USM Anywhere deploys the Amazon Web Services (AWS) Sensor in the Amazon Elastic Compute Cloud (EC2) platform through the Amazon Virtual Private Cloud (VPC) and requires the following specifications:
-
An m5.large instance in an Amazon VPC.
-
A 100 GB Amazon EBS /data volume.
Note: A 100 GB Amazon EBS /data volume is designated as the default size for optimal performance. The Amazon Elastic Block Store (EBS) provides short-term storage for your data as it is processed.
-
Internet connection to the LevelBlue Secure Cloud. See Sensor Ports and Connectivity for more information.
-
Zonal SSD persistent disks.
Note: Persistent disk storage offers reliable network storage that your instances can access like physical disks. For optimal performance, 50 GB and 128 GB volumes are designated as the default size for the root and data partitions.
Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) a sensor can process varies.
Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.
AWS Sensor Deployment Regions
Important: The Update Server and the AlienVault Agent always use the 3.235.189.112/28 range no matter where your USM Anywhere is deployed. The LevelBlue TDR for Gov Update Server uses the 3.32.190.224/28 range.
| Code | Name |
|---|---|
| ap-northeast-1 | Asia Pacific (Tokyo) |
| ap-northeast-2 | Asia Pacific (Seoul) |
| ap-northeast-3 | Asia Pacific (Osaka) |
| ap-south-1 | Asia Pacific (Mumbai) |
| ap-southeast-1 | Asia Pacific (Singapore) |
| ap-southeast-2 | Asia Pacific (Sydney) |
| ca-central-1 | Canada (Central) |
| eu-central-1 | Europe (Frankfurt) |
| eu-north-1 | Europe (Stockholm) |
| eu-west-1 | Europe (Ireland) |
| eu-west-2 | Europe (London) |
| eu-west-3 | Europe (Paris) |
| me-central-1 | Middle East (UAE) |
| sa-east-1 | South America (São Paulo) |
| us-east-1 | US East (N. Virginia) |
| us-east-2 | US East (Ohio) |
| us-west-1 | US West (N. California) |
| us-west-2 | US West (Oregon) |
Note: Though your sensor is deployed to one region it will monitor all regions, pulling assets, logs, and other data regardless of region.
Application Service Dependencies
With the AWS CloudFormation Template provided by LevelBlue, you can automatically deploy USM Anywhere as a service into your environment. Review the following tables for information about the outbound and inbound IP addresses, ports, and services used by USM Anywhere.
Note: To launch the USM Anywhere Sensor web UI during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.
The following tables list the inbound and outbound ports.
| Type | Ports | Endpoints | Purpose |
|---|---|---|---|
| TCP | 443 | update.alienvault.cloud | Communication with LevelBlue for initial setup and future updates of the sensor. |
| TCP | 443 | reputation.alienvault.com | Ongoing communication with LevelBlue Labs™ Open Threat Exchange® (OTX™). |
| TCP | 443 | otx.alienvault.com |
Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended. OTX uses the AWS CloudFront services. Refer to the AWS IP address ranges page when you deploy a new sensor. This page contains the current IP address ranges for the service and instructions on how to filter the addresses. |
| TCP | 443 |
Your USM Anywhere subdomain Your USM Anywhere subdomain |
Ongoing communication with USM Anywhere. |
| SSL | 443 | storage-proxy.services.prod.alienvault.cloud | Ongoing communication with USM Anywhere in order to send and retrieve backups. |
| SSL | 443 | metrics-proxy.services.prod.alienvault.cloud | Ongoing communication with USM Anywhere in order to send metrics and messages. |
| SSL/TCP | 443 |
api-parameters-<REGION>-prod.alienvault.cloud1 api-message-proxy-<REGION>-prod.alienvault.cloud api.message-proxy.<REGION>.prod.alienvault.cloud |
Ongoing communication with USM Anywhere. It is only necessary to allowlist the address that corresponds to the region where your USM Anywhere instance is hosted. |
| SSL/TCP | 7100 |
Your USM Anywhere subdomain Your USM Anywhere subdomain |
Ongoing communication with USM Anywhere. |
| UDP | 53 | DNS Servers (Google Default) | Ongoing communication with USM Anywhere. |
| UDP | 123 |
169.254.169.123 |
Sync with network time protocol (NTP) services. |
| TCP | 22 and 443 |
prod-usm-saas-tractorbeam.alienvault.cloud prod-gov-usm-saas-tractorbeam.gov.alienvault.us (for LevelBlue TDR for Gov) |
SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). communications with the USM Anywhere remote support server. See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console. |
| TCP | 443 |
api.geoip-enrichment.ap-northeast-1.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.ap-south-1.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.ap-southeast-1.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.ap-southeast-2.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.ca-central-1.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.eu-central-1.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.eu-west-1.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.eu-west-2.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.me-central-1.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.sa-east-1.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.us-east-1.prod.alienvault.cloud/geo-ip/sensor api.geoip-enrichment.us-west-2.prod.alienvault.cloud/geo-ip/sensor
api.geoip-enrichment.us-gov-west-1.prod-gov.gov.alienvault.us/geo-ip/sensor (for LevelBlue TDR for Gov) |
Allows resolution of IP addresses for geolocation services. It is only necessary to allowlist the GeoIP address that corresponds to the region where your USMA instance is hosted. |
Important: A USM Anywhere Sensor deployed in AWS might require outbound access to specific AWS resources based on the sensor app in use. For example, the AWS Sensor app must have the ability to connect to the AWS API (port 443). However, the actual API endpoint might differ depending on the service (such as Amazon Simple Storage Service [S3] or Amazon CloudWatch).
USM Anywhere normally gives systems explicit access to the AWS API.
| Type | Ports | Purpose |
|---|---|---|
| SSH | 22 | Inbound method for secure remote login from a computer to USM Anywhere. |
| HTTP | 80 | Inbound communication for HTTP traffic. |
| UDP (RFC 3164) | 514 | USM Anywhere collects data through syslog over UDP on port 514 by default. |
| TCP (RFC 3164) | 601 | Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default. |
| TCP (RFC 5424) | 602 | USM Anywhere collects data through syslog over TCP on port 602 by default. |
| Traffic Mirroring | 4789 | Inbound communication for virtual extensible local area network (VXLAN). |
| WSMANS | 5987 | Inbound WBEM WS-Management HTTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS) (NXLog). |
| TLS/TCP (RFC 3164) | 6514 | USM Anywhere collects TLS-encrypted data through syslog over TCP on port 6514 by default. |
| TLS (RFC 5424) | 6515 | USM Anywhere collects data through syslog over TLS on port 6515 by default. |
| TCP | 9000 | Inbound communication used internally for HTTP sensor traffic. |
| Graylog | 12201 | Inbound communication for Graylog Extended Log Format (GELF). |
Security Groups in Your AWS VPC
For sensor deployment in an AWS VPC, the AWS CloudFormation template automatically creates the security groups needed for network connectivity between the instances within the VPC. However, this does require that you manually assign the USMServicesSG security group to your hosts to enable access to the UDP port 514 so that the sensor can receive syslog packet transmissions.
See Enable Connections in an AWS VPC for more detailed information about these security groups.
AWS Services
USM Anywhere uses the following AWS services:
- Amazon CloudWatch
- AWS CloudTrail
- AWS Elastic Load Balancing (ELB)
- Amazon Simple Storage Service (S3)
- Amazon EC2
- AWS Identity and Access Management (IAM)
- Amazon GuardDuty
- Amazon Relational Database Service (RDS)
See IAM Roles and Permissions Required by Your AWS Sensor for a full description of the IAM roles and permissions that your AWS Sensor requires for these AWS services.
Note: USM Anywhere uses us-east-1 as a default region in the amazon-aws app. As a result, you might want to verify whether your sensors are communicating with us-east-1, even if you have never deployed to that region.
USM Anywhere IP Addresses for Allowlisting
Important: The Update Server and the AlienVault Agent always use the 3.235.189.112/28 range no matter where your USM Anywhere is deployed. The LevelBlue TDR for Gov Update Server uses the 3.32.190.224/28 range.
Note: The regional IP ranges listed in this table are limited to the control nodes (subdomain). You must also meet all requirements provided in the Sensor Ports and Connectivity (Outbound Ports) table.
| Code | Name | Reserved Static IP Address Ranges |
|---|---|---|
| ap-northeast-1 | Asia Pacific (Tokyo) |
18.177.156.144/28 3.235.189.112/28 44.210.246.48/28 |
| ap-south-1 | Asia Pacific (Mumbai) |
3.7.161.32/28 3.235.189.112/28 44.210.246.48/28 |
| ap-southeast-1 | Asia Pacific (Singapore) |
18.143.203.80/28 3.235.189.112/28 44.210.246.48/28 |
| ap-southeast-2 | Asia Pacific (Sydney) |
3.25.47.48/28 3.235.189.112/28 44.210.246.48/28 |
| ca-central-1 | Canada (Central) |
3.96.2.80/28 3.235.189.112/28 44.210.246.48/28 |
| eu-central-1 | Europe (Frankfurt) |
18.156.18.32/28 3.235.189.112/28 44.210.246.48/28 |
| eu-west-1 | Europe (Ireland) |
3.250.207.0/28 3.235.189.112/28 44.210.246.48/28 |
| eu-west-2 | Europe (London) |
18.130.91.160/28 3.235.189.112/28 44.210.246.48/28 |
| me-central-1 | Middle East (UAE) |
3.29.147.0/28 3.235.189.112/28 44.210.246.48/28 |
| sa-east-1 | South America (São Paulo) |
18.230.160.128/28 3.235.189.112/28 44.210.246.48/28 |
| us-east-1 | US East (N. Virginia) |
3.235.189.112/28 44.210.246.48/28 |
| us-west-2 | US West (Oregon) |
44.234.73.192/28 3.235.189.112/28 44.210.246.48/28 |
| us-gov-west-1 | AWS GovCloud (US-West) |
3.32.190.224/28 |
Installation Prerequisites
Before you install the AWS Sensor, make sure you have the following prerequisites available.
| Prerequisites | Description |
|---|---|
| AWS CloudFormation template provided by LevelBlue |
The AWS CloudFormation template automatically creates all required AWS resources for deployment, including an IAM role and instance profile for use by the USM Anywhere Sensor instance. URLs for these templates are included in the Deploy the AWS Sensor instructions. |
| Privileged user account on AWS | To deploy the AWS CloudFormation template, you must have a privileged user account in AWS with permissions to create IAM resources. |
Multiple AWS Accounts or Amazon VPCs
If you have multiple AWS accounts, you must deploy the AWS Sensor in each AWS account that you want to monitor.
Amazon VPC enables you to launch AWS resources into a virtual network that you have defined. A single sensor can monitor an entire AWS account, even when it contains multiple Amazon VPCs.
Note: If you intend to use the USM Anywhere vulnerability A known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security. scanner with the AWS Sensor, you must allow traffic from the sensor and the target instance you are scanning. You can usually accomplish this by using Amazon VPC peering (see the AWS documentation for more information).
Feedback