To ensure that you can successfully deploy USM Anywhere in your Microsoft Azure subscription and monitor all of your Azure resources, make sure you have the following available in your Azure environment:
-
An Azure account with privileges in the resource group or subscriptions that you want to install the USM Anywhere Sensor.
Note: You can deploy a single USM Anywhere Sensor to monitor all of your Azure resource groups. To do this, you must assign the application you create to the entire subscription.
-
Administrative access to Active DirectoryActive Directory (AD) is a database and platform for Windows domain networks that connects users with their network resources. (AD) within Azure.
This AD access enables you to create an application required to install resource groups or a subscription for monitoring.
- A virtual network inside the resource group.
- A subnet inside the virtual network.
- A storage account.
Important: USM Anywhere does not support Azure Classic accounts.
Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) throughput a sensor can process varies.
Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.
Warning: Be sure not to install any application outside of those already provided within your image where you are deploying your Azure Sensor.
You may want to check your system for automatically installed applications, such as OMIAgent, which must be uninstalled. Left uninstalled, such applications may make your environment or your sensor unstable.
Sensor Ports and Connectivity
Note: To launch the USM Anywhere Sensor web UI during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.
The following tables list the inbound and outbound ports.
| Type | Ports | Endpoints | Purpose |
|---|---|---|---|
| TCP | 443 | update.alienvault.cloud | Communication with AT&T Cybersecurity for initial setup and future updates of the sensor. |
| TCP | 443 | reputation.alienvault.com | Ongoing communication with AT&T Alien Labs™ Open Threat Exchange® (OTX™). |
| TCP | 443 | otx.alienvault.com |
Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended. OTX uses the AWS Cloudfront services. Refer to the AWS IP address ranges page when you deploy a new sensor. This page contains the current IP address ranges for the service and instructions on how to filter the addresses. |
| TCP | 443 |
Your USM Anywhere subdomain Your USM Anywhere subdomain |
Ongoing communication with USM Anywhere. |
| SSL/TCP | 7100 |
Your USM Anywhere subdomain Your USM Anywhere subdomain |
Ongoing communication with USM Anywhere. |
| UDP | 53 | DNS Servers (Google Default) | Ongoing communication with USM Anywhere. |
| UDP | 123 |
0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org |
Sync with NTP services in the Azure Cloud. |
| TCP | 22 and 443 |
prod-usm-saas-tractorbeam.alienvault.cloud prod-gov-usm-saas-tractorbeam.gov.alienvault.us (for AT&T TDR for Gov) |
SSHProgram to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). communications with the USM Anywhere remote support server. See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console. |
| TCP | 443 | <event-hub-namespace>.servicebus.windows.net | (Optional.) Connect to Microsoft Azure Event Hubs for log collection. Replace <event-hub-namespace> with the name of your Event Hubs namespace. If your environment includes additional services such as AMQP or Kafka, you may need to make additional ports available. See Microsoft's Troubleshooting Guide for detailed information about these potential additional port requirements. |
| TCP | 443 |
geoip-us-west-2-prod.alienvault.cloud geoip-us-east-1-prod.alienvault.cloud geoip-sa-east-1-prod.alienvault.cloud geoip-eu-west-1-prod.alienvault.cloud geoip-eu-west-2-prod.alienvault.cloud geoip-eu-central-1-prod.alienvault.cloud geoip-ca-central-1-prod.alienvault.cloud geoip-ap-southeast-2-prod.alienvault.cloud geoip-ap-northeast-1-prod.alienvault.cloud |
Allows resolution of IP addresses for geolocation services. It is only necessary to allow list the GeoIP address that corresponds to the region where your USMA instance is hosted. |
| Type | Ports | Purpose |
|---|---|---|
| SSH | 22 | Inbound method for secure remote login from a computer to USM Anywhere. |
| HTTP | 80 | Inbound communication for HTTP traffic. |
| UDP (RFC 3164) | 514 | USM Anywhere collects data through syslog over UDP on port 514 by default. |
| TCP (RFC 3164) | 601 | Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default. |
| TCP (RFC 5424) | 602 | USM Anywhere collects data through syslog over TCP on port 602 by default. |
| Traffic Mirroring | 4789 | Inbound communication for virtual extensible local area network (VXLAN). |
| WSMANS | 5987 | Inbound WBEM WS-Management HTTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS) (NXLog). |
| TLS/TCP (RFC 3164) | 6514 | USM Anywhere collects TLS-encrypted data through syslog over TCP on port 6514 by default. |
| TLS (RFC 5424) | 6515 | USM Anywhere collects data through syslog over TLS on port 6515 by default. |
| TCP | 9000 | Inbound communication used internally for HTTP sensor traffic. |
| Graylog | 12201 | Inbound communication for Graylog Extended Log Format (GELF). |
USM Anywhere IP Addresses for Whitelisting
Important: The Update Server and the AlienVault Agent always use the 3.235.189.112/28 range no matter where your USM Anywhere is deployed. The AT&T TDR for Gov Update Server uses the 3.32.190.224/28 range.
| Code | Name | Reserved Static IP Address Ranges |
|---|---|---|
| ap-northeast-1 | Asia Pacific (Tokyo) |
18.177.156.144/28 3.235.189.112/28 44.210.246.48/28 |
| ap-south-1 | Asia Pacific (Mumbai) |
3.7.161.32/28 3.235.189.112/28 44.210.246.48/28 |
| ap-southeast-2 | Asia Pacific (Sydney) |
3.25.47.48/28 3.235.189.112/28 44.210.246.48/28 |
| ca-central-1 | Canada (Central) |
3.96.2.80/28 3.235.189.112/28 44.210.246.48/28 |
| eu-central-1 | Europe (Frankfurt) |
18.156.18.32/28 3.235.189.112/28 44.210.246.48/28 |
| eu-west-1 | Europe (Ireland) |
3.250.207.0/28 3.235.189.112/28 44.210.246.48/28 |
| eu-west-2 | Europe (London) |
18.130.91.160/28 3.235.189.112/28 44.210.246.48/28 |
| sa-east-1 | South America (São Paulo) |
18.230.160.128/28 3.235.189.112/28 44.210.246.48/28 |
| us-east-1 | US East (N. Virginia) |
3.235.189.112/28 44.210.246.48/28 |
| us-west-2 | US West (Oregon) |
44.234.73.192/28 3.235.189.112/28 44.210.246.48/28 |
| us-gov-west-1 | AWS GovCloud (US-West) |
3.32.190.224/28 |
Azure Portal URLs for Proxy Bypass
The URL endpoints to whitelist on your Azure portal are specific to the Azure cloud where your environment is deployed. To allow network traffic to reach these endpoints, select your cloud environment, and then add the following list of URLs to your proxy server or firewall.
*.aadcdn.microsoftonline-p.com
*.aka.ms
*.applicationinsights.io
*.azure.com
*.azure.net
*.azureafd.net
*.azure-api.net
*.azuredatalakestore.net
*.azureedge.net
*.loganalytics.io
*.microsoft.com
*.microsoftonline.com
*.microsoftonline-p.com
*.msauth.net
*.msftauth.net
*.trafficmanager.net
*.usgovcloudapi.net (AT&T TDR for Gov only)
*.visualstudio.com
*.windows.net
*.windows-int.net
Feedback