Requirements for Azure Sensor Deployment

To ensure that you can successfully deploy USM Anywhere in your Microsoft Azure subscription and monitor all of your Azure resources, make sure you have the following available in your Azure environment:

  • An Azure account with privileges in the resource group or subscriptions that you want to install the USM Anywhere Sensor.

    Note: You can deploy a single USM Anywhere Sensor to monitor all of your Azure resource groups. To do this, you must assign the application you create to the entire subscription.

  • Administrative access to Active Directory Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. (AD) within Azure.

    This AD access enables you to create an application required to install resource groups or a subscription for monitoring.

  • A virtual network inside the resource group.
  • A subnet inside the virtual network.
  • A storage account.

Important: USM Anywhere does not support Azure Classic accounts.

Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) a sensor can process varies.

Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.

Warning: Be sure not to install any application outside of those already provided within your image where you are deploying your Azure Sensor.

You may want to check your system for automatically installed applications, such as OMIAgent, which must be uninstalled. Left uninstalled, such applications may make your environment or your sensor unstable.

Sensor Ports and Connectivity

Note: To launch the USM Anywhere Sensor web UI during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.

The following tables list the inbound and outbound ports.

Sensor Ports and Connectivity (Outbound Ports)
Type Ports Endpoints Purpose
TCP 443 update.alienvault.cloud Communication with LevelBlue for initial setup and future updates of the sensor.
TCP 443 reputation.alienvault.com Ongoing communication with LevelBlue Labs™ Open Threat Exchange® (OTX™).
TCP 443 otx.alienvault.com

Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended.

OTX uses the AWS CloudFront services. Refer to the AWS IP address ranges page when you deploy a new sensor. This page contains the current IP address ranges for the service and instructions on how to filter the addresses.
TCP 443

Your USM Anywhere subdomain
.alienvault.cloud

Your USM Anywhere subdomain
.gov.alienvault.us (for LevelBlue TDR for Gov)

 Ongoing communication with USM Anywhere.
SSL 443 storage-proxy.services.prod.alienvault.cloud Ongoing communication with USM Anywhere in order to send and retrieve backups.
SSL 443 metrics-proxy.services.prod.alienvault.cloud Ongoing communication with USM Anywhere in order to send metrics and messages.
SSL/TCP 443

api-parameters-<REGION>-prod.alienvault.cloud1

api-message-proxy-<REGION>-prod.alienvault.cloud

api.message-proxy.<REGION>.prod.alienvault.cloud

Ongoing communication with USM Anywhere.

It is only necessary to allowlist the address that corresponds to the region where your USM Anywhere instance is hosted.

SSL/TCP 7100

Your USM Anywhere subdomain
.alienvault.cloud

Your USM Anywhere subdomain
.gov.alienvault.us (for LevelBlue TDR for Gov)

 Ongoing communication with USM Anywhere.
UDP 53 DNS Servers (Google Default) Ongoing communication with USM Anywhere.
UDP 123

0.ubuntu.pool.ntp.org

1.ubuntu.pool.ntp.org

2.ubuntu.pool.ntp.org

3.ubuntu.pool.ntp.org

 Sync with NTP services in the Azure Cloud.
TCP 22 and 443

prod-usm-saas-tractorbeam.alienvault.cloud

prod-gov-usm-saas-tractorbeam.gov.alienvault.us (for LevelBlue TDR for Gov)

SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). communications with the USM Anywhere remote support server.

See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console.
TCP 443 <event-hub-namespace>.servicebus.windows.net (Optional.) Connect to Microsoft Azure Event Hubs for log collection. Replace <event-hub-namespace> with the name of your Event Hubs namespace.

If your environment includes additional services such as AMQP or Kafka, you may need to make additional ports available. See Microsoft's Troubleshooting Guide for detailed information about these potential additional port requirements.
TCP 443

api.geoip-enrichment.ap-northeast-1.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.ap-south-1.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.ap-southeast-1.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.ap-southeast-2.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.ca-central-1.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.eu-central-1.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.eu-west-1.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.eu-west-2.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.me-central-1.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.sa-east-1.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.us-east-1.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.us-west-2.prod.alienvault.cloud/geo-ip/sensor

api.geoip-enrichment.us-gov-west-1.prod-gov.gov.alienvault.us/geo-ip/sensor (for LevelBlue TDR for Gov)

Allows resolution of IP addresses for geolocation services.

It is only necessary to allowlist the GeoIP address that corresponds to the region where your USMA instance is hosted.

Sensor Ports and Connectivity (Inbound Ports)
Type Ports Purpose
SSH 22 Inbound method for secure remote login from a computer to USM Anywhere.
HTTP 80 Inbound communication for HTTP traffic.
UDP (RFC 3164) 514 USM Anywhere collects data through syslog over UDP on port 514 by default.
TCP (RFC 3164) 601 Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default.
TCP (RFC 5424) 602 USM Anywhere collects data through syslog over TCP on port 602 by default.
Traffic Mirroring 4789 Inbound communication for virtual extensible local area network (VXLAN).
WSMANS 5987 Inbound WBEM WS-Management HTTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS) (NXLog).
TLS/TCP (RFC 3164) 6514 USM Anywhere collects TLS-encrypted data through syslog over TCP on port 6514 by default.
TLS (RFC 5424) 6515 USM Anywhere collects data through syslog over TLS on port 6515 by default.
TCP 9000 Inbound communication used internally for HTTP sensor traffic.
Graylog 12201 Inbound communication for Graylog Extended Log Format (GELF).

USM Anywhere IP Addresses for Allowlisting

Your sensor is connected to a USM Anywhere instance deployed in one of the Amazon Web Services (AWS) endpoint regions based on your location. If you need to configure your firewall to allow communication between the sensor and the USM Anywhere instance, refer to the following table with the reserved IP address ranges for each region.

Important: The Update Server and the AlienVault Agent always use the 3.235.189.112/28 range no matter where your USM Anywhere is deployed. The LevelBlue TDR for Gov Update Server uses the 3.32.190.224/28 range.

Note: The regional IP ranges listed in this table are limited to the control nodes (subdomain). You must also meet all requirements provided in the Sensor Ports and Connectivity (Outbound Ports) table.

AWS Regions Where USM Anywhere Instance Is Available
Code Name Reserved Static IP Address Ranges
ap-northeast-1 Asia Pacific (Tokyo)

18.177.156.144/28

3.235.189.112/28

44.210.246.48/28
ap-south-1 Asia Pacific (Mumbai)

3.7.161.32/28

3.235.189.112/28

44.210.246.48/28
ap-southeast-1 Asia Pacific (Singapore)

18.143.203.80/28

3.235.189.112/28

44.210.246.48/28
ap-southeast-2 Asia Pacific (Sydney)

3.25.47.48/28

3.235.189.112/28

44.210.246.48/28
ca-central-1 Canada (Central)

3.96.2.80/28

3.235.189.112/28

44.210.246.48/28
eu-central-1 Europe (Frankfurt)

18.156.18.32/28

3.235.189.112/28

44.210.246.48/28
eu-west-1 Europe (Ireland)

3.250.207.0/28

3.235.189.112/28

44.210.246.48/28
eu-west-2 Europe (London)

18.130.91.160/28

3.235.189.112/28

44.210.246.48/28
me-central-1 Middle East (UAE)

3.29.147.0/28

3.235.189.112/28

44.210.246.48/28
sa-east-1 South America (São Paulo)

18.230.160.128/28

3.235.189.112/28

44.210.246.48/28
us-east-1 US East (N. Virginia)

3.235.189.112/28

44.210.246.48/28
us-west-2 US West (Oregon)

44.234.73.192/28

3.235.189.112/28

44.210.246.48/28
us-gov-west-1 AWS GovCloud (US-West)

3.32.190.224/28

Azure Portal URLs for Proxy Bypass

The URL endpoints to allowlist on your Azure portal are specific to the Azure cloud where your environment is deployed. To allow network traffic to reach these endpoints, select your cloud environment, and then add the following list of URLs to your proxy server or firewall.

*.aadcdn.microsoftonline-p.com
*.aka.ms
*.applicationinsights.io
*.azure.com
*.azure.net
*.azureafd.net
*.azure-api.net
*.azuredatalakestore.net
*.azureedge.net
*.loganalytics.io
*.microsoft.com
*.microsoftonline.com
*.microsoftonline-p.com
*.msauth.net
*.msftauth.net
*.trafficmanager.net
*.usgovcloudapi.net (LevelBlue TDR for Gov only)
*.visualstudio.com
*.windows.net
*.windows-int.net