After you initialize a new USM Anywhere Sensor, you must configure it in the Setup Wizard. As you configure the sensor, you can enable USM Anywhere to perform specific actions through scheduled jobs, such as running an asset discovery scan or collecting security events Information collected and displayed that describes a single system or user level activity that took place. from a predefined cloud storage location.
Accessing the Setup Wizard
The Setup Wizard is accessible under the following circumstances:
- After you first log in to the USM Anywhere web user interface (UI) and see the Welcome to USM Anywhere page, click Get Started to launch the Setup Wizard.
If you have already registered one USM Anywhere Sensor but did not complete the setup before logging out, the USM Anywhere Sensor Configuration page launches automatically at your next login to remind you to finalize configuration of the sensor. From that page, you click Configure to launch the Setup Wizard and complete the sensor configuration.
If you registered an additional USM Anywhere Sensor, but did not complete the setup, the Sensors page displays an error () in the Configured column. See Sensors Page Overview for more information.
Go to Data Sources > Sensors, and then click the sensor name to complete the sensor configuration. See USM Anywhere Sensor Management for more information.
Configuring the Azure Sensor in the Setup Wizard
The first time you log in from the Welcome to USM Anywhere web page, the Setup Wizard prompts you to complete the configuration of the first deployed sensor. Thereafter, you can use the Sensors page to configure an additional sensor or to change the configuration options for a deployed sensor. See Sensors Page Overview for more information.
To complete the Microsoft Azure Sensor configuration, you must obtain Azure API credentials for the subscription that you want USM Anywhere to monitor. Select the option on the Azure Credentials page that matches your current Azure credential creation status:
- If you already generated your Azure credentials, click Yes, I have my Azure credentials and am ready to enter them.
- If you don't yet have your Azure credentials, click No, I don't have my Azure credentials and need to create them.
- If you're not sure, click I am not sure. Show me how to create my Azure credentials.
If you select No or I am not sure, the page provides options for two creation methods:
If you select Yes, follow the steps in Configuring the Azure Credentials After Manual Credential Generation.
To generate Azure Credentials for Microsoft Windows users
This procedure is for Windows users who want to use the provided Power Shell script to automatically generate their credentials for sensor configuration:
Select Create credentials automatically using a Power Shell script (Recommended).
The page automatically launches a download of the Power Shell script. You can use the browser tools to save the file to the appropriate location on your system.
Run the Power Shell script as administrator on your Windows operating system (OS) from the command-line interface (CLI) shell prompt.
Important: You won't be able to answer the prompts from the script if you use Windows PowerShell Integrated Scripting Environment (ISE) to run the script.
Note: If you have multiple Azure subscriptions, the script prompts you to identify which one you want USM Anywhere to monitor.
When the script finishes, it creates a text file that saves to your desktop.
In USM Anywhere, drop the Azure credentials text file onto the displayed page or click the select USM_Anywhere_Azure_Credentials.txt from your desktop link to locate, select, and upload the file.
Verify that the status at the top of the page displays the following message:
Related Video Content
To view other related training videos, click here.
To create the Azure credentials manually
Select Learn how to create Azure credentials manually.
This opens the Create an Application and Obtain Azure Credentials page in a new browser tab or window.
- Follow the instructions for creating the needed credentials.
- Return to USM Anywhere, then click the Back button to display the first Azure Credentials page.
To configure the Azure credentials after they were generated manually
Note: This procedure is for non-Windows users who generated their Azure credentials manually and who are ready to configure the sensor.
- Select the Yes option, and in the next page click the Enter previously created Azure credentials manually link at the bottom of the page.
Enter the Azure API credentials you generated in the Azure console into the appropriate fields.
- Click Save Credentials.
Verify that the status at the top of the page displays the following message:
When the credentials are configured, click Next. The wizard displays the next page in the setup process, Azure Configuration.
After you've successfully configured the Azure credentials, the Azure Configuration page opens. This page summarizes the number of Azure virtual machines (VMs), resource groups, and VM sizes in your environment.
Important: If you are using VM scale sets to provide redundancy and load balancing in your Azure environment, the Azure Sensor does not automatically discover the scale set hosts through network scans. It does collect syslog from these hosts, but you must manually add the VMs to the USM Anywhere asset inventory.
The wizard displays the next page in the setup process, Azure Log Collection.
The Azure Log Collection page displays the following Azure logs that are automatically discovered by USM Anywhere in your environment:
- Azure REST Monitor (formerly Azure Insight)
- Azure security alerts
- Azure SQL Server logs
- Azure Internet Information Services (IIS) logs
- Azure Windows logs
Important: The Azure SQL Server job is deprecated. Use the Event Hub Integration to collect Azure SQL Server logs. See Collect Logs from Azure Event Hubs for more information.
See Azure Log Discovery and Collection in USM Anywhere for more information about Azure log discovery and collection.
To enable these out-of-box Azure log collection jobs, toggle the gray Enable icon so that it turns green. When you enable any of these log collection jobs, USM Anywhere starts collecting the log data immediately according to the preconfigured frequency. See Create a New Azure Log Collection Job if you want to add other Azure log collection jobs after the sensor configuration, including jobs for Azure Web Apps.
Note: If you go to Activity > Events in USM Anywhere post-configuration, you can see all of the events associated with each log type, including its Event ID and many other useful details. You can also review related log collection jobs in the Job Scheduler page (Settings > Scheduler). See
After you enable each job that you want, click Next.
The wizard displays the next page in the setup process, Active Directory.
The optional Active Directory (AD) Active Directory (AD) is a database and platform for Windows domain networks that connects users with their network resources. setup page configures USM Anywhere to collect information from your AD account. To monitor Microsoft Windows systems effectively, USM Anywhere needs access to the AD server to collect inventory information.
Note: This configuration is only for one AD server. If you want to scan different AD servers, you must create an AD scan job for each of them. See Scheduling Active Directory Scans from the Job Scheduler Page for more information.
AT&T Cybersecurity recommends that you create a dedicated AD account with membership in the Domain Admins group to be used by USM Anywhere to log in to the Windows systems. You also need to activate Microsoft Windows Remote Management (WinRM) in the domain controller and in all the hosts that you want to scan. You can do this by using a group policy for all the systems in your AD.
Important: Before this feature is fully functional, you must configure access to the USM Anywhere Sensor on the AD server. See Granting Access to Active Directory for USM Anywhere for more information.
To complete the AD access configuration
Provide the AD credentials for USM Anywhere:
- Active Directory IP Address: Enter the IP address for the AD server.
- Username: Enter your username as admin of the account.
- Password: Enter your admin's password.
- Domain: Enter the domain for the AD instance.
Click Scan Active Directory.
After a successful launch of the scan, a confirmation dialog box opens.
The scan continues in the background.
Upon completion, another dialog box opens and provides information about the number of assets USM Anywhere discovered. It also prompts you to decide if you want to scan for hosts and services running in your environment.
Click Cancel to opt out of this scan.
(Optional.) If you want to scan for other hosts and services, click OK.
Click Next after the scan ends.
The wizard opens the next page in the setup process, Log Management.
On the Log Management page are syslog port numbers. (These ports are the same for all USM Anywhere Sensors.)
USM Anywhere collects third-party device, system, and application data through syslog An industry standard message logging system that is used on many devices and platforms. over UDP on port 514 and over TCP on ports 601 or 602 by default. It collects Transport Layer Security (TLS)-encrypted Transport layer security. Successor to Secure Sockets Layer (SSL) protocol. Provides security for communication over the Internet between client and server applications. data through TCP on ports 6514 or 6515 by default. These ports support the RFC 3164 and RFC 5424 formats. To configure any third-party devices to send data to USM Anywhere, you must provide the IP address and the port number of your USM Anywhere Sensor.
To enable log collection and configure your log management
- Make sure that you have granted the necessary permissions for your OS to allow USM Anywhere to access its logs. You can also integrate a wide variety of data sources to send log data over syslog to the USM Anywhere Sensor.
To learn how to configure your operating systems and supported third-party devices to forward syslog log data, see the following related topics:
- The Syslog Server Sensor App: Log collection (UDP, TCP, and TLS-encrypted TCP) from rsyslog
- Collecting Linux System Logs: Log collection from a Linux system
- Collecting Windows System Logs: Log collection from a Windows system
- Go to the specific AlienApp in USM Anywhere for instructions about syslog forwarding
Note: Because the log scan can take some time, you might not see all of the automatically discovered log sources immediately after deploying the first USM Anywhere Sensor.
AT&T Alien Labs™ Open Threat Exchange® (OTX™) is an open information-sharing and analysis network providing users with the ability to collaborate, research, and receive alerts on emerging threats and indicators of compromise (IoCs) such as IP addresses, file hashes, and domains.
You must have an OTX account to receive alerts based on threats identified in OTX. This account is separate from your USM Anywhere account. Go to The World’s First Truly Open Threat Intelligence Community to create an OTX account.
Note: If you do not already have an OTX account, click the Sign up link. This opens another browser tab or window that displays the OTX signup page. After you confirm your email address, you can log in to OTX and retrieve the unique API key for your account.
See Open Threat Exchange® and USM Anywhere for more information about OTX integration in USM Anywhere.
To enable USM Anywhere to evaluate event data against the latest OTX intelligence
- Log in to OTX and open the API page (https://otx.alienvault.com/api).
In the DirectConnect API Usage pane, click the icon to copy your unique OTX connection key.
Return to the Open Threat Exchange (OTX) page of the USM Anywhere Sensor Setup Wizard and paste the value in the OTX Key text box.
Click Validate OTX Subscription Key.
With a successful validation of the key, the status at the top of the page changes to "Valid OTX key".
- Click Next when this task is complete.
The Congratulations page summarizes the status of your configuration.
Click Start Using USM Anywhere, which takes you to the Overview dashboard.
Now is a great time to run a vulnerability scan. See Vulnerability Assessment for detailed information about running a vulnerability scan.