Requirements for Azure Sensor Deployment
To ensure that you can successfully deploy USM Anywhere in your Microsoft Azure subscription and monitor all of your Azure resources, make sure you have the following available in your Azure environment:
Note: You can deploy a single USM Anywhere Sensor to monitor all of your Azure resource groups. To do this, you must assign the application you create to the entire subscription.
Administrative access to Active Directory (AD) within Azure.
This AD access enables you to create the application that USM Anywhere requires in order to add resource groups or an entire subscription for monitoring.
A virtual network inside the resource group.
A subnet inside the virtual network.
A storage account.
Important: USM Anywhere does not support Azure Classic accounts.
Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) throughput a sensor can process varies.
Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.
Warning: Be sure not to install any application outside of those already provided within your image where you are deploying your Azure Sensor.
You may want to check your system for automatically installed applications, such as OMIAgent, which must be uninstalled. Left uninstalled, such applications may make your environment or your sensor unstable.
Sensor Ports and Connectivity
Note: To launch the USM Anywhere Sensor web UI during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.
The following tables list the inbound and outbound ports.
Sensor Ports and Connectivity (Outbound Ports)
| Protocol | Port | Destination | Description |
| --- | --- | --- | --- |
| TCP | 443 | update.alienvault.cloud | Communication with AT&T Cybersecurity for initial setup and future updates of the sensor. |
| TCP | 443 | reputation.alienvault.com | Ongoing communication with AT&T Alien Labs™ Open Threat Exchange® (OTX™). |
| TCP | 443 | otx.alienvault.com | Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended. OTX uses the AWS CloudFront service. Refer to the AWS IP address ranges page when you deploy a new sensor; it contains the current IP address ranges for the service and instructions on how to filter the addresses. |
| TCP | 443 | <your USM Anywhere subdomain>.alienvault.cloud; <your USM Anywhere subdomain>.gov.alienvault.us (for AT&T TDR for Gov) | Ongoing communication with USM Anywhere. |
| SSL/TCP | 7100 | <your USM Anywhere subdomain>.alienvault.cloud; <your USM Anywhere subdomain>.gov.alienvault.us (for AT&T TDR for Gov) | Ongoing communication with USM Anywhere. |
| UDP | 53 | DNS servers (Google default) | Ongoing communication with USM Anywhere. |
| UDP | 123 | 0.ubuntu.pool.ntp.org, 1.ubuntu.pool.ntp.org, 2.ubuntu.pool.ntp.org, 3.ubuntu.pool.ntp.org | Sync with network time protocol (NTP) services in the Azure Cloud. |
| TCP | 22 and 443 | prod-usm-saas-tractorbeam.alienvault.cloud; prod-gov-usm-saas-tractorbeam.gov.alienvault.us (for AT&T TDR for Gov) | SSH communications with the USM Anywhere remote support server. See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console. |
| TCP | 443 | <event-hub-namespace>.servicebus.windows.net | (Optional.) Connect to Microsoft Azure Event Hubs for log collection. Replace <event-hub-namespace> with the name of your Event Hubs namespace. If your environment includes additional services such as AMQP or Kafka, you may need to make additional ports available. See Microsoft's Troubleshooting Guide for detailed information about these potential additional port requirements. |
| TCP | 443 | geoip-us-west-2-prod.alienvault.cloud, geoip-us-east-1-prod.alienvault.cloud, geoip-sa-east-1-prod.alienvault.cloud, geoip-eu-west-1-prod.alienvault.cloud, geoip-eu-west-2-prod.alienvault.cloud, geoip-eu-central-1-prod.alienvault.cloud, geoip-ca-central-1-prod.alienvault.cloud, geoip-ap-southeast-2-prod.alienvault.cloud, geoip-ap-northeast-1-prod.alienvault.cloud | Allows resolution of IP addresses for geolocation services. It is only necessary to whitelist the GeoIP address that corresponds to the region where your USM Anywhere instance is hosted. |
Sensor Ports and Connectivity (Inbound Ports)
| Protocol | Port | Description |
| --- | --- | --- |
| SSH | 22 | Inbound method for secure remote login from a computer to USM Anywhere. |
| HTTP | 80 | Inbound communication for HTTP traffic. |
| UDP (RFC 3164) | 514 | USM Anywhere collects data through syslog over UDP on port 514 by default. |
| TCP (RFC 3164) | 601 | Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default. |
| TCP (RFC 5424) | 602 | USM Anywhere collects data through syslog over TCP on port 602 by default. |
| Traffic Mirroring | 4789 | Inbound communication for virtual extensible local area network (VXLAN). |
| WSMANS | 5987 | Inbound WBEM WS-Management HTTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS) (NXLog). |
| TLS/TCP (RFC 3164) | 6514 | USM Anywhere collects TLS-encrypted data through syslog over TCP on port 6514 by default. |
| TLS (RFC 5424) | 6515 | USM Anywhere collects data through syslog over TLS on port 6515 by default. |
| Graylog | 12201 | Inbound communication for Graylog Extended Log Format (GELF). |
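The inbound rules above have to be added to the sensor VM's network security group (NSG) by you, since Azure does not open them by default. The following Az PowerShell snippet is an added example, not part of the vendor documentation; the resource group, NSG name and the two source CIDRs are placeholders you must replace. It opens TCP 80 only to the range used for the one-time setup and the syslog listeners only to the range of the log-sending hosts, and shows how to close the setup port again afterwards.

```powershell
# Added example (not from the vendor documentation): inbound NSG rules for the
# USM Anywhere Sensor VM, limited to the source ranges that actually need them.
# Assumptions: Az.Network is installed, Connect-AzAccount has been run, and the
# names and CIDRs below are placeholders for your environment.
$rg        = "usm-sensor-rg"      # placeholder resource group
$nsgName   = "usm-sensor-nsg"     # placeholder NSG attached to the sensor NIC/subnet
$adminCidr = "203.0.113.0/24"     # placeholder: workstations used for initial setup
$logCidr   = "10.0.0.0/16"        # placeholder: VNet range of hosts that send syslog

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg

# TCP 80 is only needed to reach the Sensor Setup page; it is not needed from the
# Internet and should be removed once the sensor has connected to USM Anywhere.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "allow-setup-http" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $adminCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80 | Out-Null

# Syslog listeners from the inbound table: 514/udp, 601 and 602/tcp (plain),
# 6514 and 6515/tcp (TLS), restricted to the log-sending hosts.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "allow-syslog-udp" -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Udp `
    -SourceAddressPrefix $logCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 514 | Out-Null

$nsg | Add-AzNetworkSecurityRuleConfig -Name "allow-syslog-tcp" -Priority 120 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $logCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange @("601", "602", "6514", "6515") | Out-Null

# Commit the rule set to Azure
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# After the sensor is registered, close the setup port again:
# Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg |
#     Remove-AzNetworkSecurityRuleConfig -Name "allow-setup-http" |
#     Set-AzNetworkSecurityGroup
```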
USM Anywhere IP Addresses for Whitelisting
Your sensor is connected to a USM Anywhere instance deployed in one of the Amazon Web Services (AWS) endpoint regions based on your location. If you need to configure your firewall to allow communication between the sensor and the USM Anywhere instance, refer to the following table with the reserved IP address ranges for each region.
Important: The Update Server and the AlienVault Agent always use the 3.235.189.112/28 range no matter where your USM Anywhere is deployed. The AT&T TDR for Gov Update Server uses the 3.32.190.224/28 range.
The regional IP ranges listed in this table are limited to the Control Nodes (subdomain). You must also meet all requirements provided in the Sensor Ports and Connectivity (Outbound Ports) table.
AWS Regions Where USM Anywhere Instance Is Available
| Region | Location | IP address ranges |
| --- | --- | --- |
| ap-northeast-1 | Asia Pacific (Tokyo) | 18.177.156.144/28, 3.235.189.112/28, 44.210.246.48/28 |
| ap-south-1 | Asia Pacific (Mumbai) | 3.7.161.32/28, 3.235.189.112/28, 44.210.246.48/28 |
| ap-southeast-2 | Asia Pacific (Sydney) | 3.25.47.48/28, 3.235.189.112/28, 44.210.246.48/28 |
| ca-central-1 | Canada (Central) | 3.96.2.80/28, 3.235.189.112/28, 44.210.246.48/28 |
| eu-central-1 | Europe (Frankfurt) | 18.156.18.32/28, 3.235.189.112/28, 44.210.246.48/28 |
| eu-west-1 | Europe (Ireland) | 3.250.207.0/28, 3.235.189.112/28, 44.210.246.48/28 |
| eu-west-2 | Europe (London) | 18.130.91.160/28, 3.235.189.112/28, 44.210.246.48/28 |
| sa-east-1 | South America (São Paulo) | 18.230.160.128/28, 3.235.189.112/28, 44.210.246.48/28 |
| us-east-1 | US East (N. Virginia) | 3.235.189.112/28, 44.210.246.48/28 |
| us-west-2 | US West (Oregon) | 44.234.73.192/28, 3.235.189.112/28, 44.210.246.48/28 |
| us-gov-west-1 | AWS GovCloud (US-West) | 3.32.190.224/28 |
Azure Portal URLs for Proxy Bypass
The URL endpoints to whitelist on your Azure portal are specific to the Azure cloud where your environment is deployed. To allow network traffic to reach these endpoints, select your cloud environment, and then add the following list of URLs to your proxy server or firewall.
*.aadcdn.microsoftonline-p.com
*.aka.ms
*.applicationinsights.io
*.azure.com
*.azure.net
*.azureafd.net
*.azure-api.net
*.azuredatalakestore.net
*.azureedge.net
*.loganalytics.io
*.microsoft.com
*.microsoftonline.com
*.microsoftonline-p.com
*.msauth.net
*.msftauth.net
*.trafficmanager.net
*.usgovcloudapi.net (AT&T TDR for Gov only)
*.visualstudio.com
*.windows.net
*.windows-int.net
Deploy the USM Anywhere Sensor from the Azure Marketplace
After you review the requirements and make sure that your Microsoft Azure environment is configured as needed, you can deploy the USM Anywhere Sensor for Azure. AT&T Cybersecurity provides the virtual machine (VM) template for the sensor and makes it available through the Microsoft Azure Marketplace for easy deployment.
Note: Azure limits the availability of the Azure Marketplace to customers according to country. On the Marketplace FAQs page, the "Azure Marketplace for Customers" section provides a current list of supported countries.
To deploy a USM Anywhere Sensor from the Azure Marketplace
1. Go to the USM Anywhere Sensor Downloads page and click the icon of your specific sensor. If you are not already logged in to the Azure console, this link launches the Microsoft Azure Login page. Provide your Azure account credentials (username and password) and click Sign in.
On the page, review the details of the license and click Create.
This takes you to the Create a virtual machine page, which guides you through the steps for deploying the USM Anywhere Sensor VM.
On the Basics tab, specify the required fields for the VM:
Important: AT&T Cybersecurity recommends using sysadmin as the username. If you use a different name, you will need to "sudo up" to access the sensor console. See Checking Connectivity to the Remote Server for more information.
- Click Next : Disks.
- On the Disks tab, select Standard SSD as the disk type.
- Click Next : Networking.
On the Networking tab, select the virtual network or subnet upon which the USM Anywhere Sensor VM should be installed. Keep the other defaults.
Important: Make sure you install the USM Anywhere Sensor in the network that has sufficient connectivity to the assets that you want to monitor.
- Click Review + create to keep the defaults on the remaining tabs.
- On the Review + create tab, review your specifications and the cost summary.
Click Create.
This starts the deployment of the USM Anywhere Sensor, which can take up to six minutes.
After deployment finishes, click Go to resource or go to the overview page of the VM and locate its public IP address.
Paste the IP address into your browser to launch the USM Anywhere Sensor Setup page.
Important: This link requires that inbound port 80 is open for the sensor VM, which is not a default network setting on Azure. See Sensor Ports and Connectivity for more information.
Create an Application and Obtain Azure Credentials
To enable USM Anywhere to monitor your Microsoft Azure subscription, you must create an application that grants permission to USM Anywhere to fetch data using the Azure software development kit (SDK) and Azure Representational State Transfer (REST) API. USM Anywhere requires the following credentials:
Required Azure Credentials
| Field | Description |
| --- | --- |
| azure_tenant_id | Azure Tenant ID |
| azure_subscription_id | Azure Subscription ID |
| azure_application_id | Azure Application ID |
| azure_application_key | Azure Application Key |
The following instructions focus on the requirements for USM Anywhere. See the Microsoft documentation for detailed steps and descriptions of registering an application using the Azure portal, including a video demonstration.
Important: You must have global administrator privileges to create an application and obtain credentials.
Obtain the Azure Subscription ID
The subscription identifier (ID) is required when you complete the Azure Credentials step of the sensor setup in USM Anywhere.
To get the Azure subscription ID
From the Azure Dashboard, select your subscription.
From the Subscription page, copy your subscription ID and save it somewhere that you can access later.
Create the Application in Azure
To allow USM Anywhere to access Azure resources, you must first set up an Azure application and complete the Azure standard procedure for adding a new application registration. Then you can create a client secret for Azure AD.
To create the application in Azure
Log in to the Azure portal (https://portal.azure.com).
- Go to Azure Active Directory > App registrations > New registration.
- Enter a name for the application.
- In Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant).
- Click Register.
After the application is created, you can locate the application(client) ID, directory (tenant) ID, and object ID needed to complete the Azure Credentials step of the sensor setup in USM Anywhere.
Go to Certificates & secrets and click New client secret.
Enter a description for the secret and select a duration.
Click Add.
The value displayed in the Azure portal is the Azure Application Key used by USM Anywhere.
Important: Copy this value and save it because you won't be able to copy the key later.
Grant API Permissions
To let your application collect user information in your Azure environment, you need to grant Microsoft Graph API permissions.
To grant API permissions
- Log in to the Azure portal (https://portal.azure.com) and select your application.
Go to API Permissions and click Add a permission.
Select Microsoft Graph.
Select Application permissions and then User.Read.All. Use the search function to help locate the permissions.
Click Add Permissions.
These permissions require admin approval, so make sure to click Grant admin consent for.
Associate the Application with the Entire Subscription
If you want to use USM Anywhere to monitor all of your Azure resources, you should associate it with your Azure subscription as a whole.
To associate the application with the entire subscription
- Log in to the Azure portal (https://portal.azure.com).
- Go to More Services > Subscriptions, locate the subscription, and select it.
Select Access control (IAM) in the navigation list.
This displays the roles and permissions for the subscription.
At the top of the page, click Add.
Select the Reader role (recommended).
This role allows assigned users to fetch new Azure logs.
Warning: You must select the Contributor role if you want to collect Microsoft Internet Information Services (IIS), Azure SQL Server, or Windows logs.
- Select the application you created previously to assign the role to the subscription.
Click Save and OK.
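The three portal procedures above (app registration and client secret, the User.Read.All Graph permission, and the Reader role on the subscription) can also be carried out with the Az PowerShell module. The script below is an added example and is not the PowerShell script that AT&T Cybersecurity provides in the Setup Wizard; the application display name, the output path and the key=value file layout are assumptions, and it expects you to be signed in with Connect-AzAccount as a global administrator, as the page requires.

```powershell
# Added example (not the vendor-provided script): create the Azure application,
# secret, Graph permission and Reader role assignment described above, and write
# the four values that the Azure Credentials step of the sensor setup asks for.
# Assumptions: Az.Accounts and Az.Resources installed; Connect-AzAccount already run;
# the display name, output path and file layout below are this example's own choices.
param(
    [string]$AppName = "usm-anywhere-azure-sensor",                 # assumed display name
    [string]$OutFile = "$HOME\Desktop\USM_Anywhere_Azure_Credentials.txt"
)

$ctx = Get-AzContext
if (-not $ctx) { throw "Run Connect-AzAccount first." }
$tenantId       = $ctx.Tenant.Id
$subscriptionId = $ctx.Subscription.Id   # use Set-AzContext to pick another subscription

# 1. App registration, multitenant as in the portal procedure, plus its service principal
$app = New-AzADApplication -DisplayName $AppName -SignInAudience AzureADMultipleOrgs
$null = New-AzADServicePrincipal -ApplicationId $app.AppId

# 2. Client secret: SecretText is only returned at creation time, so capture it now
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)

# 3. Microsoft Graph application permission User.Read.All
#    00000003-0000-0000-c000-000000000000 is the Microsoft Graph API;
#    df021288-bdef-4463-88db-98f22de89214 is the User.Read.All application role.
Add-AzADAppPermission -ApplicationId $app.AppId `
    -ApiId 00000003-0000-0000-c000-000000000000 `
    -PermissionId df021288-bdef-4463-88db-98f22de89214 -Type Role

# 4. Reader on the whole subscription (least privilege; the page says Contributor is
#    required only for IIS, Azure SQL Server or Windows log collection).
#    The new service principal can take a moment to replicate, so retry briefly.
$scope = "/subscriptions/$subscriptionId"
for ($i = 0; $i -lt 6; $i++) {
    try {
        $null = New-AzRoleAssignment -ApplicationId $app.AppId `
            -RoleDefinitionName Reader -Scope $scope -ErrorAction Stop
        break
    } catch {
        if ($i -eq 5) { throw }
        Start-Sleep -Seconds 10
    }
}

# 5. Write the credentials. The secret is plaintext here: upload the file in the
#    wizard and delete it afterwards.
@"
azure_tenant_id=$tenantId
azure_subscription_id=$subscriptionId
azure_application_id=$($app.AppId)
azure_application_key=$($cred.SecretText)
"@ | Set-Content -Path $OutFile

Write-Host "Credentials written to $OutFile."
Write-Host "Now grant admin consent for User.Read.All in the portal (API permissions > Grant admin consent)."
```

Admin consent for the Graph permission has no Az cmdlet, so that step remains a portal action as described above.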
Connect the Azure Sensor to USM Anywhere
After deploying the Microsoft Azure Sensor, you must connect it to USM Anywhere through registration.
Obtain the Authentication Code
You must enter an authentication code when registering the USM Anywhere Sensor. How to obtain the authentication code depends on your USM Anywhere instance and whether this is the first sensor you're deploying.
Instructions for USM Anywhere customers:
If this is your first USM Anywhere Sensor, you must register the sensor using the initial authentication code (starts with a "C") received from AT&T Cybersecurity. With this code, the registration process provisions a new USM Anywhere instance and defines its attributes, such as how many sensors to allow for connection, how much storage to provide, and what email address to use for the initial user account. After registration, you will gain access to the sensor through the USM Anywhere web user interface (UI), where you can complete the sensor setup.
If you are deploying additional sensors, you must generate the authentication code (starts with an "S") for the registration. See Adding a New Sensor for more information.
Instructions for AT&T TDR for Gov customers:
AT&T Cybersecurity has already provisioned the AT&T Threat Detection and Response for Government (AT&T TDR for Gov) instance for you, so you won't receive an authentication code for your sensor. This is true regardless of whether you are deploying the first sensor or additional sensors. However, for the first sensor, you'll receive a link to access your instance.
For every sensor you deploy, you must generate an authentication code (starts with an "S") for the registration. See Adding a New Sensor for more information.
Register Your Sensor
You perform this procedure after deploying the USM Anywhere Sensor within your Azure subscription. The IP address link is displayed after you create the virtual machine (VM) and the instance is running in your Azure environment.
To register your sensor
Click the public IP address displayed for the running sensor VM in the Azure console.
Important: This link requires that inbound port 80 is open for the sensor VM, which is not a default network setting on Azure. See Sensor Ports and Connectivity for more information.
This opens the Welcome to USM Anywhere Sensor Setup page, which prompts you to provide the information for registering the sensor with your new USM Anywhere instance.
- Enter a sensor name and sensor description.
- Paste the authentication code into the field with the key icon.
Click Start Setup to start the process of connecting the USM Anywhere Sensor.
It takes about 20 minutes to provision your USM Anywhere instance upon registration of your initial sensor. When this instance is provisioned and running, you’ll see a welcome message that provides an access link.
Use this link to open the secured web console for your USM Anywhere instance. You and the other USM Anywhere users in your organization can access this console from a web browser on any system with internet connectivity.
Note: If this is your first deployment, you'll also receive an email from AT&T Cybersecurity that provides the access link to USM Anywhere.
When you link to a newly provisioned USM Anywhere instance, you must configure the password for the initial user account. This is the default administrator as defined in your subscription.
To configure login credentials
In the welcome message, click the link.
This displays a prompt to set the password to use for the default administrator of USM Anywhere.
Enter the password, and then enter it again to confirm.
Keep in mind these points when you are logging in:
- The login credentials that you set will apply to any USM Anywhere™ and USM Central™ you have access to.
- USM Anywhere requires all passwords to have a minimum length of 8 characters and a maximum length of 128 characters.
- The password must contain numerical digits (0-9).
- The password must contain uppercase letters (A-Z).
- The password must contain lowercase letters (a-z).
- The password must contain special characters, such as hyphen (-) and underscore ( _ ).
Note: USM Anywhere passwords expire after 90 days. When your password expires, USM Anywhere enforces a password change when you next log in. A new password must be different from the previous four passwords. After 45 days of inactivity, your user account will be locked. Manager users can unlock inactive accounts.
- Click Save & Continue.
When the login page opens, enter the password you just set and click Login.
Verify That Your Sensor Is Running
It's a good idea to verify that the USM Anywhere Sensor is running. It also gives you the chance to watch the sensor actively working to find all of your assets and to record events from the start.
Note: Verify that the sensor is running before performing the configuration. You can keep one web browser tab with the Welcome to USM Anywhere page in the background while you perform the verification on a different tab.
To verify that your new sensor is running
In USM Anywhere, go to Data Sources > Sensors.
You should now see your sensor in the page. See USM Anywhere Sensor Management for more information.
After a few minutes, USM Anywhere locates your assets and starts generating events.
You can review the activity in two locations:
- From the primary task bar, select Environment > Assets.
- From the primary task bar, select Activity > Events.
Note: It could take up to six minutes before events appear. Make sure to refresh your browser from time to time to display the current data.
See Asset List View for more information about the Assets pages. See Events List View for more information about the Events pages.
The Azure SQL Server job is deprecated. Use the Event Hub Integration to collect Azure SQL Server logs. See Collect Logs from Azure Event Hubs for more information.
Complete the Azure Sensor Setup
After you initialize a new USM Anywhere Sensor, you must configure it in the Setup Wizard. As you configure the sensor, you can enable USM Anywhere to perform specific actions through scheduled jobs, such as running an asset discovery scan or collecting security events from a predefined cloud storage location.
Accessing the Setup Wizard
The Setup Wizard is accessible under the following circumstances:
After you first log in to the USM Anywhere web user interface (UI) and see the Welcome to USM Anywhere page, click Get Started to launch the Setup Wizard.
If you have already registered one USM Anywhere Sensor but did not complete the setup before logging out, the USM Anywhere Sensor Configuration page launches automatically at your next login to remind you to finalize configuration of the sensor. From that page, you click Configure to launch the Setup Wizard and complete the sensor configuration.
If you registered an additional USM Anywhere Sensor, but did not complete the setup, the Sensors page displays an error icon in the Configured column. See Sensors Page Overview for more information. Go to Data Sources > Sensors, and then click the sensor name to complete the sensor configuration. See USM Anywhere Sensor Management for more information.
Configuring the Azure Sensor in the Setup Wizard
The first time you log in from the Welcome to USM Anywhere web page, the Setup Wizard prompts you to complete the configuration of the first deployed sensor. Thereafter, you can use the Sensors page to configure an additional sensor or to change the configuration options for a deployed sensor. See Sensors Page Overview for more information.
Azure Credentials
To complete the Microsoft Azure Sensor configuration, you must obtain Azure API credentials for the subscription that you want USM Anywhere to monitor. Select the option on the Azure Credentials page that matches your current Azure credential creation status:
If you already generated your Azure credentials, click Yes, I have my Azure credentials and am ready to enter them.
If you don't yet have your Azure credentials, click No, I don't have my Azure credentials and need to create them.
If you're not sure, click I am not sure. Show me how to create my Azure credentials.
If you select No or I am not sure, the page provides options for two creation methods, described in Generating the Azure Credentials for Windows Users and Creating the Azure Credentials Manually.
If you select Yes, follow the steps in Configuring the Azure Credentials After Manual Credential Generation.
Generating the Azure Credentials for Windows Users
To generate Azure Credentials for Microsoft Windows users
This procedure is for Windows users who want to use the provided PowerShell script to automatically generate their credentials for sensor configuration:
Select Create credentials automatically using a Power Shell script (Recommended).
The page automatically launches a download of the PowerShell script. You can use the browser tools to save the file to the appropriate location on your system.
Run the PowerShell script as administrator on your Windows operating system (OS) from the command-line interface (CLI) shell prompt.
Important: You won't be able to answer the prompts from the script if you use Windows PowerShell Integrated Scripting Environment (ISE) to run the script.
Note: If you have multiple Azure subscriptions, the script prompts you to identify which one you want USM Anywhere to monitor.
When the script finishes, it creates a text file that saves to your desktop.
In USM Anywhere, drop the Azure credentials text file onto the displayed page or click the select USM_Anywhere_Azure_Credentials.txt from your desktop link to locate, select, and upload the file.
Verify that the status at the top of the page displays the following message:
Valid Credentials
Creating the Azure Credentials Manually
To create the Azure credentials manually
Select Learn how to create Azure credentials manually.
This opens the Create an Application and Obtain Azure Credentials page in a new browser tab or window.
- Follow the instructions for creating the needed credentials.
- Return to USM Anywhere, then click the Back button to display the first Azure Credentials page.
Configuring the Azure Credentials After Manual Credential Generation
To configure the Azure credentials after they were generated manually
Note: This procedure is for non-Windows users who generated their Azure credentials manually and who are ready to configure the sensor.
- Select the Yes option, and in the next page click the Enter previously created Azure credentials manually link at the bottom of the page.
Enter the Azure API credentials you generated in the Azure console into the appropriate fields.
- Click Save Credentials.
Verify that the status at the top of the page displays the following message:
Valid Credentials
When the credentials are configured, click Next. The wizard displays the next page in the setup process, Azure Configuration.
Azure Configuration
After you've successfully configured the Azure credentials, the Azure Configuration page opens. This page summarizes the number of Azure virtual machines (VMs), resource groups, and VM sizes in your environment.
Important: If you are using VM scale sets to provide redundancy and load balancing in your Azure environment, the Azure Sensor does not automatically discover the scale set hosts through network scans. It does collect syslog from these hosts, but you must manually add the VMs to the USM Anywhere asset inventory.
See the Azure documentation for more information about virtual machine scale sets. See Adding Assets in the UI for detailed information about adding these VMs to the asset inventory.
Click Next.
The wizard displays the next page in the setup process, Azure Log Collection.
Azure Log Collection
The Azure Log Collection page displays the following Azure logs that are automatically discovered by USM Anywhere in your environment:
Important: The Azure SQL Server job is deprecated. Use the Event Hub Integration to collect Azure SQL Server logs. See Collect Logs from Azure Event Hubs for more information.
See Azure Log Discovery and Collection in USM Anywhere for more information about Azure log discovery and collection.
To enable these out-of-box Azure log collection jobs, toggle the gray Enable icon so that it turns green. When you enable any of these log collection jobs, USM Anywhere starts collecting the log data immediately according to the preconfigured frequency. See Create a New Azure Log Collection Job if you want to add other Azure log collection jobs after the sensor configuration, including jobs for Azure Web Apps.
Note: If you go to Activity > Events in USM Anywhere post-configuration, you can see all of the events associated with each log type, including its Event ID and many other useful details. You can also review related log collection jobs in the Job Scheduler page (Settings > Scheduler). See Events List View and USM Anywhere Scheduler for more information.
After you enable each job that you want, click Next.
The wizard displays the next page in the setup process, Active Directory.
Active Directory
The optional Active Directory (AD) setup page configures USM Anywhere to collect information from your AD account. To monitor Microsoft Windows systems effectively, USM Anywhere needs access to the AD server to collect inventory information.
Note: This configuration is only for one AD server. If you want to scan different AD servers, you must create an AD scan job for each of them. See Scheduling Active Directory Scans from the Job Scheduler Page for more information.
AT&T Cybersecurity recommends that you create a dedicated AD account with membership in the Domain Admins group to be used by USM Anywhere to log in to the Windows systems. You also need to activate Microsoft Windows Remote Management (WinRM) in the domain controller and in all the hosts that you want to scan. You can do this by using a group policy for all the systems in your AD.
Important: Before this feature is fully functional, you must configure access to the USM Anywhere Sensor on the AD server. See Granting Access to Active Directory for USM Anywhere for more information.
To complete the AD access configuration
Provide the AD credentials for USM Anywhere:
Active Directory IP Address: Enter the IP address for the AD server.
Username: Enter the username of the administrator account that USM Anywhere will use.
Password: Enter the password for that administrator account.
Domain: Enter the domain for the AD instance.
Click Scan Active Directory.
After a successful launch of the scan, a confirmation dialog box opens.
Click Accept.
The scan continues in the background.
Upon completion, another dialog box opens and provides information about the number of assets USM Anywhere discovered. It also prompts you to decide if you want to scan for hosts and services running in your environment.
Click Cancel to opt out of this scan.
(Optional.) If you want to scan for other hosts and services, click OK.
Click Next after the scan ends.
The wizard opens the next page in the setup process, Log Management.
Log Management
The Log Management page lists the syslog port numbers. (These ports are the same for all USM Anywhere Sensors.)
USM Anywhere collects third-party device, system, and application data through syslog over UDP on port 514 and over TCP on ports 601 or 602 by default. It collects Transport Layer Security (TLS)-encrypted data through TCP on ports 6514 or 6515 by default. These ports support the RFC 3164 and RFC 5424 formats. To configure any third-party devices to send data to USM Anywhere, you must provide the IP address and the port number of your USM Anywhere Sensor.
To enable log collection and configure your log management
- Make sure that you have granted the necessary permissions for your OS to allow USM Anywhere to access its logs. You can also integrate a wide variety of data sources to send log data over syslog to the USM Anywhere Sensor.
To learn how to configure your operating systems and supported third-party devices to forward syslog log data, see the following related topics:
The Syslog Server Sensor App: Log collection (UDP, TCP, and TLS-encrypted TCP) from rsyslog
Collecting Linux System Logs: Log collection from a Linux system
Collecting Windows System Logs: Log collection from a Windows system
Go to the specific AlienApp in USM Anywhere for instructions about syslog forwarding
Note: Because the log scan can take some time, you might not see all of the automatically discovered log sources immediately after deploying the first USM Anywhere Sensor.
- When you have finished the log collection setup and integrated any needed plugins, verify that the data transfer is occurring.
- Click Next when this step is complete.
OTX
AT&T Alien Labs™ Open Threat Exchange® (OTX™) is an open information-sharing and analysis network providing users with the ability to collaborate, research, and receive alerts on emerging threats and indicators of compromise (IoCs) such as IP addresses, file hashes, and domains.
You must have an OTX account to receive alerts based on threats identified in OTX. This account is separate from your USM Anywhere account. Go to The World’s First Truly Open Threat Intelligence Community to create an OTX account.
Note: If you do not already have an OTX account, click the Sign up link. This opens another browser tab or window that displays the OTX signup page. After you confirm your email address, you can log in to OTX and retrieve the unique API key for your account.
See Open Threat Exchange® and USM Anywhere for more information about OTX integration in USM Anywhere.
To enable USM Anywhere to evaluate event data against the latest OTX intelligence
- Log in to OTX and open the API page (https://otx.alienvault.com/api).
In the DirectConnect API Usage pane, click the icon to copy your unique OTX connection key.
Return to the Open Threat Exchange (OTX) page of the USM Anywhere Sensor Setup Wizard and paste the value in the OTX Key text box.
Click Validate OTX Subscription Key.
With a successful validation of the key, the status at the top of the page changes to "Valid OTX key".
- Click Next when this task is complete.
Setup Complete
The Congratulations page summarizes the status of your configuration.
Click Start Using USM Anywhere, which takes you to the Overview dashboard.