USM Anywhere™

Requirements for Azure Sensor Deployment

To ensure that you can successfully deploy USM Anywhere in your Microsoft Azure subscription and monitor all of your Azure resources, make sure you have the following available in your Azure environment:

  • An Azure account with privileges in the resource group or subscriptions that you want to install the USM Anywhere Sensor.

    Note: You can deploy a single USM Anywhere Sensor to monitor all of your Azure resource groups. To do this, you must assign the application you create to the entire subscription.

  • Administrative access to Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for Windows domain networks. (AD) within Azure.

    This AD access enables you to create an application required to install resource groups or a subscription for monitoring.

  • A virtual network inside the resource group.
  • A subnet inside the virtual network.
  • A storage account.

Important: USM Anywhere does not support Azure Classic accounts.

Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) throughput a sensor can process varies.

Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.

Sensor Ports and Connectivity

Note: To launch the USM Anywhere Sensor web user interface (UI) during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.

The following tables list the inbound and outbound ports.

Sensor Ports and Connectivity (Outbound Ports)
Type Ports Endpoints Purpose
TCP 443 update.alienvault.cloud Communication with AT&T Cybersecurity for initial setup and future updates of the sensor.
TCP 443 reputation.alienvault.com Ongoing communication with AT&T Alien Labs™ Open Threat Exchange® (OTX™).
TCP 443 otx.alienvault.com

Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended.

OTX uses the AWS Cloudfront services. Refer to the AWS IP address ranges page when you deploy a new sensor. This page contains the current IP address ranges for the service and for instructions on how to filter the addresses.

TCP 443

your USM Anywhere subdomain
.alienvault.cloud,

your USM Anywhere subdomain
.gov.alienvault.us (for AT&T TDR for Gov)

Ongoing communication with USM Anywhere.
SSL / TCP 7100

your USM Anywhere subdomain
.alienvault.cloud,

your USM Anywhere subdomain
.gov.alienvault.us (for AT&T TDR for Gov)

Ongoing communication with USM Anywhere.
UDP 53 DNS Servers (Google Default) Ongoing communication with USM Anywhere.
UDP 123

0.ubuntu.pool.ntp.org

1.ubuntu.pool.ntp.org

2.ubuntu.pool.ntp.org

3.ubuntu.pool.ntp.org

Sync with network time protocol (NTP) services in the Azure Cloud.
TCP 22 and 443

prod-usm-saas-tractorbeam.alienvault.cloud,

prod-gov-usm-saas-tractorbeam.gov.alienvault.us (for AT&T TDR for Gov)

SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through Secure Copy (SCP). communications with the USM Anywhere remote support server.

See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console.

TCP 443 <Event-Hub-Namespace>servicebus.windows.net (Optional.) Connect to Microsoft Azure Event Hubs for event hub log collection. Replace <Event-Hub-Namespace> with the name of your Event Hub namespace.

If your environment includes additional services such as AMQP or Kafka, you may need to make additional ports available. See Microsoft's Troubleshooting Guide for detailed information about these potential additional port requirements.

 

Sensor Ports and Connectivity (Inbound Ports)
Type Ports Purpose
SSH 22 Inbound method for secure remote login from a computer to USM Anywhere.
HTTP 80 Inbound communication for HTTP traffic.
UDP (RFC 3164) 514 USM Anywhere collects data through syslog over UDP on port 514 by default.
TCP (RFC 3164) 601 Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default.
TCP (RFC 5424) 602 USM Anywhere collects data through syslog over TCP on port 602 by default.
Traffic Mirroring 4789 Inbound communication for virtual extensible local area network (VXLAN).
TLS/TCP (RFC 3164) 6514 USM Anywhere collects Transport Layer Security (TLS)-encrypted data through syslog over TCP on port 6514 by default.
TLS (RFC 5424) 6515 USM Anywhere collects data through syslog over TLS on port 6515 by default.
Graylog 12201 Inbound communication for Graylog Extended Log Format (GELF).

USM Anywhere IP Addresses for Whitelisting

Your sensor is connected to a USM Anywhere instance deployed in one of the Amazon Web Services (AWS) endpoint regions based on your location. If you need to configure your firewall to allow communication between the sensor and the USM Anywhere instance, refer to the following table with the reserved IP address ranges for each region.

AWS Regions where USM Anywhere Instance Is Available
Code Name Reserved Static IP Address Ranges
ap-northeast-1 Asia Pacific (Tokyo) 18.177.156.144/28
ap-south-1 Asia Pacific (Mumbai) 3.7.161.32/28
ap-southeast-2 Asia Pacific (Sydney) 3.25.47.48/28
ca-central-1 Canada (Central) 3.96.2.80/28
eu-central-1 Europe (Frankfurt) 18.156.18.32/28
eu-west-1 Europe (Ireland) 3.250.207.0/28
eu-west-2 Europe (London) 18.130.91.160/28
sa-east-1 South America (São Paulo) 18.230.160.128/28
us-east-1 US East (N. Virginia)

3.235.189.112/28

Important: The AlienVault Agent always uses the 3.235.189.112/28 range no matter where your USM Anywhere is deployed.

us-west-2 US West (Oregon) 44.234.73.192/28
us-gov-west-1 AWS GovCloud (US-West) 3.32.190.224/28

Azure Portal URLs for Proxy Bypass

The URL endpoints to whitelist on your Azure portal are specific to the Azure cloud where your environment is deployed. To allow network traffic to reach these endpoints, select your cloud environment, and then add the following list of URLs to your proxy server or firewall.

*.aadcdn.microsoftonline-p.com

*.aka.ms

*.applicationinsights.io

*.azure.com

*.azure.net

*.azureafd.net

*.azure-api.net

*.azuredatalakestore.net

*.azureedge.net

*.loganalytics.io

*.microsoft.com

*.microsoftonline.com

*.microsoftonline-p.com

*.msauth.net

*.msftauth.net

*.trafficmanager.net

*.usgovcloudapi.net (AT&T TDR for Gov only) 

*.visualstudio.com

*.windows.net

*.windows-int.net