To ensure that you can successfully deploy USM Anywhere in your Microsoft Azure subscription and monitor all of your Azure resources, make sure you have the following available in your Azure environment:
An Azure account with privileges in the resource group or subscriptions that you want to install the USM Anywhere Sensor.
Note: You can deploy a single USM Anywhere Sensor to monitor all of your Azure resource groups. To do this, you must assign the application you create to the entire subscription.
Administrative access to Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for Windows domain networks. (AD) within Azure.
This AD access allows you to create an application required to install resource groups or a subscription for monitoring.
- A virtual network inside the resource group.
- A subnet inside the virtual network.
- A storage account.
Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) throughput a sensor can process varies.
Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.
Before you deploy a USM Anywhere Sensor, you must configure your firewallVirtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them. permissions to enable the required connectivity for the new sensor. Initial deployment of a sensor requires that you open egress and outbound ports and protocols in the firewall for communication with USM Anywhere and AT&T Cybersecurity Secure Cloud resources. The sensor receives no inbound connections from outside the firewall.
Note: To launch the USM Anywhere Sensor web user interface (UI) during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.
|TCP||443||update.alienvault.cloud||Communication with AT&T Cybersecurity for initial setup and future updates of the sensor.|
|TCP||443||reputation.alienvault.com||Ongoing communication with AT&T Alien Labs™ (OTX™).|
|TCP||443||otx.alienvault.com||Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended.|
|TCP||443||your USM Anywhere subdomain
|Ongoing communication with USM Anywhere.|
|SSL / TCP||7100||your USM Anywhere subdomain
|Ongoing communication with USM Anywhere.|
|UDP||53||DNS Servers (Google Default)||Ongoing communication with USM Anywhere.|
|Sync with network time protocol (NTP) services in the AT&T Cybersecurity Secure Cloud.|
|22 and 443||prod-usm-saas-tractorbeam.alienvault.cloud||
SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through Secure Copy (SCP). communications with the USM Anywhere remote support server.
See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console.
|443||<Event-Hub-Namespace>servicebus.windows.net||(Optional.) Connect to Microsoft Azure Event Hubs for event hub log collection. Replace <Event-Hub-Namespace> with the name of your Event Hub namespace.
If your environment includes additional such as AMQP or Kafka, you may need to make additional ports available. See Microsoft's Troubleshooting Guide for detailed information about these potential additional port requirements.
|SSH||22||Inbound method for secure remote login from a computer to USM Anywhere.|
|HTTP||80||Inbound communication for HTTP traffic.|
|UDP (RFC 3164)||514||USM Anywhere collects data through syslog over UDP on port 514 by default.|
|TCP (RFC 3164)||601||Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default.|
|TCP (RFC 5424)||602||USM Anywhere collects data through syslog over TCP on port 602 by default.|
|Traffic Mirroring||4789||Inbound communication for virtual extensible local area network (VXLAN).|
|TLS/TCP (RFC 3164)||6514||USM Anywhere collects Transport Layer Security (TLS)-encrypted data through syslog over TCP on port 6514 by default.|
|TLS (RFC 5424)||6515||USM Anywhere collects data through syslog over TLS on port 6515 by default.|
|GrayLog||12201||Inbound communication for Graylog Extended Log Format (GELF).|
Azure Portal URLs for Proxy Bypass
The URL endpoints to safelist for the Microsoft Azure portal are specific to the Azure cloud where your environment is deployed. To allow network traffic to these endpoints to bypass restrictions, select your cloud. Then, add the following list of URLs to your proxy server or firewall.