The USM Anywhere Sensor provides operational visibility into the security of your Microsoft Azure environment. Based on the collected log information, USM Anywhere analyzes the data generated by your Azure environment and provides real-time alerting to identify malicious activity. The Azure Sensor is deployed into your environment to provide ultimate control over the installation and the data contained within it, and also to avoid any external access to the environment.
All USM Anywhere Sensors allow for authenticated scans of assets (an asset is any IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) by leveraging stored credentials that you define in USM Anywhere. This enables USM Anywhere to detect potential vulnerabilities, installed software packages, and running processes and services.
In addition to these standard sensor functions, the Azure Sensor also provides capabilities that leverage the Azure environment:
- Automatic discovery of virtual machines (VMs) running in your Microsoft Azure environment
- Optional monitoring of Azure logs
- Integration with Azure Event Hubs (see Collect Logs from Azure Event Hubs)
Log Collection and Scans
USM Anywhere automatically discovers your use of the following logs without requiring enablement on the Azure subscription side, as long as the Azure resource subscription has contributor-level permissions:
- Azure Representational State Transfer (REST) Monitor (formerly Azure Insight) logs
- Azure security alerts
- Azure web apps logs
- Azure SQL Server logs
Note: The Azure SQL Server job is deprecated. Use the Event Hub Integration to collect Azure SQL Server logs. See Collect Logs from Azure Event Hubs for more information.
- Azure Internet Information Services (IIS) logs
- Azure Windows logs
- Asset scans on your VMs to inventory installed software packages, running processes, and services
Log Analysis
USM Anywhere analyzes these logs in these stages:
Stage 1: Collects logs from systems and software running in your environment
Stage 2: Configures log line processing and generates events
- Includes IP addresses and timestamps culled from extracted log-line data
- Adds other data to the event, such as security context and environmental information
Stage 3: Analyzes events and stores them
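To make the three stages concrete, here is an added illustration (not USM Anywhere's own code) of what Stage 2 and Stage 3 amount to for one of the log types listed above, Azure IIS logs: a W3C-format line is split into fields, the client/server IP addresses and the timestamp are lifted into an event, the event is enriched with environmental information from an asset inventory, and a simple analysis is run over the resulting events. The log lines and the `ASSET_INVENTORY` table are constructed for the example; the field order assumes the default IIS W3C selection.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed IIS W3C log lines (not captured from a real system). IIS writes
# spaces inside the user agent as "+", so a plain split on whitespace is safe.
IIS_LOG_LINES = [
    "2024-05-01 12:00:01 10.0.1.4 GET /login - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200 0 0 123",
    "2024-05-01 12:00:02 10.0.1.4 GET /admin - 443 - 198.51.100.9 curl/8.0 403 0 0 5",
    "2024-05-01 12:00:03 10.0.1.4 POST /api/items - 443 - 198.51.100.9 curl/8.0 500 0 0 41",
]

# Constructed asset inventory standing in for the "environmental information"
# a sensor adds in Stage 2 (hypothetical names).
ASSET_INVENTORY = {
    "10.0.1.4": {"asset": "web-vm-01", "resource_group": "rg-prod", "role": "iis"},
}

# Default IIS W3C field order (#Fields header of the log file).
W3C_FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
              "username", "c_ip", "user_agent", "status", "substatus", "win32_status",
              "time_taken"]

def parse_iis_line(line):
    """Stage 2, step 1: split a W3C line into named fields; None if malformed."""
    parts = line.split()
    if len(parts) != len(W3C_FIELDS):
        return None
    return dict(zip(W3C_FIELDS, parts))

def build_event(line, inventory=ASSET_INVENTORY):
    """Stage 2: lift addresses and timestamp into an event, then enrich it."""
    fields = parse_iis_line(line)
    if fields is None:
        return None
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    event = {
        "timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "source_address": fields["c_ip"],          # client IP
        "destination_address": fields["s_ip"],     # server (VM) IP
        "request": f"{fields['method']} {fields['uri_stem']}",
        "status": int(fields["status"]),
    }
    event.update(inventory.get(fields["s_ip"], {}))  # environmental context
    return event

def failed_requests_by_source(lines):
    """Stage 3 (simplified): count 4xx/5xx responses per source address."""
    events = (build_event(l) for l in lines)
    return Counter(e["source_address"] for e in events if e and e["status"] >= 400)
```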
Deployment Overview
LevelBlue distributes the Azure Sensor through the Azure Marketplace as a D2 Standard or DS2 Premium VM template.
Note: If your organization uses multiple subnets to allow communication between headquarters and remote offices, LevelBlue recommends that you deploy a sensor to each. Alternatively, you can deploy a USM Anywhere Sensor in a single virtual network. When you deploy a sensor to a single virtual network in your Azure subscription, you'll see Azure logs for the entire subscription.
The deployment process for an initial USM Anywhere Sensor in your Azure environment consists of these primary tasks:
- Review requirements for an Azure Sensor deployment
- Deploy the USM Anywhere Sensor within your Azure environment
- Register the deployed sensor with your sensor authentication code to provision the USM Anywhere instance and connect the deployed sensor
- (Optional) Manually create a new application and credentials in the Azure console
- Complete your Azure Sensor configuration, including initial asset discovery