any USM Anywhere™ and USM Central™ you have access to.
  - USM Anywhere requires all passwords to have a minimum length of 8 characters and a maximum length of 128 characters.
  - The password must contain numerical digits (0-9).
  - The password must contain uppercase letters (A-Z).
  - The password must contain lowercase letters (a-z).
  - The password must contain special characters, such as hyphen (-) and underscore (_).
  Note: USM Anywhere passwords expire after 90 days. When your password expires, USM Anywhere enforces a password change when you next log in. A new password must be different from the previous four passwords. After 45 days of inactivity, your user account will be locked. Manager users can unlock inactive accounts.
- Click Save & Continue.
- When the login page opens, enter the password you just set and click Login.
Verify That Your Sensor Is Running
It's a good idea to verify that the USM Anywhere Sensor is running. It also gives you the chance to watch the sensor actively working to find all of your assets and to record events from the start.
Note: Verify that the sensor is running before performing the configuration. You can keep one web browser tab with the Welcome to USM Anywhere page in the background while you perform the verification on a different tab.
To verify that your new sensor is running
- In USM Anywhere, go to Data Sources > Sensors.
  You should now see your sensor on the page. See USM Anywhere Sensor Management for more information.
- After a few minutes, USM Anywhere locates your assets and starts generating events.
  You can review the activity in two locations:
  - From the primary task bar, select Environment > Assets.
  - From the primary task bar, select Activity > Events.
  Note: It could take up to six minutes before events appear. Make sure to refresh your browser from time to time to display the current data.
See Asset List View for more information about the Assets pages. See Events List View for more information about the Events pages.
Complete the AWS Sensor Setup
After you initialize a new USM Anywhere Sensor, you must configure it in the Setup Wizard. As you configure the sensor, you can enable USM Anywhere to perform specific actions through scheduled jobs, such as running an asset discovery scan or collecting security events from a predefined cloud storage location.
About Accessing the Setup Wizard
The Setup Wizard is accessible under the following circumstances:
- After you first log in to the USM Anywhere web user interface (UI) and see the Welcome to USM Anywhere page, click Get Started to launch the Setup Wizard.
- If you have already registered one USM Anywhere Sensor but did not complete the setup before logging out, the USM Anywhere Sensor Configuration page launches automatically at your next login to remind you to finalize configuration of the sensor. From that page, you click Configure to launch the Setup Wizard and complete the sensor configuration.
- If you registered an additional USM Anywhere Sensor, but did not complete the setup, the Sensors page displays an error icon in the Configured column. See Sensors Page Overview for more information.
  Go to Data Sources > Sensors, and then click the sensor name to complete the sensor configuration. See USM Anywhere Sensor Management for more information.
Configuring the Sensor in the Setup Wizard
The first time you log in from the Welcome to USM Anywhere web page, the Setup Wizard prompts you to complete the configuration of the first deployed sensor. Thereafter, you can use the Sensors page to configure an additional sensor or to change the configuration options for a deployed sensor. See Sensors Page Overview for more information.
The Amazon Web Services Configuration page provides information about the asset discovery that occurs upon the initial deployment of the USM Anywhere Sensor, summarizing the number of instances, instance types, and regions in your environment.
Click Next to proceed with the Setup Wizard and complete additional configuration on each page.
Network Security Monitoring
The Network Security Monitoring page shows the status of the network interfaces monitored by the sensor (it could take a few moments to load the interfaces). All network adapters are configured for network monitoring by default.
You must manually enable port mirroring or port spanning, promiscuous mode, or both in a virtual switch to send a copy of the network traffic you want to analyze to these interfaces. This page provides links to documentation about how to configure your networking to allow for the interfaces to see the network traffic and perform network intrusion detection.
USM Anywhere connectivity and communications are handled by the first network interface connection on the Network Security Monitoring page. This is the primary network that provides asset scanning and log collection for the particular network.
You can connect additional interfaces to other networks for monitoring, or connect them to individual vSwitch port groups for virtual networks. Each interface should be connected to a vSwitch that mirrors a different subnet within your network.
Use this page to verify that USM Anywhere can monitor your network traffic for security events.
Note: You can see red X icons next to the interfaces if the port mirroring or promiscuous mode is not configured. You might also see these icons if the network interfaces have not seen any traffic in the past 30 seconds.
To access detailed information about virtual private cloud (VPC) traffic mirroring
- Click How do I set up VPC traffic mirroring?
  This opens a dialog box.
  If you have not yet set up VPC traffic mirroring, see VPC Traffic Mirroring with an AWS Sensor for more information.
- Click Next.
AWS Log Collection
USM Anywhere automatically discovers several out-of-box logs, as long as you have enabled them within your Amazon Web Services (AWS) subscription. See AWS Log Discovery and Collection in USM Anywhere for more information about these logs and how they function within the AWS environment.
To enable the Amazon Simple Storage Service (S3) and Amazon CloudWatch out-of-box log collection jobs
- Locate the jobs you want to enable and click the icon.
  This turns the icon green.
Note: You can also enable AWS CloudTrail logs, Amazon Elastic Load Balancing (ELB) access logs, and other security logs. However, make sure you've enabled these first on your AWS account.
Log Management
The Log Management page lists the syslog port numbers. (These ports are the same for all USM Anywhere Sensors.)
USM Anywhere collects third-party device, system, and application data through syslog over UDP on port 514 and over TCP on ports 601 or 602 by default. It collects Transport Layer Security (TLS)-encrypted data through TCP on ports 6514 or 6515 by default. These ports support the RFC 3164 and RFC 5424 formats. To configure any third-party devices to send data to USM Anywhere, you must provide the IP address and the port number of your USM Anywhere Sensor.
To enable log collection and configure your log management
- Make sure that you have granted the necessary permissions for your OS to allow USM Anywhere to access its logs. You can also integrate a wide variety of data sources to send log data over syslog to the USM Anywhere Sensor.
  To learn how to configure your operating systems and supported third-party devices to forward syslog log data, see the following related topics:
  - The Syslog Server Sensor App: Log collection (UDP, TCP, and TLS-encrypted TCP) from rsyslog
  - Collecting Linux System Logs: Log collection from a Linux system
  - Collecting Windows System Logs: Log collection from a Windows system
  - The specific AlienApp in USM Anywhere, for instructions about syslog forwarding
  Note: Because the log scan can take some time, you might not see all of the automatically discovered log sources immediately after deploying the first USM Anywhere Sensor.
- When you have finished the log collection setup and integrated any needed plugins, verify that the data transfer is occurring.
- Click Next when this step is complete.
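To check that the sensor is actually receiving syslog on the ports described in this section, here is an added example (not part of the AT&T Cybersecurity documentation) that formats a test record in RFC 3164 or RFC 5424 according to the target port and sends it over UDP, TCP, or TLS. The sensor address (read from the USM_SENSOR_IP environment variable), the newline framing used on TCP and TLS, and the sample facility, hostname and message values are this example's own assumptions.

```python
"""Send test syslog records to a USM Anywhere Sensor (added example)."""
import os
import socket
import ssl
from datetime import datetime, timezone

# Sensor port -> (transport, syslog format), from the Log Management section.
SENSOR_PORTS = {
    514: ("udp", "rfc3164"),
    601: ("tcp", "rfc3164"),
    602: ("tcp", "rfc5424"),
    6514: ("tls", "rfc3164"),
    6515: ("tls", "rfc5424"),
}

# Fixed timestamp so the formatted output is reproducible (constructed value).
SAMPLE_TIME = datetime(2024, 3, 5, 9, 7, 2, tzinfo=timezone.utc)


def pri(facility, severity):
    """PRI = facility * 8 + severity, shared by RFC 3164 and RFC 5424."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def rfc3164(facility, severity, hostname, tag, msg, when):
    """BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    RFC 3164 pads a single-digit day with a space, not a zero.
    """
    ts = when.strftime("%b %d %H:%M:%S")
    if ts[4] == "0":
        ts = ts[:4] + " " + ts[5:]
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {msg}"


def rfc5424(facility, severity, hostname, app, msg, when, procid="-", msgid="-"):
    """RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.

    Structured data is the NILVALUE '-'; the timestamp is UTC to the millisecond.
    """
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return f"<{pri(facility, severity)}>1 {ts} {hostname} {app} {procid} {msgid} - {msg}"


def build(port, facility, severity, hostname, tag, msg, when=None):
    """Return (transport, line) formatted correctly for the given sensor port."""
    if port not in SENSOR_PORTS:
        raise ValueError(f"port {port} is not a USM Anywhere syslog port")
    transport, fmt = SENSOR_PORTS[port]
    when = when or datetime.now(timezone.utc)
    formatter = rfc3164 if fmt == "rfc3164" else rfc5424
    return transport, formatter(facility, severity, hostname, tag, msg, when)


def send(sensor_ip, port, transport, line, cafile=None):
    """Deliver one record. TCP and TLS use newline (non-transparent) framing."""
    data = line.encode("utf-8")
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (sensor_ip, port))
        return
    sock = socket.create_connection((sensor_ip, port), timeout=5)
    if transport == "tls":
        # Verify the sensor's certificate against cafile (or the system store).
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=sensor_ip)
    with sock:
        sock.sendall(data + b"\n")


if __name__ == "__main__":
    # Set USM_SENSOR_IP to the address shown on the stack's Outputs tab.
    sensor = os.environ.get("USM_SENSOR_IP")
    for port in (514, 602):
        transport, line = build(port, 1, 6, "web01", "sshd", "Accepted publickey for ops")
        print(transport, port, line)
        if sensor:
            send(sensor, port, transport, line)
```

After sending, the record should appear under Activity > Events within a few minutes; if it does not, the USMServicesSG security group assignment and the sensor's inbound rules are the first things to check.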
OTX
AT&T Alien Labs™ Open Threat Exchange® (OTX™) is an open information-sharing and analysis network providing users with the ability to collaborate, research, and receive alerts on emerging threats and indicators of compromise (IoCs) such as IP addresses, file hashes, and domains.
You must have an OTX account to receive alerts based on threats identified in OTX. This account is separate from your USM Anywhere account. Go to The World’s First Truly Open Threat Intelligence Community to create an OTX account.
Note: If you do not already have an OTX account, click the Sign up link. This opens another browser tab or window that displays the OTX signup page. After you confirm your email address, you can log in to OTX and retrieve the unique API key for your account.
See Open Threat Exchange® and USM Anywhere for more information about OTX integration in USM Anywhere.
To enable USM Anywhere to evaluate event data against the latest OTX intelligence
- Log in to OTX and open the API page (https://otx.alienvault.com/api).
- In the DirectConnect API Usage pane, click the icon to copy your unique OTX connection key.
- Return to the Open Threat Exchange (OTX) page of the USM Anywhere Sensor Setup Wizard and paste the value in the OTX Key text box.
- Click Validate OTX Subscription Key.
  With a successful validation of the key, the status at the top of the page changes to "Valid OTX key".
- Click Next when this task is complete.
Setup Complete
The Congratulations page summarizes the status of your configuration.
Click Start Using USM Anywhere, which takes you to the Overview dashboard.