USM Anywhere™

Azure Sensor Deployment

The USM Anywhere Sensor provides operational visibility into the security of your Azure environment. Based on the collected log information, USM Anywhere analyzes the data generated by your Azure environment and provides real-time alerting to identify malicious activity. The Azure Sensor is deployed inside your own Azure environment, so you retain full control over the installation and the data it holds, and no external party needs access to your environment.

All USM Anywhere Sensors allow for authenticated scans of assets (an asset is an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) by leveraging stored credentials that you define in USM Anywhere. This enables USM Anywhere to detect potential vulnerabilities, installed software packages, and running processes and services.

In addition to these standard sensor functions, the Azure Sensor also provides capabilities that leverage the Azure environment:

Log Collection and Scans

USM Anywhere automatically discovers your use of the following logs, without requiring you to enable anything on the Azure subscription side, as long as the application the sensor authenticates with has Contributor-level permissions on the Azure subscription. Because Contributor can modify any resource in that subscription, treat the sensor's application credentials as privileged:

  • Azure REST Monitor (formerly Azure Insight) logs
  • Azure Security Alerts
  • Azure Web App logs
  • Azure SQL Server logs

    Note: USM Anywhere collects SQL Server logs stored in Azure Table storage only. It does not collect SQL Server logs stored as Binary Large Objects (BLOBs).

    Microsoft Azure has deprecated the Table storage option for these logs and recommends BLOB storage instead. Nevertheless, you must select the Azure Tables storage option for your SQL Server logs to make them available for collection by the USM Anywhere Sensor.

  • Azure IIS logs
  • Azure Windows logs
  • Asset scans on your VMs to inventory installed software packages, running processes, and services

Log Analysis

USM Anywhere analyzes these logs in three stages:

  1. Collection: collects logs from systems and software running in your environment
  2. Processing: parses each log line and generates a normalized event

    • Extracts fields such as IP addresses and timestamps from the log line data
    • Adds other data to the event, such as security context and environmental information
  3. Analysis: analyzes the events and stores them

USM Anywhere collects log data, processes the data, and produces normalized events
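As an added illustration of these three stages (this is example code written for this page, not USM Anywhere's own processing logic), the following Python script runs a small collect/process/analyze pipeline over two constructed Azure Activity Log records, the "Azure REST Monitor" logs listed above. The record field names follow the Azure Monitor Activity Log REST API; the values, the normalized event schema and the two alert rules are assumptions made for the example. It handles two details a real parser meets: seven-digit fractional timestamps, which Python's ISO parser does not accept, and records without a client IP (Azure-internal operations).

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample input (not real telemetry): two Azure Activity Log records
# in the field layout of the Azure Monitor Activity Log REST API. The second
# record carries no client IP, as happens for Azure-internal operations.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {
        "eventTimestamp": "2024-03-05T10:15:42.1234567Z",
        "caller": "alice@example.com",
        "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
        "status": {"value": "Succeeded"},
        "level": "Informational",
        "category": {"value": "Administrative"},
        "subscriptionId": "00000000-0000-0000-0000-000000000001",
        "resourceGroupName": "rg-prod",
        "resourceId": ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod"
                       "/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-rdp"),
        "httpRequest": {"clientIpAddress": "203.0.113.7", "method": "PUT"},
    },
    {
        "eventTimestamp": "2024-03-05T10:16:03Z",
        "caller": "11111111-2222-3333-4444-555555555555",
        "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
        "status": {"value": "Failed"},
        "level": "Error",
        "category": {"value": "Administrative"},
        "subscriptionId": "00000000-0000-0000-0000-000000000001",
        "resourceId": ("/subscriptions/00000000-0000-0000-0000-000000000001"
                       "/providers/Microsoft.Authorization/roleAssignments/aaaa"),
        "httpRequest": {"method": "PUT"},
    },
])

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def collect(raw_json: str) -> list:
    """Stage 1: collect. Here the 'source' is an in-memory JSON document."""
    return json.loads(raw_json)


def parse_timestamp(ts: str) -> datetime:
    """Activity Log timestamps are UTC ISO 8601 with up to seven fractional
    digits; datetime.fromisoformat() takes at most six, so truncate."""
    if ts.endswith("Z"):
        ts = ts[:-1]
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def resource_group_from_id(resource_id: str) -> str:
    """Fall back to the resource ID when resourceGroupName is absent (subscription-level resources)."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "resourcegroups" and i + 1 < len(parts):
            return parts[i + 1]
    return ""


def to_event(record: dict) -> dict:
    """Stage 2: process one record into a normalized event (assumed schema)."""
    operation = record.get("operationName", {}).get("value", "")
    status = record.get("status", {}).get("value", "")
    caller = record.get("caller", "")
    resource_id = record.get("resourceId", "")
    return {
        "timestamp": parse_timestamp(record["eventTimestamp"]),
        "source_ip": record.get("httpRequest", {}).get("clientIpAddress"),  # None when absent
        "caller": caller,
        "caller_type": "service_principal" if GUID_RE.fullmatch(caller) else "user",
        "operation": operation,
        # Activity Log also reports "Started"/"Accepted"; those are not failures.
        "outcome": {"Succeeded": "success", "Failed": "failure"}.get(status, "in_progress"),
        "subscription_id": record.get("subscriptionId", ""),
        "resource_group": record.get("resourceGroupName") or resource_group_from_id(resource_id),
        "resource_id": resource_id,
        # Security context added to the event:
        "is_write": operation.rsplit("/", 1)[-1].lower() in ("write", "delete", "action"),
        "is_privilege_change": operation.lower().startswith("microsoft.authorization/roleassignments/"),
    }


def analyze(events: list) -> list:
    """Stage 3: analyze. Two illustrative rules, not USM Anywhere's correlation rules."""
    alerts = []
    for event in events:
        if event["is_privilege_change"] and event["is_write"]:
            # Attempted as well as successful RBAC changes deserve an alert.
            alerts.append({"rule": "role_assignment_change", "priority": "high", "event": event})
        if (event["is_write"] and event["outcome"] == "success"
                and "/networksecuritygroups/" in event["operation"].lower()):
            alerts.append({"rule": "nsg_rule_modified", "priority": "medium", "event": event})
    return alerts


def run_pipeline(raw_json: str) -> tuple:
    """Collect -> process -> analyze; returns (events, alerts) ready for storage."""
    events = [to_event(r) for r in collect(raw_json)]
    return events, analyze(events)


if __name__ == "__main__":
    evts, alrts = run_pipeline(SAMPLE_ACTIVITY_LOG)
    for a in alrts:
        e = a["event"]
        print(f"{e['timestamp'].isoformat()} {a['priority']:6} {a['rule']:24} {e['caller']} from {e['source_ip']}")
```

Running the script prints one line per alert; the normalized events keep the raw resource ID so an analyst can pivot back to the Azure resource, and `source_ip` is left as None rather than a placeholder string so downstream rules can tell "no client IP" from a real address.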

Deployment Overview

AT&T Cybersecurity distributes the Azure Sensor through the Azure Marketplace as a D2 Standard or DS2 Premium VM template.

Note: If your organization uses multiple subnets (for example, to allow communication between headquarters and remote offices), we recommend that you deploy a sensor in each of them, because asset scans only reach hosts the sensor's network can route to. Alternatively, you can deploy a single USM Anywhere Sensor in one virtual network: a sensor deployed in a single virtual network in your Azure subscription still receives the Azure logs for the entire subscription.

The deployment process for an initial USM Anywhere Sensor in your Azure environment consists of these primary tasks:

  1. Review requirements for an Azure Sensor deployment
  2. Deploy the USM Anywhere Sensor within your Azure environment
  3. Register the deployed sensor with your sensor authentication code to provision the USM Anywhere instance and connect the sensor to it
  4. (Optional) Manually create a new application and its credentials in the Azure portal for the sensor to use
  5. Complete your Azure Sensor configuration, including initial asset discovery
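The Contributor-level requirement from the Log Collection section, and the application created in step 4, are worth verifying before you expect log discovery to work. The following Python check is an added example for this page (not AT&T Cybersecurity's own tooling) that reads the JSON printed by `az role assignment list --all --include-inherited --assignee <appId> -o json` and reports whether a principal holds Contributor (or Owner) at a scope that covers the whole subscription; an assignment scoped to a single resource group is not enough, while one inherited from a management group or the tenant root is. The sample assignments, principal IDs and subscription ID are constructed, and the check assumes the listing was produced from the subscription in question, since that is how inherited management-group assignments become visible.

```python
import json

# Constructed sample: what `az role assignment list --all --include-inherited -o json`
# prints, trimmed to the fields this check uses. All IDs are made up.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {   # sensor app #1: Contributor only on its own resource group, Reader on the subscription
        "principalId": "aaaaaaaa-0000-0000-0000-000000000001",
        "principalName": "usm-sensor-rg-only",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-sensor",
    },
    {
        "principalId": "aaaaaaaa-0000-0000-0000-000000000001",
        "principalName": "usm-sensor-rg-only",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Reader",
        "scope": f"/subscriptions/{SUBSCRIPTION_ID}",
    },
    {   # sensor app #2: Contributor inherited from a management group above the subscription
        "principalId": "aaaaaaaa-0000-0000-0000-000000000002",
        "principalName": "usm-sensor-mg",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": "/providers/Microsoft.Management/managementGroups/prod-mg",
    },
    {   # a user: Owner directly on the subscription, with the scope casing varied on purpose
        "principalId": "bbbbbbbb-0000-0000-0000-000000000003",
        "principalName": "alice@example.com",
        "principalType": "User",
        "roleDefinitionName": "Owner",
        "scope": f"/SUBSCRIPTIONS/{SUBSCRIPTION_ID.upper()}",
    },
])

# Roles that satisfy "Contributor-level" for this check (assumption: Owner is a superset).
SUFFICIENT_ROLES = {"contributor", "owner"}


def scope_covers_subscription(scope: str, subscription_id: str) -> bool:
    """True if an assignment at `scope` applies to every resource in the subscription:
    the subscription itself, a management group above it, or the tenant root ("/").
    Scopes are compared case-insensitively because Azure is not consistent about casing."""
    s = scope.strip().lower()
    if s == "/" or s.startswith("/providers/microsoft.management/managementgroups/"):
        return True
    return s == f"/subscriptions/{subscription_id.lower()}"


def covering_assignments(assignments_json: str, principal_id: str, subscription_id: str) -> list:
    """Return the assignments that give `principal_id` Contributor/Owner over the whole subscription."""
    assignments = json.loads(assignments_json)
    return [
        a for a in assignments
        if a.get("principalId", "").lower() == principal_id.lower()
        and a.get("roleDefinitionName", "").lower() in SUFFICIENT_ROLES
        and scope_covers_subscription(a.get("scope", ""), subscription_id)
    ]


def sensor_has_subscription_contributor(assignments_json: str, principal_id: str,
                                        subscription_id: str) -> bool:
    """The yes/no answer a deployment checklist wants."""
    return bool(covering_assignments(assignments_json, principal_id, subscription_id))


if __name__ == "__main__":
    for pid in ("aaaaaaaa-0000-0000-0000-000000000001",
                "aaaaaaaa-0000-0000-0000-000000000002",
                "bbbbbbbb-0000-0000-0000-000000000003"):
        hits = covering_assignments(SAMPLE_ASSIGNMENTS_JSON, pid, SUBSCRIPTION_ID)
        verdict = "OK" if hits else "INSUFFICIENT (Contributor needed at subscription scope or above)"
        print(f"{pid}: {verdict}" + "".join(f"\n    {h['roleDefinitionName']} @ {h['scope']}" for h in hits))
```

The first principal fails the check even though it has a Contributor assignment, because that assignment stops at one resource group; this is the misconfiguration that most often leaves a sensor collecting logs from only part of the subscription.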
